SIM swap fraud: what is it and how to fix it

by Paul McGuire | May 12, 2021

SIM swap fraud is on the rise, and it’s not limited to high-profile cases such as Twitter CEO Jack Dorsey having his account hacked. The good news is that there’s now a solution…

We’re all familiar with using email + password when registering for a new online account. But knowledge factors like passwords are widely acknowledged to be flawed, security-wise, so a second possession factor is added, typically an SMS OTP (one-time password).

However, the way SMS 2FA (two-factor authentication) is used as a security layer when changing a password gives bad actors wide-ranging access to multiple accounts, leading to financial theft and stolen identities.

Banks, fintechs and crypto businesses are key targets, but any business using 2FA is vulnerable – as is any mobile app relying on the mobile number as the primary user identity.

How does the fraud work?

Typically, a bad actor finds out your mobile number and some personal information via a phishing scam, social engineering, or buying information from other criminals. They use that information to impersonate you to your mobile network operator (MNO) and request a new SIM card.

The MNO agent issues a new SIM card with your mobile number mapped to it. Once the SIM card goes live in the bad actor’s mobile phone, your original SIM stops working. Before you notice, the criminal can quickly log in to your banking apps, social media and email, intercept the SMS codes and start stealing all your money.

A new and easy solution – SIM-based authentication

For SIM swap fraud to work, the criminal must possess a newly-issued SIM card with your mobile number mapped to it.

But each SIM card also has a unique identity number (called the International Mobile Subscriber Identity, or IMSI) – so the new SIM card issued to the criminal will have a different IMSI to your original.

With SIM-based authentication, we can now check for this difference and stop SIM swap fraudsters from gaining further access.

The technology to authenticate the identity of each SIM card is a core part of every mobile network – it’s how MNOs can bill us correctly. But only now is it becoming available for identity management and fraud prevention.
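
The IMSI comparison described above, written as a server-side gate in front of SMS OTP. This is an added example, not IDlayr's API or code from this article. It assumes a carrier-side lookup (hypothetical, represented by the current_imsi argument) that reports the IMSI currently mapped to the number; the function names, the keyed-hash storage, the decision labels and the sample values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: a server-side secret, so that only a keyed hash of the IMSI
# is stored rather than the raw subscriber identity.
BINDING_KEY = b"constructed-demo-key"


def sim_binding(imsi: str) -> str:
    """Keyed hash of the IMSI recorded when the user enrols the number."""
    return hmac.new(BINDING_KEY, imsi.encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    msisdn: str                      # mobile number used for SMS OTP
    enrolled_binding: Optional[str]  # sim_binding() value stored at enrolment


def gate_sms_otp(account: Account, current_imsi: Optional[str]) -> str:
    """Decide whether SMS OTP may be used for a sensitive action.

    current_imsi is what the hypothetical carrier-side check reports for
    account.msisdn right now; None means the check could not be completed.
    """
    if account.enrolled_binding is None:
        return "step_up"   # nothing to compare against: SMS alone is not trusted
    if current_imsi is None:
        return "step_up"   # fail closed when the SIM check is unavailable
    if hmac.compare_digest(account.enrolled_binding, sim_binding(current_imsi)):
        return "send_otp"  # number is still on the SIM seen at enrolment
    return "block"         # number now maps to a different SIM: possible swap


def demo() -> list:
    # Constructed sample values: test-network IMSIs and a reserved number.
    original, swapped = "001010123456789", "001010987654321"
    acct = Account("+447700900123", sim_binding(original))
    unenrolled = Account("+447700900123", None)
    return [gate_sms_otp(acct, original), gate_sms_otp(acct, swapped),
            gate_sms_otp(acct, None), gate_sms_otp(unenrolled, original)]
```

A "block" result should also trigger re-verification through a channel that does not depend on the mobile number before the stored binding is updated, since legitimate users replace SIMs too.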

IDlayr offers a range of easy plug-in APIs for SIM-based authentication that work across MNOs, supporting different identity management and fraud use cases. Active SIMCheck can be easily added to your existing authentication process on both websites and mobile apps, without having to complicate the design, user flow, or even release an app update.

How to get started

Solving SIM swap is fast and easy with IDlayr. Our products are easily integrated into any client-server application architecture using RESTful APIs and iOS, Android, React Native and Mobile Web SDKs.

Developers can find all they need to get started on our website, including integration guides for all our products. Simply sign up to start integration, and test for free, today.

For a more detailed explanation of how SIM-based authentication guards against fraud, download our free PDF: SIM swap fraud is getting worse – but now there is a solution.