Growing SIM swap fraud threat necessitates strong identity verification
By Stuart Neal, General Manager for Identity at Boku Inc.
Mobile banking has become a smartphone practice as common as dialing a number. According to Insider Intelligence’s Mobile Banking Competitive Edge study, 89 percent of US survey respondents said they use mobile banking — a number that rises to 97 percent for millennials.
Finance and banking apps offer a convenience that drives their popularity. But convenience comes with a catch: the risk of fraud, specifically fraud conducted through what’s known as ‘SIM swapping’.
In a nutshell, SIM swap fraud — sometimes referred to as ‘SIM splitting’ or ‘SIM jacking’ — is a scam that involves a fraudster gaining control of another person’s phone by porting or replacing their SIM without detection. This new SIM then gives the scammer control over the victim’s number and full access to accounts associated with that number.
It’s a crime on the increase: Feedzai have reported a 600 percent increase in account takeover events in the past year. Europol arrested a single group of ten SIM hijackers in February 2021 who together stole over $100 million, targeting celebrities and other high-worth individuals.
As disturbing as it sounds, the technology does exist to fight back and keep users, their phones, and their accounts safer. Read on as we explain exactly what SIM swap fraud is, how it happens, and how it can be prevented.
While SIM swapping hackers can drain an account in a matter of moments without the user noticing, the whole end-to-end process takes a lot longer.
The fraudster starts by building a profile of the intended victim, collecting key pieces of personally identifying information (PII) to facilitate the crime. These details can be found in numerous places; from databases compiled by other criminals on the dark web to social media, or by extracting information through social engineering and phishing scams.
The aim is to gather all available information, or to trick an individual into sharing more information, to build a profile that the attacker can adopt convincingly. It’s labor-intensive work, so SIM swaps are carefully planned to find high-net-worth targets with savings and investments. Crypto investors are a particular target because it’s harder to track where those funds go and they are easier to spend without arousing suspicion.
Executing the SIM Swap
Once a profile is built, the fraudster moves on to the swap itself. The most common scenario involves the scammer socially engineering a customer service representative into transferring the victim’s phone number to another SIM card already in the hacker’s possession.
To do this, the swapper begins by calling a mobile operator and explaining why the number needs to move, giving a seemingly plausible reason such as the phone having been lost or damaged beyond repair.
Once the mobile operator’s representative on the end of the phone has been convinced, the hacker then uses the information from the victim profile to navigate any security questions. Many networks won’t send out a physical SIM to a different address, but are willing to transfer the number to a pre-purchased SIM which in this case is in the hands of the fraudster—a move that enables them to complete the scam faster.
With the phone number transferred to a new SIM, the victim’s mobile phone is deactivated. The fraudster now has complete control over the unsuspecting victim’s phone number and can start to access the personal accounts associated with it.
With so many of our accounts, from bank to email, protected by One-Time Passcodes (OTP) when a change of password is requested, it’s light work for the person now in control of the number, because these codes come straight to them.
And, the longer they have access to the sensitive information held on the other side of your mobile banking or email login screen, the more havoc the hacker can wreak.
If the SIM swap is quick and happening away from where you are, how do victims know they’ve been scammed? The clearest sign for victims is when their phone suddenly loses signal and stops working.
They might be notified that their new SIM has been activated or sent a notification by their carrier to confirm the recent change to their account—though the victim will be unable to log into their account, and by and large, the damage will already be done.
How do we fight back against SIM swap fraud?
It’s a horrible thought, losing your network connection and access to your own accounts. But there is hope. The technology exists to block this kind of fraud at its roots, but it requires firms to buy into a more active role in monitoring what’s going on around the transfer of a number.
For example, while people do often have real needs to move their number—a phone accident, or switching to a new provider—banks and mobile network operators can use technology like voice recognition to confirm the claim is genuine.
Even more can be done in the background too. Silent verification technology can allow banks to use mobile networks to confirm the identity of the user at the time of any login, and detect SIM swaps in real time. When connected directly to the mobile network operators themselves, the technology can access deterministic data that prevents a login or requires additional verification if a SIM swap event has been detected.
Silent, pinless user authentication means SIM checks are made without any additional effort from the end-user, while thwarting would-be SIM swappers. And it’s effective, too. Next-generation multi-factor authentication technologies are 96 percent more effective at stopping authentication fraud than SMS OTP.
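To make the login-time check described above concrete, here is an added example (not code from the author or from Boku) of a bank-side gate that consumes a carrier-reported SIM change timestamp and decides whether to allow the action, require a factor not tied to the phone number, or block it. The CarrierSignal record, the action names and the 24-hour and 7-day windows are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"      # number-based verification may proceed
    STEP_UP = "step_up"  # require a factor not bound to the phone number
    BLOCK = "block"      # refuse the action and raise a fraud alert


# Assumed policy values for illustration; tune to your own risk appetite.
SENSITIVE_ACTIONS = {"password_reset", "add_payee", "transfer"}
BLOCK_WINDOW = timedelta(hours=24)
STEP_UP_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class CarrierSignal:
    """Hypothetical result of a mobile network operator lookup."""
    msisdn: str
    last_sim_change: Optional[datetime]  # None: lookup failed or no data


def decide(signal: Optional[CarrierSignal], action: str,
           now: datetime) -> Decision:
    # Fail closed: with no carrier data, never fall back to trusting the number.
    if signal is None or signal.last_sim_change is None:
        return Decision.STEP_UP
    age = now - signal.last_sim_change
    if age < timedelta(0):
        # Timestamp in the future: bad data or clock skew, so do not trust it.
        return Decision.STEP_UP
    if age <= BLOCK_WINDOW:
        # A fresh swap is the highest-risk period for account takeover.
        return Decision.BLOCK if action in SENSITIVE_ACTIONS else Decision.STEP_UP
    if age <= STEP_UP_WINDOW and action in SENSITIVE_ACTIONS:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    # Constructed sample: a password reset two hours after a SIM change.
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    sig = CarrierSignal("+15555550100", now - timedelta(hours=2))
    print(decide(sig, "password_reset", now).value)
```

The important property is the first branch: when the carrier lookup returns nothing, the gate steps up rather than silently allowing an SMS code to be sent to a number whose ownership is unknown.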
About the author
Stuart Neal is General Manager for Identity at Boku Inc. He joined the company in 2011 from Barclaycard, where he was responsible for growing their merchant acquiring division – the second largest in Europe. He is a prominent figure in the European payments market, with specific expertise in deploying innovative payment solutions, such as the roll out of NFC capability in the UK.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.