How to tackle SIM Swap Fraud
SIM swap fraud is on the rise, and it’s not just high-profile cases like Twitter CEO Jack Dorsey getting their account hacked. What’s to be done?
We’re all familiar with using email + password when registering for a new online account. But knowledge factors like passwords are widely acknowledged to be flawed, security-wise, so a second possession factor is added, typically an SMS OTP (one-time password).
However, the way SMS 2FA (two-factor authentication) is used as a security layer when changing a password gives bad actors wide-ranging access to multiple accounts, leading to financial theft and stolen identities — SIM swap fraud.
Banks, fintechs and crypto businesses are key targets, but any business using 2FA is vulnerable — as is any mobile app relying on the mobile number as the primary user identity.
How does SIM swap fraud work?
Typically, a bad actor finds out your mobile number and some personal information via a phishing scam, social engineering, or buying information from other criminals. They use that information to impersonate you to your mobile network operator (MNO) and request a new SIM card.
The MNO agent issues a new SIM card with your mobile number mapped to it. Once the SIM card goes live in the bad actor’s mobile phone, your original SIM stops working. Before you notice, the criminal can quickly log in to your banking apps, social media and email, intercept the SMS codes and start stealing all your money.
A new and easy solution — SIM-based authentication
For SIM swap fraud to work, the criminal must possess a newly-issued SIM card with your mobile number mapped to it.
But each SIM card also has a unique identity number (called the International Mobile Subscriber Identity, or IMSI) — so the new SIM card issued to the criminal will have a different IMSI to your original.
With SIM-based authentication, we can now check for this difference and stop SIM swap fraudsters from gaining further access.
The technology to authenticate the identity of each SIM card is a core part of every mobile network — it’s how MNOs can bill us correctly. But only now is it becoming available for identity management and fraud prevention.
tru.ID offers a range of easy plug-in APIs for SIM-based authentication that work across MNOs, supporting different identity management and fraud use cases. Active SIMCheck can be easily added to your existing authentication process on both websites and mobile apps, without having to complicate the design, user flow, or even release an app update.