The convenience and power of using mobile devices are astounding. With more than 14 billion mobile devices worldwide, they’ve become more than just communication devices; they are increasingly becoming a core part of our integrated digital lives. Mobile devices now act as authentication devices, storing a wealth of personal information and providing entry points to numerous online services, including email, banking and social media accounts. But the threat of SIM-swap fraud puts all that information and those accounts at risk. Protecting customers from this risk, which can quickly cause substantial financial harm, is now a fundamental requirement of doing business.
What is SIM-swap fraud?
A SIM swap is a type of account takeover fraud where a fraudster ports someone’s phone number to their SIM card through social engineering. Once the number is switched, the fraudulent actor can bypass any OTP (one-time passcode) set for the account, as well as create new accounts using that phone number.
According to Allison Nixon, the director of research at the security firm Flashpoint, “SIM swapping is proliferating, and it is going to keep proliferating until companies deal with this. I’ve been looking at the criminal underground for a long time, and SIM swapping bothers me more than anything I’ve seen.”
As these types of attacks can access valuable financial accounts and other sensitive information, the risk is significant. In one case alone, someone lost half a million in Bitcoin in minutes due to a takeover of a text messaging verification code. Beyond that, there's a risk of significant reputational damage if someone gets hold of your social media accounts. For example, the Twitter accounts of numerous celebrities and world figures were hacked, sending out messages with fraudulent payment links around the globe.
Protecting your customers and your business
As there are more than five billion mobile phones in use, measures to protect consumers and brand reputation are essential. As Aseem Sadana, group COO at IMImobile states:
Despite advances in technology, SIM-swap fraud continues to be difficult to detect and prevent, as fraudsters are adapting their techniques.
One practical measure is checking the SIM profile at key points in the customer journey, like during onboarding or when changes are made to the account. SIM-swap fraud detection determines if the sim card associated with a number has been swapped and evaluates the likelihood it’s been done to complete a fraudulent transaction.
Identity and fraud prevention with GlobalGateway MobileID
SIM-swap fraud detection is one of the features available in MobileID. Depending on requirements, various layers of mobile data can be combined with data points from other channels to help provide a holistic identity and fraud prevention solution.
For example, in scenarios where a bad actor provides their phone number instead of the victim’s, the identity details on file will not match carrier details.
Or, you can detect fraud where a SIM swap has occurred and a bad actor already has control of the victim's phone number. Even if submitted personally identifiable information (PII data) and a new account OTP verification match records, SIM-swap fraud detection can flag this transaction as highly likely to be fraudulent.
SIM-swap fraud detection is only one of many data points available from Mobile Network Operators (MNOs). These data sources have information about mobile users that includes name, mobile number and address, as well as device information like geolocation, usage and billing data.
Understanding device risk with Mobile Risk Score
Another feature is Mobile Risk Score, which takes up to three phone numbers per transaction and returns a reputation score for each number. The mobile risk score is based on phone number intelligence, traffic patterns, machine learning and global data sources.
One common strategy for MobileID is verifying thin-file customers, who might have a phone but no credit history. With more data coverage, you can access more customers and increase your business opportunities while still performing identity verifications.
Other use cases focus on combining data from MNOs with other data sources and channels to optimize identity intelligence. Relying on a single data source may be risky; systems with one data source have one point of failure, corrupted data can’t be offset, and varying data sets can’t be analyzed and optimized for maximum insight and performance.
Creating workflows that consider multiple signals and techniques provides robust and adaptable fraud prevention measures. Preventing SIM-swap fraud is a strong reason, but not the only reason, to consider adding MobileID to your identity verification and fraud prevention processes.