Physical SIM cards are no longer the only link between subscriber and carrier. The days when you had to wait for your physical SIM to arrive in the post or collect it from a store, then hunt for a paperclip, are thankfully over. eSIMs have dematerialised access to mobile services, and anyone can now get connected instantly, anytime and from anywhere.
This new digital form of connectivity has created business opportunities for incumbent Mobile Network Operators (MNOs) and Mobile Virtual Network Operators (MVNOs) alike, as well as for new market entrants such as SIM marketplaces and neo-telcos. Even banks have started providing connectivity to their customers so they can transact anywhere in the world.
But fraudsters are innovating too, taking advantage of the speed at which eSIMs grant connectivity to commit crime. eSIMs have made it easier than ever to carry out SIM swap attacks and take over phone numbers. In this blog post, we explain what SIM swap is, why telcos should be concerned, and which tools are available to help prevent it.
Attackers exploit the over-reliance on, and assumed security of, SMS-delivered One Time Passcodes. When the phone number is used as a factor in two-factor authentication (something you know, something you have, or something you are), the assumption is that it is something only the legitimate user has access to. This is not the case: taking over a phone number is as simple as registering the number to a new SIM card or eSIM. The weak link in the number porting process is the call centre and its human agents.
Criminals have found ways to exploit the weaknesses of call centre agents. One is the impersonation attack. The attacker gathers personal information on the victim through a variety of methods, such as phishing, publicly available information on social media, or data breaches of the operators themselves (see the AT&T breach). When interacting with customer support, they use the victim's information to impersonate them and request a replacement physical SIM card or the deployment of an eSIM to a new device. Another is bribery, which can be rife amongst low-paid, high-turnover and highly pressured staff. Although it is difficult to get a clear picture of how common bribery is, there are numerous press articles and, at the time of writing, the latest occurrence was at T-Mobile (see this article).
Once they have taken over the phone number, they begin taking over the victim's accounts, receiving one-time SMS codes from the victim's bank and other service providers. The victim is likely to have no idea the SIM swap has happened until their mobile phone disconnects from the network. The Guardian describes an attack from the victim's perspective, highlighting just how harmful the consequences of SIM swap can be, and how easy it is not to notice until it is too late.
SIM swap isn't new; it existed long before eSIMs came about. But eSIMs have made this type of attack faster and more scalable. Where criminals previously had to wait to physically retrieve the victim's SIM card to perform an attack, eSIMs now make it possible to commit the crime remotely, shortening the time-to-crime.
This increases both the likelihood and the impact of harm for those who fall victim to a SIM swap attack, as well as the scale of the problem itself. While we do not have a figure for the full scale of SIM swap fraud at the time of writing (April 2024), indications are that it isn't as low as one would hope. In 2022, the FBI reported 2026 SIM swapping incidents, at a cost of over USD 72 million for the US alone (source: Federal Bureau of Investigation - Internet Crime Report 2022).
Certain cyber security agencies, such as ANSSI in France (report in French), have been calling for a 24-hour delay between the moment a SIM transfer is requested and the moment the transfer happens. They also call for carriers to warn their customers about any SIM transfer request, as many other digital services do for password resets. ENISA recommends using AI to pick up signals of abnormal activity at the time of the SIM transfer request: "[i]f abnormal behaviour is detected (e.g. sudden change of the IP address location, several concurrent connections from different IP addresses), the MNO is alerted in real-time in order to block the SIM-swapping process".
The identity solutions the telecommunications industry has worked on, such as Mobile Connect, do not solve this issue; they suffer from the same risk of account takeover via SIM swap. Secure recovery is as important to Mobile Connect as it is to any other operator service.
Are the measures recommended by ANSSI and ENISA enough to prevent the attacks? What about legitimate SIM transfer requests?
Take, for example, a diabetic person who relies on their smartphone to monitor blood sugar levels via an application and wearable medical technology. If the monitoring application is protected by two-factor authentication and the person loses their phone or is robbed, a 24-hour wait to retrieve their phone number and regain access to the application is blatantly unacceptable. This Android Police article, published in April 2024, shows that medical emergencies like this one are more likely than we realise, and that digital services lack properly implemented recovery and replacement processes.
While mobile operators are moving on from physical SIM cards, billions of people worldwide still carry a physical chipped identity: the chip in their identity document can play a vital role in keeping telecoms customers safe from SIM swap. Government-issued identity document chips are highly secure and contain the one authoritative, verifiable version of your identity.
NFC-based identity verification consists of checking the authenticity of a customer's identity document by reading the chip inside it. Because mechanisms inside the chip prevent fraudulent manipulation or duplication attempts from going undetected, document chip verification is the only reliable way to check whether an identity document is authentic. Coupled with biometric verification of the holder, including liveness checks, NFC-first identity verification is the most reliable way to confirm that the user applying for a SIM port is who they claim to be. With NFC-first identity verification, legitimate users can port their number to a new SIM within minutes, while imposters are stopped in their tracks. This significantly improves both customer experience and security.
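To make the decision flow concrete, here is an added example (not code from the original post, and not any operator's actual system) that ties together the controls discussed above: the ENISA-style behavioural signals at request time (sudden IP geolocation change, several concurrent connections from different IP addresses), the ANSSI-style 24-hour hold with a customer warning, and an NFC chip plus liveness verification result as the fast path that lets a legitimate user port within minutes. The data model, the session history, the IP addresses and the `decide` policy are all assumptions constructed for illustration.

```python
"""Decision logic for a SIM transfer (port / eSIM activation) request.

Added example, not the page's or any operator's code. It models three
outcomes for a request: approve (NFC chip + liveness verified), deny and
alert the fraud team (identity check failed, or anomaly signals with no
identity proof), or hold for 24 hours with a customer notification
(no anomaly signals but no identity proof either).
All session and request data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

HOLD_PERIOD = timedelta(hours=24)   # ANSSI-style delay before a transfer takes effect


@dataclass
class Session:
    ip: str
    country: str
    started: datetime
    ended: Optional[datetime] = None   # None means the session is still active


@dataclass
class Identity:
    chip_authentic: bool    # document chip passed its authenticity checks
    liveness_match: bool    # live face matched the portrait read from the chip


@dataclass
class TransferRequest:
    msisdn: str
    requested_at: datetime
    request_ip: str
    request_country: str
    identity: Optional[Identity] = None   # None: no NFC verification was performed


@dataclass
class Decision:
    action: str                      # "approve" | "deny" | "hold"
    reasons: List[str] = field(default_factory=list)
    release_at: Optional[datetime] = None
    notify_customer: bool = False
    alert_fraud_team: bool = False


def risk_signals(req: TransferRequest, history: List[Session],
                 window: timedelta = timedelta(hours=24)) -> List[str]:
    """Return the ENISA-style anomaly signals present for this request."""
    signals = []
    recent = [s for s in history if s.started >= req.requested_at - window]
    # Sudden change of location: the request country matches none of the recent sessions
    if recent and all(s.country != req.request_country for s in recent):
        signals.append("geolocation_change")
    # Several concurrent connections from different IP addresses
    active_ips = {s.ip for s in recent
                  if s.ended is None or s.ended >= req.requested_at}
    active_ips.add(req.request_ip)
    if len(active_ips) > 1:
        signals.append("concurrent_sessions")
    return signals


def decide(req: TransferRequest, history: List[Session]) -> Decision:
    """Apply the transfer policy; the customer is always notified of the request."""
    signals = risk_signals(req, history)
    if req.identity is not None:
        if req.identity.chip_authentic and req.identity.liveness_match:
            # Fast path: verified holder ports within minutes, anomalies are only logged
            return Decision("approve", ["nfc_identity_verified"] + signals,
                            notify_customer=True)
        return Decision("deny", ["nfc_identity_failed"] + signals,
                        notify_customer=True, alert_fraud_team=True)
    if signals:
        return Decision("deny", signals, notify_customer=True, alert_fraud_team=True)
    return Decision("hold", ["no_identity_proof"],
                    release_at=req.requested_at + HOLD_PERIOD, notify_customer=True)


# Constructed sample data (documentation IP ranges, fictitious subscriber)
NOW = datetime(2024, 4, 15, 10, 0, tzinfo=timezone.utc)
HISTORY = [
    Session("203.0.113.7", "FR", NOW - timedelta(hours=3)),          # still active at home
    Session("203.0.113.7", "FR", NOW - timedelta(days=2),
            ended=NOW - timedelta(days=2) + timedelta(hours=1)),      # outside the window
]
ENDED_HISTORY = [Session("203.0.113.7", "FR", NOW - timedelta(hours=3),
                         ended=NOW - timedelta(hours=1))]

SUSPICIOUS = TransferRequest("+33600000000", NOW, "198.51.100.9", "RO")
LEGIT_NFC = TransferRequest("+33600000000", NOW, "203.0.113.50", "FR",
                            identity=Identity(chip_authentic=True, liveness_match=True))
PLAIN = TransferRequest("+33600000000", NOW, "203.0.113.7", "FR")

if __name__ == "__main__":
    for name, req, hist in [("suspicious", SUSPICIOUS, HISTORY),
                            ("legit_nfc", LEGIT_NFC, HISTORY),
                            ("plain", PLAIN, ENDED_HISTORY)]:
        print(name, decide(req, hist))
```

The three constructed requests exercise each branch: a request from abroad while a home session is still active is denied and escalated; the same concurrent-session anomaly is tolerated when the holder has passed chip and liveness verification, so the port is approved immediately; and a request with no anomalies but no identity proof is held for 24 hours while the customer is warned.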