SIM Swap Fraud: The King of Account Takeovers

5th April 2019
PJ Rohall, Fraud and Financial Crime Expert

Picture this: You lose mobile phone connectivity. Then you start getting password reset emails for your different apps and accounts. You know something is wrong, and attempt to log in to your banking and email accounts, but the passwords have all been reset. Everything goes dark and you have no access to or control over your accounts. Everything, right down to account notifications, is in somebody else’s hands.

What is SIM Swap Fraud?

SIM Swap Fraud is a terrifying ordeal. It happens in an instant and you have no idea what damage is being inflicted. But what exactly is it? SIM Swap Fraud is the unauthorized porting of a mobile number to a SIM card that is controlled by a fraudster. Legitimate customers commonly request to keep their mobile number when changing networks. Unfortunately, fraudsters have found a soft spot in security and get numbers ported to new or replacement SIM cards by pretending to be the customer. By doing so, fraudsters can gain access to the data associated with the mobile number (e.g. apps and accounts) and unleash subsequent account takeovers and monetization schemes.

Weak authentication and lax identity checks turn customers into targets

How can it be this easy? There are multiple issues at play. To start, authentication by mobile phone providers is often relatively weak, and in some cases non-existent. As illustrated in a piece by BBC’s Watchdog Live, some mobile phone shops are bypassing basic identity checks to issue replacement SIM cards to potential criminals. Another issue is the prevalence of social engineering. Even when faced with stronger authentication procedures, skilled fraudsters use social engineering techniques to obtain the identity information needed to convince mobile providers that they are a genuine customer – getting a new SIM card and porting the number over is simple once this initial hurdle is cleared.

SIM Swap Fraud opens the door to other types of Account Takeover Fraud

SIM Swap Fraud is sometimes referred to as “The King of Account Takeovers”. This is because it is not the fraudster’s end game: instead, SIM swap is merely an entry point into multiple other account takeover schemes. Once they have access to a customer’s phone number and the information associated with it, they have almost limitless options. Fraudsters will look to take over email accounts, bank accounts, social media accounts and more. A critical soft spot is multi-factor authentication through one-time passwords (OTPs) sent via SMS text to the mobile phone.

Many account holders rely on this form of multi-factor authentication, and in the case of SIM Swap Fraud, the OTP is sent directly to the fraudster. Checkmate.

With critical data and the key to customer accounts at hand, fraudsters may try to gain access to more sensitive information, such as information associated with an email or Google account, or they may choose to move directly to bank accounts to monetize their operation. They can hatch schemes to scam friends and family. They can use a phone number to execute vishing attempts. They can continue to bypass two-factor authentication to push through high value, high risk bank transfers to accounts they own. The options are endless.

[Figure: SIM Swap Fraud account takeover statistics]

Closing the loophole

Lax authentication by mobile providers is out of the immediate control of those affected by downstream account takeovers, such as banks, merchants and ultimately the customers. It is therefore vital that organizations have appropriate fraud controls in place to ensure that SIM Swap does not result in further Account Takeover Fraud and monetary losses.

SIM Swap Fraud exposes the vulnerabilities of two-factor authentication. The good news is Adaptive Behavioral Analytics understands behavior across the customer journey and creates individual customer profiles that are constantly updated. Even if the fraudster executes a SIM Swap and bypasses two-factor authentication, Adaptive Behavioral Analytics spots changes in the known good behavior of the individual customer. Taking in non-monetary and monetary information to enrich the profile along every step of the way, a system using Adaptive Behavioral Analytics provides appropriate risk-based alerts, protecting against fraudulent activity and monetary loss.
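The two points above, that an SMS OTP delivered right after a SIM change proves nothing, and that a per-customer behavioral profile can still catch the takeover, can be shown in a small risk-scoring loop. The following is an added example written for this page; it is not Featurespace code and does not reflect how Adaptive Behavioral Analytics is implemented. It assumes the organization receives a SIM-change signal for the number (for example from a carrier lookup service or its own telemetry), represented here as a `sim_change` event, and the weights, the 72-hour window and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional, Set, Tuple

# Hypothetical tuning values; a real deployment would calibrate them on its own data.
SIM_CHANGE_WINDOW = timedelta(hours=72)   # how long a SIM change keeps the account "hot"
ALERT_THRESHOLD = 60


@dataclass
class Profile:
    """Baseline of one customer's known-good behaviour, updated as events arrive."""
    known_devices: Set[str] = field(default_factory=set)
    transfer_amounts: List[float] = field(default_factory=list)
    last_sim_change: Optional[datetime] = None

    def learn(self, event: dict) -> None:
        if event["type"] == "sim_change":
            self.last_sim_change = event["ts"]
            return
        self.known_devices.add(event["device"])
        if event["type"] == "transfer":
            self.transfer_amounts.append(event["amount"])

    def amount_is_unusual(self, amount: float) -> bool:
        if not self.transfer_amounts:
            return False
        m = mean(self.transfer_amounts)
        threshold = max(m + 3 * pstdev(self.transfer_amounts), 2 * m)
        return amount > threshold


def score_event(event: dict, profile: Profile) -> Tuple[int, List[str]]:
    """Risk-score one non-monetary or monetary event against the customer's profile."""
    score, reasons = 0, []
    recent_swap = (profile.last_sim_change is not None
                   and event["ts"] - profile.last_sim_change <= SIM_CHANGE_WINDOW)
    if recent_swap:
        score += 30; reasons.append("sim_change_within_window")
        if event.get("auth") == "sms_otp":
            # The OTP only proves possession of the number, which is exactly
            # what a SIM swap steals, so it adds risk rather than removing it.
            score += 30; reasons.append("sms_otp_after_sim_change")
    if event["device"] not in profile.known_devices:
        score += 15; reasons.append("new_device")
    if event["type"] == "password_reset":
        score += 10; reasons.append("credential_change")
    if event["type"] == "transfer" and profile.amount_is_unusual(event["amount"]):
        score += 25; reasons.append("transfer_amount_unusual")
    return score, reasons


def run(events: List[dict], profile: Profile) -> List[Tuple[str, int, str, List[str]]]:
    """Process events in order; the profile learns only from events that do not alert."""
    out = []
    for ev in events:
        if ev["type"] == "sim_change":
            profile.learn(ev)   # the SIM change is a signal about the number, not a customer action
            continue
        score, reasons = score_event(ev, profile)
        decision = "ALERT" if score >= ALERT_THRESHOLD else "allow"
        if decision == "allow":
            profile.learn(ev)
        out.append((ev["type"], score, decision, reasons))
    return out


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data: a month of ordinary transfers from the customer's own phone ...
HISTORY = [
    {"ts": T("2019-03-04T10:00"), "type": "transfer", "device": "phone-A", "auth": "sms_otp", "amount": 120},
    {"ts": T("2019-03-11T10:00"), "type": "transfer", "device": "phone-A", "auth": "sms_otp", "amount": 95},
    {"ts": T("2019-03-18T10:00"), "type": "transfer", "device": "phone-A", "auth": "sms_otp", "amount": 140},
    {"ts": T("2019-03-25T10:00"), "type": "transfer", "device": "phone-A", "auth": "sms_otp", "amount": 110},
]
# ... followed by one normal transfer, then a SIM change and a takeover sequence from a new device.
SAMPLE_EVENTS = [
    {"ts": T("2019-04-01T12:00"), "type": "transfer", "device": "phone-A", "auth": "sms_otp", "amount": 130},
    {"ts": T("2019-04-05T09:00"), "type": "sim_change"},
    {"ts": T("2019-04-05T09:20"), "type": "login", "device": "phone-B", "auth": "sms_otp"},
    {"ts": T("2019-04-05T09:25"), "type": "password_reset", "device": "phone-B", "auth": "sms_otp"},
    {"ts": T("2019-04-05T09:40"), "type": "transfer", "device": "phone-B", "auth": "sms_otp", "amount": 4800},
]


def demo() -> List[Tuple[str, int, str, List[str]]]:
    profile = Profile()
    for ev in HISTORY:
        profile.learn(ev)
    return run(SAMPLE_EVENTS, profile)


if __name__ == "__main__":
    for kind, score, decision, reasons in demo():
        print(f"{kind:15} {score:3} {decision:5} {', '.join(reasons)}")
```

The design choice worth noting is that an SMS OTP success inside the SIM-change window raises the score instead of clearing the event: possession of the number is the one factor the fraudster is guaranteed to hold. The pre-swap transfer from the usual device scores zero and is learned into the profile, while the login, password reset and large transfer from the new device each alert and are not learned, so the baseline is not polluted by the takeover itself.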

SIM Swap Fraud presents significant risk to any account that can be accessed from a mobile device — and today, that is just about all of them. The best defense is strong authentication and fraud prevention.