SIM Swapping is a fraud in which the attacker obtains a duplicate or clone of the SIM card associated with a telephone line in order to impersonate the holder of the line and gain access to their bank accounts by intercepting the SMS message (OTP code) used as a second authentication factor.
This fraud has grown to such an extent in recent months that the AEPD (the Spanish data protection authority) has imposed fines ranging from 70,000 euros to 3.94 million euros (5.8 million euros in total) on the country’s main operators (Vodafone, Orange, Telefónica and Xfera) for failing to comply with data protection rules and to adequately protect the confidentiality of their customers.
This serious warning from the AEPD, together with the ease with which cybercriminals carry out SIM Swapping fraud, will force MNOs and MVNOs to reinforce their security, prevention and identity verification measures.
Phases in which SIM Swapping happens
SIM Swapping can be perpetrated for a wide range of purposes, from accessing bank accounts to taking over email accounts or a victim’s social media profiles.
Many cybercriminals seek to access Google accounts or services and social networks such as Facebook, either to blackmail account owners by threatening their digital reputation or to access their crypto wallets directly.
Nevertheless, access to bank accounts is the most common, elaborate and dangerous variant, as it is the one that maximises the economic benefit for the cybercriminal. To carry it out, in addition to obtaining a duplicate SIM card, the attacker must also steal the user’s online banking credentials.
We could therefore divide this type of fraud (for this particular case) into two different phases:
- Theft of the subject’s bank account credentials.
- SIM card cloning or duplication.
1. Theft of the subject’s bank account credentials
To gain access to a bank account, the first step is to fraudulently obtain the user’s online banking credentials.
The most common types of identity fraud, such as Spoofing, Phishing or Pharming, are usually carried out through fraudulent emails and websites that impersonate the bank in order to trick users into sharing personal information such as credit card numbers, national insurance numbers or online banking credentials.
2. SIM card cloning or duplication
The next step is to steal the person’s phone or get a duplicate SIM card to gain access to SMS verification codes sent to that phone number (two-factor authentication).
This is where the problems for telephone operators begin: criminals often go to physical shops falsely claiming that their phone has been stolen and present a forged photocopy of the victim’s ID card in order to obtain a duplicate SIM card.
The security mechanisms used in shops to verify the identity of such persons are often based on personal questions whose answers the criminals already know, making it relatively easy for them to obtain the new SIM card.
As a result, there is a security gap in this face-to-face verification process, because telecom operators rely on weak methods to verify the identity of persons requesting a duplicate SIM card.
Use two-factor authentication: PSD2
At the end of 2019, PSD2 (the Revised Payment Services Directive) came into effect in the European Union to strengthen the security of digital transactions and payments, requiring at least two-factor authentication (2FA) to verify the identity of users performing a banking transaction.
Strong Customer Authentication (SCA) requires at least 2 factors among the following:
- Something you know (password or pin),
- Something you have (card or mobile phone) and
- Something you are (biometric recognition),
in order to verify the identity of a person during a transaction.
Most banks have opted to use an SMS message carrying a one-time, time-limited code (OTP, One-Time Password) as the second authentication factor, and this is the second security gap that SIM swapping exploits, this time in the authentication processes of banks, insurers and credit institutions.
Why are SMS for sending OTP codes not secure?
SMS is not a secure 2FA channel for banks because, if the smartphone is stolen or the SIM card is duplicated, the SMS, and with it the code used as the second authentication factor to authorise a transaction, becomes accessible to the attacker.
Usually the confirmation code is visible in a notification even when the screen is locked, so stealing the phone, without even knowing how to unlock it, would be enough (together with the credentials stolen in the first phase) to gain access to bank accounts.
From this point onwards, all you can do is hope that the bank analyses the behaviour of the account and detects an impostor misusing the online banking application.
How to avoid SIM Swapping fraud?
At this point, you will have realised that in order to prevent SIM swapping fraud, the problem must be approached on two different fronts:
- Strengthen telephone operators’ identity verification when registering SIM cards, issuing duplicate SIM cards and even selling prepaid cards (which also prevents these prepaid cards from being used for terrorist purposes), and use face recognition whenever a SIM card duplicate is requested.
- Use user biometrics as a second authentication factor within the financial industry.
Identity verification when ordering a duplicate SIM card
On the first front, telephone operators, whether remotely or in person, can use MobbScan, our technology for verifying identity when registering new SIM cards, issuing SIM duplicates or even registering prepaid SIM cards.
Our technology helps verify the authenticity of an ID document and confirm that the person presenting it is its real owner through biometric facial recognition.
The telephone operator LEBARA uses Mobbeel’s technology to verify identity for SIM card activation both in face-to-face and in online processes.
Once we have a customer’s facial biometrics associated with their ID card, we can verify that the person who comes to ask for a duplicate SIM card is who they say they are by taking a selfie and comparing their face with the one captured during the registration process using face recognition technology.
This way, we can prevent a fraudster from obtaining a duplicate of a card associated with a telephone line that does not belong to them.
FIDO 2 and the use of biometrics as an authentication factor
To solve the problem created by the use of SMS codes as a second authentication factor, we have jointly developed with Telefónica Tech’s Identity Innovation Lab a solution based on the FIDO2 standard, which allows transactions to be confirmed through secure SMS and biometrics.
In this case, the SMS that is sent requests that the user authenticate through the unlock mechanism of their own mobile device (TouchID, FaceID, pattern or unlock code), making the process much more secure.
Sending this type of more secure SMS helps to prevent bank account access fraud.
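The relying-party side of the FIDO2 flow described above, as an added example that is not Mobbeel’s or Telefónica Tech’s code: the bank’s server checks the assertion returned by the user’s device and, in particular, requires the User Verified flag, which the device sets only after TouchID, FaceID, PIN or pattern unlock succeeded. The relying-party id `bank.example`, its origin and the sample assertion data are constructed assumptions; the final signature check with the public key stored at registration is left to the caller.

```python
# Relying-party checks on a FIDO2/WebAuthn assertion; constructed example, not Mobbeel's or Telefónica's code.
import base64
import hashlib
import json
import struct

RP_ID = "bank.example"            # hypothetical relying-party id
ORIGIN = "https://bank.example"   # hypothetical expected origin
FLAG_UP = 0x01  # User Present: the authenticator was tapped/touched
FLAG_UV = 0x04  # User Verified: TouchID/FaceID/PIN/pattern was performed on the device

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, last_counter: int) -> dict:
    """Return {'ok': False, 'reason': ...} or {'ok': True, 'counter': n, 'signed_message': bytes}.
    The caller must still verify the device's signature over 'signed_message' with the stored public key."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return {"ok": False, "reason": "wrong ceremony type"}
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return {"ok": False, "reason": "challenge mismatch (replayed assertion?)"}
    if cd.get("origin") != ORIGIN:
        return {"ok": False, "reason": "origin mismatch (phishing page?)"}
    if len(auth_data) < 37:
        return {"ok": False, "reason": "authenticatorData too short"}
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (counter,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return {"ok": False, "reason": "rpIdHash mismatch"}
    if not flags & FLAG_UP:
        return {"ok": False, "reason": "user not present"}
    if not flags & FLAG_UV:  # UP alone proves possession of the device, not the biometric/PIN factor
        return {"ok": False, "reason": "user verification (biometric/PIN) not performed"}
    if (counter or last_counter) and counter <= last_counter:
        return {"ok": False, "reason": "signature counter did not increase (cloned authenticator?)"}
    return {"ok": True, "counter": counter,
            "signed_message": auth_data + hashlib.sha256(client_data_json).digest()}

def make_auth_data(flags: int, counter: int, rp_id: str = RP_ID) -> bytes:
    """Constructed minimal authenticatorData: rpIdHash || flags || signCount, no extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)

def make_client_data(challenge: bytes, origin: str = ORIGIN) -> bytes:
    """Constructed clientDataJSON as a browser would produce for navigator.credentials.get()."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()
```

A transaction is only confirmed when every check passes and the signature verifies; an assertion with User Present but no User Verified is rejected, which is exactly the property an SMS OTP cannot offer.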
Therefore, Mobbeel has the technology to help prevent this type of fraud by fighting cybercriminals on both the telephone operators’ side and the financial sector’s side.
If you want to know more about our technology and how we can help you avoid SIM Swapping fraud or use biometrics as a second authentication method, don’t hesitate to contact us!
I am a Computer Engineer who loves Marketing, Communication and companies’ internationalization, tasks I’m developing as CMO at Mobbeel. I am loads of things, some good, many bad… I’m perfectly imperfect.