Understanding SIM-Swap

Table of Contents

What is it, and how can you protect your business?

How do you prevent fraud?

If you’re part of a small to medium business, no matter what, there is always more you could, or should, be doing.

Of UK and US SMEs, one-third report using free, consumer-grade cybersecurity, and a further one in five use no endpoint security whatsoever. A single attack can cost over £10,000 to recover from without factoring in the subsequent loss of business, which can be devastating for any business, but especially an SME.  

Regarding customer verification, it is common for businesses to be similarly lax: you may utilise phone number and password combinations but alone these leave accounts wide open to fraudsters. To add an extra layer of security, your business may also require the use of a code sent to an SMS – in reality, this may not make your customers much more secure.

Multifactor authentication methods, such as SMS, have become the most commonplace form of authentication.

This makes sense: mobile phones are ubiquitous today. They have revolutionised the way we communicate with one another locally and globally – becoming a practical necessity for modern life. As central as they are to our lives, they are not as secure as you might think. Gaining access to a person’s phone number is not considered difficult, and with the high volume of legitimate customer requests, fraudsters are able to act undetected. Costing UK victims an estimated 2.6M in 2019, SIM-swap fraud boasts some high-profile targets, such as Twitter CEO Jack Dorsey who famously had his bank and Twitter accounts compromised.

So how does it work?

SIM-swap is the process of moving a phone number onto a different SIM card. This can occur legitimately if a customer loses their SIM card or wants to change to a device with a different SIM format or a different provider entirely – whilst maintaining their original phone number.

This is where the fraudsters come in, looking to take advantage of these processes implemented for customer convenience…

When the fraudster has selected their target phone number, they will attempt the SIM-swap procedure, to port the phone number to a device they have access to. If they can succeed in this, they will have access to all SMS and calls intended for the legitimate customer.

To achieve this, the fraudster will use their victim’s personal information to convince the network operator to perform the swap. These details are usually gathered from spoof portals, smishing, social engineering or purchased from the dark web. In some cases, fraudsters will even attempt to prove their identity in person, with forged documents.

Once the swap has taken place, all calls and SMS will be directed to the fraudster’s device, allowing them to request access, or a password reset on the victim’s banking or retail account. With the security information being sent directly to the fraudster, nothing is stopping them from making illegitimate transfers and processes.

Is there a smarter solution?

Fraudsters have perfected their craft. Even seemingly complicated acts of fraud have become perfectly achievable, for even an amateur fraudster, due to black market guides and communities. As such, fraud is on the rise, mobile fraud particularly: the losses due to mobile banking fraud in the UK rose by 127% in the first half of 2021, compared with the same period in 2020. More fraudsters are making more money more easily.

But the fact that it is straightforward, means that there are some equally simple – but powerful – steps you can take to keep your customers safe.

Adding further checks and barriers may seem like the best solution – however, while these tactics will be effective at stopping fraudsters from accessing your services, they will also be effective at stopping legitimate customers from having the convenient experience they desire.

When preventing fraud, the use of fraud prevention solutions and customer experience must be balanced. It is imperative organisations do not cause undue stress for legitimate customers. After all, customer experience is key to retention. For example, online retail sites see an almost 70% cart abandonment rate, 24% of these abandonments are due to the account creation process, and another 18% are due to an overly long or complicated checkout. In short: too many security steps and they are likely to lose interest, no matter how well-protected it makes them.

By quickly checking that a SIM or Device ID has not changed since you last interacted with a customer, you can identify and respond to any flags, without impeding users. 

The key to this is the use of mobile network operator data. Within the streams of information sent between phones and the network, there are clues as to the identity of the end-user, one of these clues being if a SIM has recently been swapped.

Whilst preventing fraud requires a multi-faceted and collaborative approach, by increasing data enrichment, you will provide better security against many kinds of fraud, specifically SIM-swap and Account Takeover – whilst providing a desirable customer experience. SIM-swap is simple, so don’t let it get the better of your business.


Sources:

Enisa European Union Agency for Cybersecurity
Prove
PrWeb
Baymard Institute
Association for Computing Machinery
UK Finance
The Times


Read more

Which Authentication Method is Best?

How can you improve your authentication process? Save time and money with our quick guide to authentication, helping you work out which method is best for your business.

Read More

Who are the Victims of Fraud?

With a recent wave of fraud specifically targeting the young, how accurate is the assumption that only older people fall victim to fraud?

Read More

Make KYC more inclusive

Traditional sources of KYC data exclude many users. Here’s how you can make KYC more inclusive, and verify the thin file demographic.

Read More