tru.ID is on a mission to make SIM swap attacks a thing of the past. This post is part of our efforts to grow awareness of this type of fraud and invite developers to help address it. If you've been following high-profile stories of , Jack Dorsey's , or the latest , you may have noticed that it has one vulnerability in common - the one-time passcode for two-factor authentication sent by SMS. SMS 2FA is common, it's easy, and every app that uses mobile phones uses it. But does this mean that they should? In this post, we explain how SIM swap fraud happens, and describe to stop it from spreading. crypto fraud account takeover SMS message scams an alternative, mobile-native approach Is my app at risk for SIM swap fraud? Any business that uses SMS to implement 2FA is at risk. While banks, FinTechs, and businesses have been particularly targeted because money is involved, the risk is significant for any online business that relies on the mobile number as the primary user identity to verify customers. crypto Why is SMS-based verification flawed? In the beginning, there was the standard email + password (a ‘knowledge’ factor) to register for a new online account. Despite best efforts to get users to contort their password strings, knowledge factors such as passwords are now widely accepted to be a flawed security solution, because knowledge can be shared, leaked and guessed. Enter SMS OTP, or one-time passcode. This single-use code, delivered over SMS to the registered mobile phone, is added as a second so-called ‘possession’ factor to validate the user. Unfortunately, SMS OTP is just a ‘sticking plaster’, with its own vulnerabilities that create new attack vectors for bad actors. If someone has access to a mobile phone , and is able to receive messages to that number , most password recovery journeys use SMS as validation to allow to change a password. Once a password is changed, the fraudster can get access to multiple accounts, with serious potential consequences of financial theft and stolen identities. 1. A bad actor finds out the victim’s mobile number and some personal information, typically via a phishing scam, social engineering, or buying information from other criminals. 2. They use that information to impersonate the victim to their mobile network operator, saying that they need a new SIM card – perhaps pretending that they lost their phone. 3. The network's customer support agent issues the new SIM card to the bad actor, with the victim’s mobile number mapped to it. 4. As soon as that SIM card goes is activated in the bad actor’s mobile phone, the victim’s own, original, SIM stops working. 5. 40% of account takeovers, according to Javelin Research, happen within 24 hours. Before the victim can do anything about it, the bad actor quickly logs into their online banking, social media, email, and more, and changes the password by receiving the PIN codes sent out by SMS. This way, a fraudster can easily steal the victim’s identity and their money. number on another device A typical scenario for SIM swap fraud: A new mobile-native solution: SIM-based authentication SIM swap fraud relies on the bad actor possessing a newly-issued SIM card that has the target user’s mobile number mapped to it. However, each SIM card has a unique identity number (called the International Mobile Subscriber Identity, or IMSI). . This means that if a new SIM card is issued to a bad actor, the IMSI of that new SIM card will be different to the IMSI of the original SIM card owned by the target victim. The difference between new and old IMSI makes it possible to detect and avoid SIM swap fraud by alerting the application that the SIM has been changed recently. The technology which authenticates the identity of each SIM card is a core part of every mobile network – it’s how MNOs are able to bill us correctly for our mobile network usage. But it is only now becoming available for identity management and fraud prevention. We call this new approach , and to integrate quickly and easily. Mobile numbers and SIM identity numbers are not created equal SIM-based authentication we made it available via APIs The benefits of SIM-based authentication A SIM card comes with impregnable cryptography and is the same piece of highly secure, scalable and proven microcomputer technology that you can see in every credit card. Mobile phone numbers are also uniquely tied to an individual SIM card. At any one time, this pairing of mobile number + SIM card is entirely unique, not duplicable, and cryptographically secure. Unrivalled security For a user, the experience is extra simple – they just type their mobile number as usual, and both mobile number and SIM card identity are verified instantly, with no further action required: no SMS to wait for, no PIN code to retype. Seamless UX In addition to securing SMS 2FA, SIM-based authentication opens the door to a far bigger opportunity – the chance to finally move away from passwords. You can transition to a far more secure solution, using a mobile-native ‘possession factor’ (the SIM card) together with on-device biometrics. Potential to replace passwords Now you know what SIM swap fraud is, how it happens, and why SMS may not be the secure solution you had hoped for, it's time to try something new and access technology which, until recently, has only been available  to mobile operators. directly and in real-time. It performs a simple check that then tells your application if the SIM card has been changed. The check integrates on the server, with no need to change the UX of your app. You can then implement stronger security if the SIM has been changed recently and you risk rules require further verification. How to transition to SIM-based auth checks tru.ID connects to carriers to verify SIM cards Whether you're actively trying to protect your user base from the growing threat of SIM swap attacks, or curious what else you can do with APIs that connect directly to mobile carrier security features, or get in touch for a demo. check us out Also published on: https://medium.com/geekculture/sim-swap-fraud-how-it-works-how-to-fix-it-b66b9afdf54b https://f.hubspotusercontent20.net/hubfs/8403675/PDF/tru.ID%20-%20Funding%20PR%20-%20(2021-02-16).pdf https://tru.id/blog/what-is-sim-swap-prevent-account-takeover

Instantly

Target

Learn more about SIM-based authentication

Read My Stories

Too Long; Didn't Read

Questions about cloud security? Get answers here.

What is SIM swap, and how can SIM-based auth help fix it?

Too Long; Didn't Read

Companies Mentioned

tru.ID

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

What is SIM swap, and how can SIM-based auth help fix it?

Too Long; Didn't Read

Companies Mentioned

tru.ID

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES