Man holding phone and standing on giant SIM card

Preventing SIM Swapping at Financial Institutions

 A Surprisingly Effective Global Low-Tech Threat

Imagine all of your incoming texts and calls being routed to a stranger intent on accessing your private accounts. Unfortunately, this is a reality that affects people around the globe, thanks to an increasingly common scam used by criminals to impersonate mobile phone users, steal money and cause great damage.

It’s called SIM swapping, and these attacks are so prevalent and so effective at circumventing two-factor authentication (2FA) protections that the FBI has issued a warning to financial and crypto companies.

SIM swap scams are not limited to one geography or set of user attributes; anyone who uses a mobile phone is a potential target. Even the most tech-savvy and highly resourced individuals can be affected — from the CEO of Twitter to celebrities and Bitcoin users.

In this first post of our Risk Management blog series, we’re covering SIM swapping: what it is, how it works, how it’s evolving and ways to protect against it.

What is SIM Swapping and How Does it Work?

A SIM, or subscriber identity module, card is the technology that identifies and authenticates you so your telecommunications provider knows where to direct your calls and texts.

A SIM swap allows a hacker to take a person’s cellular number and reassign it to themselves. In doing so, they are able to impersonate the victim and gain access to secure codes and one-time passwords (OTPs) commonly sent via SMS. But how do they accomplish the swap in the first place?

It starts when the hacker obtains personal information, and then contacts the victim’s telecom provider to report a lost or stolen phone or SIM card. Once they’ve convinced the telecom employee of their (assumed) identity, it’s as simple as requesting a new SIM card or transferring the account to their own SIM. At this point, the victim’s SIM card is disconnected, and any phone calls or SMS intended for them (including secure codes or one-time passwords) are routed to the attacker’s mobile phone instead.

SIM Swap Telecom operator ‘ports’ the number to the fraudster’s SIM The fraudster now receives victims’ SMS and phone calls The fraudster steals money and wrecks havoc Scam Process

If you are one of the luckier victims of a SIM swap, you’ll notice that you’ve missed calls or texts. But too often, by the time the missed communications are detected, much of the damage has already been done. And alarmingly, SIM swap scammers are inventing more plausible stories and finding new ways to reroute texts without detection.

The difficulty in this type of scam is the effective impersonation of individuals. Spotting and safeguarding against these impersonators is only difficult for institutions that rely on the limited combination of a small set of factors like passwords, OTPs and IP address checks to verify identity.

Yet when people interact with their mobile devices, they unwittingly utilize predictable behaviors and biometric tells that are easy to spot using the right technology.

Implementing a well-rounded threat and fraud detection solution that incorporates these behaviors — and safeguards the online digital experience across all digital channels — is critical for financial institutions that want to protect their customers from SIM swapping. HID Global’s Risk Management Solution uses AI and machine learning to detect, record and analyze users' behavioral biometrics (including clicks on a website or taps on a phone) to ensure accurate identity verification. This enables financial institutions to minimize vulnerabilities and address the full scope of digital threats, from SIM swaps to zero-day malware — without patching together software from various vendors.

Although it remains up to telecom providers to stop SIM swaps as they happen, the HID Risk Management Solution can stop attackers from abusing stolen accounts. If a SIM swap does occur, the attacker won’t be able to conduct transactions or steal money.

To learn more about next generation fraud detection based on deep behavioral profiling and machine learning, take a look at this ultimate guide to risk management systems.

Ondrej Valent is a Sales Director of Consumer Authentication within HID Global and has more than a decade of experience in IT Security. Leading the Global Sales Team and Sales strategy. Ondrej has profound technical background and has extensive experience with Financial Institutions, advising on Regulatory initiatives, Operational Risk, Governance and Compliance bringing a wealth of knowledge on how organizations can create greater user experience while meeting their security requirements. Prior to HID Global Ondrej led the sales strategy at FireEye, Gemalto and SafeNet.