SIM swap fraud is a perennial problem for MNOs, and it can be tricky to counter. While it doesn’t directly affect their revenues, operators are rightly concerned about it because of the negative consequences for their subscribers.
Those consequences can be severe. In 2018 a cryptocurrency investor had his identity — and millions of dollars in crypto — stolen as a result of SIM swap fraud. He consequently sued his mobile network provider for US$224 million on the basis that they had not taken adequate steps to protect his private data.
A year later, Twitter CEO Jack Dorsey, among others, had his Twitter account hacked because of SIM swap fraud. This led to a great deal more public awareness of the risk, but the fraud itself remains prevalent.
What’s the risk?
SIM swap fraud leverages the legitimate, and sometimes necessary, facility for the operator to transfer or “port” a subscriber’s mobile phone number from one SIM to another. Fraudsters often exploit this facility to take control of their victim’s number, in order to access their accounts or intercept 2FA messages.
Given that SIM swaps cannot happen without the active involvement of the MNO, SIM swap fraud comes with a heavy reputational cost. The operator is essentially responsible for allowing fraudsters to steal subscriber numbers.
So how can MNOs fight this and protect their customers? Ensure the person requesting a SIM swap is really who they say there are. Too many operators rely on security questions, but these can be compromised by a little research into the target, or by “spear phishing” attacks.
#1 Verify their number
Consider using 2FA as a first-step. If a subscriber still has access to their phone and just wants to change SIM card (e.g. from mini to nano form factor) they can receive a code to authorise the swap. Any scammer who already has access to the phone or number wouldn’t need to divert a subscriber’s messages to another phone.
#2 Verify their identity
If someone cannot receive a 2FA message — for example they claim their phone has been stolen or the SIM card damaged — the best solution is to ensure they visit a physical store, with a form of photo ID, to verify their identity. Your employees at these locations should also be briefed on the importance of this verification, and to not cut corners. At the very least, you need to challenge them with specific information, and make sure your staff are well trained…
#3 Train your staff
All your staff — whether working in your stores or responding to calls at your contact centre — should understand the threat that SIM swap fraud poses to your customers. A study by researchers at Princeton University found that many customer service representatives asked easily-guessable questions, and in some cases gave callers hints as to the correct answer. This revealed another problem: “This suggests that sensitive account details are stored in the clear and visible to CSRs, who are thus susceptible to social engineering attacks.” A safer authentication method would require representatives to input the answer, and have the system tell them whether the response is correct or not, but never show them the answer ahead of time.
#4 Work with your partners
Today, enterprise traffic is a great revenue source for MNOs. 2FA traffic is a major part of this and is the prime target of perpetrators of SIM swap fraud. It is important to work with enterprise partners to protect their customers, encouraging them to watch for suspicious logins and additionally secure their 2FA messages with tools like Check IMSI.
#5 Educate your subscribers
It is important to help subscribers understand the risks of SIM swap fraud. Not just how it opens them up to identity theft, but how to recognise the signs and take action. They should know that suddenly being unable to make or receive calls and texts is a warning sign, and that they should check whether this is simply a service outage or something more sinister.
SIM swap fraud is a persistent problem, in no small part because there is no automatic way to detect it. Operators looking to reduce its impact on their subscribers and reputation need to take definite action across multiple fronts to prevent fraudsters from exploiting any loopholes in their MSISDN transfer procedures. By safeguarding user data, using robust authentication procedures, and keeping everyone involved educated and alert, operators can prevent the threat of SIM swap fraud.