If you’re building for mobile and are concerned about SIM swap fraud compromising your users, you’re not alone. It’s a growing issue with serious financial consequences – fintechs and cryptocurrency wallets have been especially targeted, but any platform is at risk if it can be used to gather details about potential victims or gain unauthorised administrative access to a widely used system. All it takes is one compromised user to cause major damage.
But with so many mobile security solutions now available, it can be daunting to work out the best way to authenticate real users and keep the bad ones out.
In this blog, we’ll break down the differences between the most popular ways to identify users and compare how susceptible they are to SIM swap attacks, before explaining the best solution for both user experience and powerful security, capable of stopping fraudsters at the gate.
Passwords are the most common ‘knowledge’ factor of security; the user proves their identity by providing something that only they know. They remain so popular because they’re easy to set up and universal. However, it’s now widely agreed that passwords are the weakest form of authentication, because knowledge can be shared and stolen.
In order to verify that a password is correct, you have to store it on a database. This data, even when it’s encrypted, is constantly being breached; even the ‘strongest’ password is only as strong as the database it’s stored in.
The other problem with passwords is that most users access hundreds of different password-based services. Realistically, this means the same password (or a small variation) is being recycled across many services, so one credential breach opens many other vulnerabilities.
On the other hand, a diligent user must memorise hundreds of different strong, unique passwords. Inevitably, users forget these passwords or need to periodically reset them. As well as taking up the majority of IT support requests, this means that another factor is needed to verify the user’s identity. Commonly, this is a code sent via SMS, which is where SIM swap fraud begins...
Security experts have long been pointing out the flaws within OTPs (one-time passwords) sent via SMS, and urging businesses not to rely on this method. Yet because mobile phone numbers are such a universal form of identity, many platforms still use SMS as their only check for password reset requests and two-factor authentication (2FA). Unfortunately, this is exactly what SIM swap fraudsters have learned to exploit, with devastating consequences.
SIM swap fraudsters operate by gaining information about a victim – typically through phishing scams, social engineering, or buying leaked data from other criminals – then convincing a mobile network employee to swap the victim’s phone number to the attacker’s new SIM card.
From there, even if they don’t already have the victim’s passwords, the attacker can simply use what they already know about the victim (such as email address) and trigger a password reset request, which sends a code straight to the fraudster’s phone. Very quickly, the victim is locked out of their own accounts, and the attacker is able to steal their identity and their money.
Social logins have gained recent popularity as a smoother user experience compared to creating a new set of credentials for each platform. By using an already existing account (such as Google, Facebook or Twitter) to sign up, users don’t have to bother with memorising a new username and password, making onboarding quicker and easier. For a business, this also provides the advantage that you don’t have to store user data, and can instead rely on the security of bigger companies.
However, the social login method’s main flaw is that these external services still themselves rely on username or email + password – meaning they can still be breached remotely or forgotten, and therefore still require a second factor to access, leading back to the issue of SMS OTPs.
The good news is that there’s a new verification method which is mobile-native, universal, provides a better user experience, and designed to keep out SIM swap fraudsters. We call it SIM-based authentication.
If you already use SMS OTP for authentication, you can use tru.ID Active SIMCheck to verify that the SIM card has not changed before you send the user a code. Your app or site passes the verified mobile number to tru.ID via our API, and our API provides you with an immediate, actionable response.
If the registered user is still in possession of the same SIM card, the check will come back positive, and you can send the SMS OTP as normal. But if there has been a change of SIM card, the check will fail, and you can follow your step-up security flow.
While this is most powerful when coupled with an active device session, that is not necessary — you can perform the check purely from your servers, which makes it trivial to augment to your existing security on website or mobile app 2FA flows.
What’s more, if you are looking for a SIM swap fraud prevention solution for subsequent login, as well as step-up security which also greatly improves UX, tru.ID offers Strong SubscriberCheck. Strong SubscriberCheck combines frictionless SIM-based authentication of the mobile phone number (without needing an SMS) with the silent check that the SIM card has not changed. This means your onboarding flow can be as simple as possible, resulting in delighted users without losing security.
Solving SIM swap is fast and easy with tru.ID. Our products easily integrate into any client-server application architecture using restful APIs and iOS, Android, React Native and Mobile Web SDKs.