tru.ID is on a mission to make SIM swap attacks a thing of the past. This post is part of our efforts to grow awareness of this type of fraud and invite developers to help address it.
If you've been following high-profile stories of crypto fraud, Jack Dorsey's account takeover, or the latest SMS message scams, you may have noticed that they have one weakness in common: the one-time passcode for two-factor authentication sent by SMS. SMS 2FA is common and easy to implement, and almost every app that relies on a mobile number uses it. But does that mean it should? In this post, we explain how SIM swap fraud happens, and describe an alternative, mobile-native approach that stops it.
Any business that uses SMS to implement 2FA is at risk. While banks, FinTechs, and crypto businesses have been particularly targeted because money is involved, the risk is significant for any online business that relies on the mobile number as the primary user identity to verify customers.
In the beginning, there was the standard email + password (a ‘knowledge’ factor) to register for a new online account. Despite best efforts to make users pick longer and more complex passwords, knowledge factors such as passwords are now widely accepted to be a flawed security solution, because knowledge can be shared, leaked and guessed.
Enter SMS OTP, or one-time passcode. This single-use code, delivered over SMS to the registered mobile phone, is added as a second, so-called ‘possession’, factor to validate the user. Unfortunately, SMS OTP is only a ‘sticking plaster’: it has vulnerabilities of its own that create new attack vectors for bad actors.
If someone controls a mobile phone number and can receive the messages sent to it on another device, most password-recovery flows will let them change the password, because they use the SMS code as the only proof of identity. Once the password is changed, the fraudster can take over multiple accounts, with serious potential consequences: financial theft and stolen identities.
A typical scenario for SIM swap fraud:
1. A bad actor finds out the victim’s mobile number and some personal information, typically via a phishing scam, social engineering, or buying information from other criminals.
2. They use that information to impersonate the victim to their mobile network operator, saying that they need a new SIM card – perhaps pretending that they lost their phone.
3. The network's customer support agent issues the new SIM card to the bad actor, with the victim’s mobile number mapped to it.
4. As soon as that SIM card is activated in the bad actor’s mobile phone, the victim’s own, original SIM stops working.
5. The bad actor then moves fast: according to Javelin Research, 40% of account takeovers happen within 24 hours. Before the victim can react, the bad actor logs into their online banking, social media, email, and more, and resets the passwords by receiving the one-time codes sent out by SMS.
This way, a fraudster can easily steal the victim’s identity and their money.
SIM swap fraud relies on the bad actor possessing a newly issued SIM card with the victim’s mobile number mapped to it. However, each SIM card carries its own unique identifier, the International Mobile Subscriber Identity (IMSI), which is distinct from the mobile number (the MSISDN) that the operator maps onto it. So when a new SIM card is issued to a bad actor, the IMSI of that new SIM is different from the IMSI of the original SIM still held by the victim, even though both have carried the same mobile number.
That difference between the old and new IMSI makes SIM swap fraud detectable: the application can be told that the SIM behind a mobile number has changed recently, and act on it. The technology that authenticates the identity of each SIM card is a core part of every mobile network; it is how MNOs bill us correctly for our usage. Only now is it becoming available for identity management and fraud prevention. We call this approach SIM-based authentication, and we have made it available via APIs so that it can be integrated quickly and easily.
The benefits of SIM-based authentication
How to transition to SIM-based auth checks
Now that you know what SIM swap fraud is, how it happens, and why SMS may not be the secure solution you had hoped for, it is time to try something new and use technology that, until recently, has only been available to mobile operators.
tru.ID connects to carriers to verify SIM cards directly and in real time. It performs a single check that tells your application whether the SIM card behind a mobile number has been changed recently. The check runs on your server, with no change to the UX of your app. You can then require stronger verification, or withhold the SMS code altogether, when the SIM has changed recently and your risk rules call for further checks.
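The following is an added example, not tru.ID's code or API, that ties the IMSI reasoning above to a server-side risk rule for a password-reset flow. The carrier side is a constructed stand-in: `CARRIER_SIM_HISTORY` and `carrier_sim_changed_since` are hypothetical, and model an operator that detects a swap by comparing the IMSI currently mapped to a number with the one mapped at an earlier time, returning only a yes/no answer (the IMSIs never leave the network). `password_reset_method` is the application-side rule: SMS OTP is used only when the carrier confirms the SIM is unchanged, and every uncertain case fails closed.

```python
"""Added example (not tru.ID code): server-side SIM-swap risk rule for a
password-reset flow.  The carrier-side data and lookup below are constructed
stand-ins for a real operator query."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# ---- carrier side (constructed sample data) --------------------------------
# For each mobile number (MSISDN): every SIM that has been mapped to it,
# oldest first, as (IMSI, activation time).  A SIM swap appends a new IMSI.
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
CARRIER_SIM_HISTORY = {
    "+447700900001": [("234150000000001", NOW - timedelta(days=400))],
    "+447700900002": [("234150000000002", NOW - timedelta(days=400)),
                      ("234150000000099", NOW - timedelta(hours=3))],   # swapped today
    "+447700900003": [("234150000000003", NOW - timedelta(days=400)),
                      ("234150000000042", NOW - timedelta(days=10))],   # swapped 10 days ago
}


def carrier_sim_changed_since(msisdn: str, since: datetime) -> Optional[bool]:
    """Operator-side answer (hypothetical): is the IMSI currently behind
    `msisdn` different from the IMSI that was behind it at time `since`?
    None if the number is unknown to the carrier.  Only the boolean is
    returned to the application; the IMSIs stay inside the network."""
    history = CARRIER_SIM_HISTORY.get(msisdn)
    if not history:
        return None
    imsi_now = history[-1][0]
    imsi_then = None                      # no SIM yet at `since` counts as changed
    for imsi, activated in history:
        if activated <= since:
            imsi_then = imsi
    return imsi_then != imsi_now


# ---- application side ------------------------------------------------------
LookupFn = Callable[[str, datetime], Optional[bool]]


@dataclass(frozen=True)
class Decision:
    action: str   # "sms_otp" | "step_up" | "block_sms"
    reason: str


def password_reset_method(msisdn: str, enrolled_at: datetime,
                          lookup: LookupFn = carrier_sim_changed_since,
                          now: datetime = NOW,
                          quiet_period: timedelta = timedelta(days=7)) -> Decision:
    """Choose how to verify a password-reset request for `msisdn`.

    enrolled_at:  when the user last proved possession of this number through
                  a channel you trust (e.g. in-app enrolment).
    quiet_period: how long after a SIM change SMS codes are withheld; the
                  24-hour attack window quoted in the post sits well inside it.
    Every uncertain case fails closed: SMS OTP is only used when the carrier
    confirms the SIM is unchanged.
    """
    changed_recently = lookup(msisdn, now - quiet_period)
    if changed_recently is None:
        return Decision("step_up", "carrier cannot vouch for this number; "
                                   "do not fall back to SMS")
    if changed_recently:
        return Decision("block_sms", f"SIM changed within the last "
                                     f"{quiet_period.days} days; an SMS code would "
                                     "reach whoever holds the new SIM")
    if lookup(msisdn, enrolled_at):
        return Decision("step_up", "SIM differs from the one active at enrolment; "
                                   "require an additional factor before SMS")
    return Decision("sms_otp", "same SIM since enrolment and no recent change")


# Constructed reference point: the users enrolled 300 days before NOW.
ENROLLED_AT = NOW - timedelta(days=300)

if __name__ == "__main__":
    for number in ("+447700900001", "+447700900002",
                   "+447700900003", "+447700900000"):
        d = password_reset_method(number, ENROLLED_AT)
        print(f"{number}: {d.action:9s} {d.reason}")
```

Two checks are made on purpose: one against a short quiet period, which catches the fast account-takeover window the post describes, and one against the enrolment time, which catches an older swap that the user never re-confirmed. A real deployment replaces `carrier_sim_changed_since` with the operator or API call and keeps the decision logic unchanged.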
Whether you're actively trying to protect your user base from the growing threat of SIM swap attacks, or curious what else you can do with APIs that connect directly to mobile carrier security features, check us out or get in touch for a demo.