SIM Swap Fraud: How this 90s technology has stood the test of time

The early 1990s was a time of boy bands, neon windbreakers and flat top haircuts. It was also the start of the dotcom boom, with the invention of the World Wide Web and the explosion in the adoption and use of internet technologies. Among those rising stars was the Subscriber Identity Module, better known as the SIM card. The introduction of the SIM card revolutionized the telecommunications industry. This tiny piece of technology was an easily removable, portable memory chip that acted as the brain of a mobile device.

SIM cards may not be widely acknowledged as a revolutionary technology any longer, but they are indirectly an important component in keeping your personal data safe. In fact, that one tiny microchip can serve as a crucial link for fraudsters to leverage as a means of denying unwitting individuals’ access to their cellphone, draining their bank accounts, or running up illicit credit card charges through fraudulent purchases.

SIM swap fraud: A case of imitated identity

What is SIM swap fraud? At a high level, SIM swap fraud involves bad actors using personal data to transfer victims’ cellphone numbers to the attackers’ own SIM cards in order to gain access to incoming calls, text messages, and security prompts. Bad actors can then use this SIM swap to gain access to communications that should have gone to the victim. But how is that even possible? Let’s break down how SIM swap fraud works. To start, scammers gather some personal information about their victim by either buying it off the dark web or scraping public information on social media sites. To make sure they have the right information they may even contact the victim directly with an excuse. Next, the fraudster will call the victim’s mobile carrier, impersonating them and claiming they have lost or damaged their SIM card. They then ask for a new SIM card to be activated, and voilà: the fraudster has unlocked the portal to a treasure trove of information about the victim and their contacts.

Now you may be asking, how can fraudsters fill out my information or answer my security questions? That’s where the data they’ve extracted through phishing emails, malware, the dark web, or your unique social media accounts becomes useful. Once they are connected to your cellphone number, fraudsters can access your communications with banks and other organizations — in particular, they can receive any codes or passwords sent to that mobile device via call or text-based authentication for any of your accounts. And that’s it: they’re in.

From that point on, making money with SIM swap fraud is a breeze. Bad actors can make purchases from your retail accounts with the stored payment information or get into your bank account and transfer funds elsewhere.

Still not convinced? In the past few years, and especially in Europe, there’s been a dramatic rise in SIM swap fraud by as much as triple-digit percentage rates. And even more recently, cybercriminals have been leveraging this scheme to make off with cryptocurrencies, demonstrating just how sophisticated social engineering attacks (aided by the theft of SIM cards) are becoming.

A unique problem requires a unique solution

Fighting fraudsters’ sophisticated, high-tech schemes demands several layers of defense that can paint a picture of who is a legitimate customer, and who is not. Victims of SIM swaps may only realize their SIM cards are compromised and numbers ported onto a different mobile device when they lose their network access, or when they discover they have lost access to bank accounts. By then, it’s often too late, even if it’s only a few minutes, and the damage has been done.

For most merchants and financial institutions, existing security solutions are often based on static data like passwords, one-time codes or, at a higher level, two-factor authentication. But it’s now critical for companies to incorporate additional layers of security beyond simple credentials. Efforts to secure users’ data and guard against the consequences of SIM swap fraud can get a boost from advanced technologies that analyze (via behavioral analytics or passive biometrics) how someone is actually interacting with a platform – in real time.

NuData helps by turning behavior against them

Behavioral analytics examines a user’s unique online behavior, looking at information such as when users start an online session, how long it takes them to complete transactions or interactions, whether they change their password, and how long it takes the user to surf web pages. Analyzing online behavior at the individual level can help fraud prevention organizations build up profiles that separate good users from fraudsters.

NuData Security, through its server-to-server solution, gathers data points from across several layers of intelligence to create a holistic view of a consumer. This helps companies realize, even if the credentials and SMS code are correct, that the user’s behavior is inconsistent with past patterns, thwarting the goal of SIM swap fraud. Having this level of understanding of real-world aspects helps verify the user behind the device, allowing companies to let trusted users proceed seamlessly and only introduce additional challenges or frictions where warranted – leaving SIM swap fraud in the past, between bright yellow windbreakers and flat-top haircuts, where they all belong.