SIM card fraud unfortunately manifests itself in a number of ways, but one of the most pernicious forms is the SIM card swap. In a SIM card swap, a hacker or bad actor obtains the personal information and mobile number of an unsuspecting individual, then uses that information to request a new SIM card from the victim’s mobile provider. Once received and placed into the bad actor’s mobile device, that SIM card gives the hacker the ability to access SMS codes and change the victim’s passwords, enabling unfettered access to bank and financial accounts, and much more.
The prevalence of SIM card fraud has risen sharply since the onset of COVID-19, driven primarily by increased customer reliance on remote access procedures, decreased customer willingness to visit local branches and greater hacker interest in SIM card-focused social engineering attacks. These trends have resulted in approximately $100 million in losses in the United States in 2021 alone.
Measuring the impact of SIM card swapping
The most obvious impact of SIM card swapping is monetary loss, such as the $100 million figure cited above. Seemingly anyone can be a victim or perpetrator: in 2019, Twitter CEO Jack Dorsey was famously a victim of a SIM card swap, and the year prior, a fifteen-year-old was able to steal $23 million in cryptocurrency from one victim alone.
Ultimately, the responsibility for these losses falls on the customer, not the provider. At first this may seem like a positive for mobile providers, who undoubtedly would not want to be on the hook for such high dollar figures, but it can have a sizeable impact on the provider’s reputation. Customers increasingly do not want to do business with providers who don’t take their security seriously, and high-profile instances of identity theft and fraud can have a lasting negative impact on how providers are perceived.
Current methods used for SIM card registration and replacement
Historically, the SIM card registration process, by which a new customer enrolls with a mobile provider and provides their personal details, has been performed in person at a local office or branch. This face-to-face workflow is by and large a very secure process, giving providers a strong foundation to get to know their customers and provide their services with the confidence that the user is in fact authorized and legitimate. Increasingly, however, this process has become available remotely due to the perceived inconvenience of in-person procedures; this has only accelerated in recent years because of the COVID-19 pandemic.
Remote replacement procedures performed online or over the phone are inherently less secure than in-person ones, because they rely on increasingly fraud-prone authentication methods, such as passwords. With identity theft at an all-time high of late, it has become easier and easier for bad actors to impersonate a victim and obtain a SIM card replacement fraudulently. To combat this, mobile providers are researching and implementing stronger authentication methods than traditional ones.
Biometric authentication to reduce SIM card fraud
For providers seeking to improve security for their customers without adding inconvenience, biometric authentication presents a strong option. Unlike passwords and PINs, biometrics take advantage of the uniqueness of our physical features and characteristics, increasing security dramatically and greatly reducing a bad actor’s ability to impersonate customers.
Contemporary biometrics don’t require special hardware and are performed as easily as a person taking a selfie. Modern biometric technologies are mobile, using the cameras and microphones on today’s smartphones and devices to perform a facial capture or voice prompt from a user wherever that person may be. The face or voice presented is then matched against the user’s existing biometric profile, ensuring the user is in fact the authorized individual.
Because biometrics rely on something you are instead of something you know, like a password or the answer to a security question, a customer’s means of authenticating himself or herself cannot be stolen by a malicious party.
Biometric authentication is also fast, ensuring a high level of convenience for users. Today, highly secure facial or voice recognition can take place in seconds via a mobile device, using the cameras and microphones already included. No special hardware is needed, and the entire authentication process can be natural and frictionless.
Additionally, biometric authentication software can replace contemporary authentication methods such as passwords relatively quickly and easily with minimal implementation concerns. Providers can continue to maintain their existing workflows for SIM card registration and replacement; the only change is how users authenticate themselves.
With SIM card fraud on the rise globally, and passwords increasingly outdated and fraud-prone, now is an ideal time for mobile providers to review their authentication procedures and investigate proven alternatives. Too much is on the line not to do so.