December 3, 2020

SIM Swap fraud attacks are omnipresent and growing

SIM swap fraud is nothing new and has long been a vulnerability of SMS one-time passcode (OTP) and outbound call-based authentication. In the UK banking sector in particular, it has been the facilitator of many large-scale fraud attacks, and the volume of attacks continues to rise. According to Which?, SIM swap frauds have rocketed over 400% since 2015, while at the same time claiming a number of high-profile victims such as Twitter CEO Jack Dorsey.

As Europe races towards the PSD2 Strong Customer Authentication (SCA) deadlines, the risk is widely expected to increase as the reliance on SMS OTP as an authenticator continues to grow. Despite the acknowledged vulnerabilities of SMS OTP, and the arguably more secure alternatives that are available (such as device recognition), one-time passwords are, for now at least, here to stay. The simple implementation, and the familiarisation users already have with it means we’re likely to see SMS OTP forming a core pillar of many authentication strategies.

What is a SIM swap attack?

So what is a SIM swap attack and how does it happen? SIM swap fraud is the act of a fraudster pretending to be the legitimate customer of a telephone network operator (e.g. O2, Vodafone etc.). They attempt to socially engineer the telephone network and convince them that they need a replacement SIM card for their phone. If successful, this enables the fraudster to take control of the victim’s mobile number, meaning they can intercept vital communications including SMS OTPs and other authentication related activities.

There are, of course, opportunities within this cycle for the fraud to be detected and prevented. The Telcos themselves have the opportunity to recognise that they are speaking to a fraudster when the SIM swap is requested. Though with so many legitimate and urgent rationales for SIM replacements in our mobile-first world, this isn’t always easy. It’s a fine balance to strike between security and expected levels of customer service satisfaction. Telcos have, in recent years, tightened up their call centre and in-store controls, though it’s unlikely this approach will ever fully curb the problem.

Additionally, SIM swap victims are sometimes able to detect that their legitimate SIM has been disabled. This can of course differ by demographic; some consumers spend hours each day using their mobile devices and are therefore quick to realise their network service has been disrupted. Others, however, may use their phones far less frequently, making it less likely they’ll recognise an issue. Even in the short amount of time it takes a savvy customer to recognise something isn’t right and report it, the fraudsters will have had more than enough opportunity to pass any authentication challenges and successfully cash out. The fraudsters also use their own clever battle-ready tactics to reduce victim suspicion. These include executing SIM swaps overnight, giving the victim far less chance of recognising the attack, and sending text messages directly to the victim prior to the SIM swap, warning them of upcoming service disruption and technical outages, thus temporarily reducing the victim’s suspicion when a network connection is lost.

In the end, however, the onus ultimately falls on the bank to adequately protect its customers from SIM swap fraud. It’s the banks, after all, that are liable for reimbursing the victim if their fraud and authentication challenges are breached. For these reasons they simply cannot afford to ignore SIM swap attacks – it would be both expensive and damaging to reputations and customer relationships.

What’s the best defense against SIM swap attacks and other attempts to beat SMS OTP authentication controls?

Firstly, SIM swaps can be detected. Real-time checks to determine if a SIM card has recently been issued for a given phone number are available in a number of EMEA regions. Any bank using SMS or outbound call OTPs in its authentication strategy should deploy this kind of check as a minimum. Tools used to detect SIM swaps can perform live lookups as SMS OTPs occur, to establish if a new SIM has recently been issued for the phone number in use, and to alert to any discrepancies. These checks can also be risk-ranked. For example, a fraudster will typically try to use the SIM card they have obtained very quickly, reducing the risk of the victim realising something is wrong. This means a recent SIM swap is significantly higher risk than one that occurred 2 weeks earlier.

SIM swap checks in isolation are not the answer, however. As well as fraud, there are many legitimate reasons for consumers to obtain new SIM cards – these include new handsets, upgrades and legitimate cases of lost and damaged SIM cards. The end result is that declining authentication requests based on a positive SIM swap check alone is not viable; too many legitimate users would be declined making the false positive rate too high. It therefore becomes important to layer in a SIM swap check as part of a wider, intelligent risk decision.

During events that may typically require SMS OTP authentication – such as payments, password resets, device enrolment and others – there are several other data signals that can be collected and analysed to support the objective of stopping the fraudsters while maintaining a positive user experience for legitimate users.

Introducing decisioning capabilities such as digital identity intelligence, device recognition, location and behavioural analytics, like those offered by LexisNexis® ThreatMetrix®, allow SIM swap outcomes to be used more effectively as part of a wider fraud detection ecosystem.

An example of this might be only declining an SMS OTP with a positive SIM swap check if there is another significant fraud signal, such as a high-risk device. Weaving these data items together in a smart way means that core fraud KPIs such as detection rates remain high, while overall false positive rates and intervention rates remain low.

Banks should also consider alternative criminal approaches when it comes to fraudsters attempting to circumnavigate SMS OTP challenges. Banks will always need to offer a route for customers to update their phone and other contact details, so it is essential that this journey is also adequately protected. The industry standard differs wildly here, from prolonged quarantine periods in which new phone numbers cannot be used to complete authentication challenges, right through to the sophisticated fraud decisions described above.

We’re also starting to see the banks and Telcos working more closely together, with the banks leveraging some powerful Telco data items to further fuel their own risk decisions. For example, when a user attempts to add a new phone number to their banking profile, the bank can cross-reference the personal data it holds on file for that customer with the personal data held by the Telco.
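The two ideas above, a recency-ranked SIM swap check that only declines when another strong signal is present, and a quarantine on newly added contact numbers, can be expressed as a single risk decision. The following Python is an added illustration, not code from the post or from LexisNexis ThreatMetrix. The thresholds (24-hour "high risk" window, 14-day lookback, 48-hour quarantine), the three-level device risk scale and the sample traffic are all constructed assumptions chosen to show the shape of the decision, not recommended values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Policy thresholds: assumed values for illustration only, not taken from the post.
SIM_SWAP_HIGH_RISK = timedelta(hours=24)     # a swap this recent is treated as high risk
SIM_SWAP_LOOKBACK = timedelta(days=14)       # swaps older than this are treated as background noise
NEW_NUMBER_QUARANTINE = timedelta(hours=48)  # a number added this recently cannot receive an OTP yet

# Device intelligence outcome mapped to a score (assumed scale).
DEVICE_RISK_SCORE: Dict[str, int] = {"low": 0, "medium": 1, "high": 3}

# Fixed "current time" so the sample traffic below is deterministic.
NOW = datetime(2020, 12, 3, 9, 0, tzinfo=timezone.utc)


@dataclass
class OtpRequest:
    event: str                         # "payment", "password_reset", "device_enrolment", ...
    sim_issued_at: Optional[datetime]  # result of a live SIM swap lookup; None = no swap on record
    number_added_at: datetime          # when this number was attached to the customer's profile
    device_risk: str                   # "low" | "medium" | "high" from device recognition
    now: datetime                      # evaluation time


def make_request(event: str, sim_age_hours: Optional[float],
                 number_age_hours: float, device_risk: str) -> OtpRequest:
    """Convenience constructor: ages are expressed relative to NOW."""
    sim_issued = None if sim_age_hours is None else NOW - timedelta(hours=sim_age_hours)
    return OtpRequest(event, sim_issued, NOW - timedelta(hours=number_age_hours), device_risk, NOW)


def sim_swap_score(req: OtpRequest) -> int:
    """Risk-rank the SIM swap lookup by recency: a swap used within hours is far
    more suspicious than one from two weeks ago."""
    if req.sim_issued_at is None:
        return 0
    # A future-dated issue time (clock skew) is treated as "just issued", never as "old".
    age = max(req.now - req.sim_issued_at, timedelta(0))
    if age < SIM_SWAP_HIGH_RISK:
        return 3
    if age < SIM_SWAP_LOOKBACK:
        return 1
    return 0


def decide_sms_otp(req: OtpRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "decline", reasons).

    A positive SIM swap check on its own never declines (too many legitimate swaps);
    a very recent swap combined with a high-risk device declines; anything moderately
    risky is routed to a non-SMS authenticator ("step_up") instead of being blocked.
    """
    reasons: List[str] = []
    # Contact-detail change journey: a freshly added number is quarantined for SMS OTP use.
    if req.now - req.number_added_at < NEW_NUMBER_QUARANTINE:
        return "step_up", ["phone number added within quarantine period"]

    swap = sim_swap_score(req)
    device = DEVICE_RISK_SCORE[req.device_risk]
    if swap:
        reasons.append(f"SIM issued {req.now - req.sim_issued_at} ago (score {swap})")
    if device:
        reasons.append(f"device risk {req.device_risk} (score {device})")

    if swap >= 3 and device >= 3:
        return "decline", reasons          # two strong, independent signals
    if swap + device >= 3:
        return "step_up", reasons          # one strong signal: avoid SMS, do not block
    return "allow", reasons


def sample_requests() -> List[Tuple[str, OtpRequest]]:
    """Constructed sample traffic with ground-truth labels, used only to show the KPI trade-off."""
    return [
        ("fraud", make_request("payment", 2, 24 * 400, "high")),          # swapped 2h ago, bad device
        ("legit", make_request("payment", 72, 24 * 400, "low")),          # new handset three days ago
        ("legit", make_request("password_reset", None, 24 * 900, "low")),
        ("fraud", make_request("device_enrolment", None, 5, "high")),     # number changed 5h ago
        ("legit", make_request("payment", 24 * 30, 24 * 400, "medium")),
        ("legit", make_request("payment", 6, 24 * 400, "low")),           # lost SIM replaced this morning
    ]


def kpis(labelled: List[Tuple[str, OtpRequest]]) -> Dict[str, float]:
    """Detection rate = share of fraud not allowed through; false positive rate =
    share of legitimate requests that received any intervention (step-up or decline)."""
    fraud_total = fraud_caught = legit_total = legit_intervened = 0
    for label, req in labelled:
        decision, _ = decide_sms_otp(req)
        if label == "fraud":
            fraud_total += 1
            fraud_caught += decision != "allow"
        else:
            legit_total += 1
            legit_intervened += decision != "allow"
    return {"detection_rate": fraud_caught / fraud_total,
            "false_positive_rate": legit_intervened / legit_total}


if __name__ == "__main__":
    for label, req in sample_requests():
        print(label, req.event, decide_sms_otp(req))
    print(kpis(sample_requests()))
```

On the sample traffic the recent-swap-plus-bad-device payment is declined, the quarantined number is stepped up, the customer who replaced a lost SIM that morning is stepped up rather than blocked, and the three-day-old handset upgrade sails through. Tuning the thresholds shifts the balance between detection rate and the intervention rate seen by legitimate users, which is the trade-off the post describes.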

As these SIM swap and general authentication threats continue to loom large, it will become ever more important for banks and Telcos to continue to grow their evolving working relationship. A robust army of joined-up thinking, shared intelligence and innovative adoption of new technology will be the best defense against a strong, resilient and ever-evolving onslaught from fraudsters.
