April 5, 2023

MSISDN or IMSI – the difference between your phone’s number and your phone number, and why it matters

Paul McGuire
Co-founder, CEO at tru.ID

Discover how SIM-based authentication can help you with a free 30 min consultation

Follow us on

Mobile devices are, for many of us, the primary way in which we access online services and make and receive payments. So it’s not a great surprise that the mobile – and its primary identifier, the mobile phone number – have become a target for cybercrime.

Despite being almost fifty years old, the humble SIM card is (like the fax machine) perhaps one of the most secure pieces of technology ever invented. 

It’s almost impossible for a bad actor to intercept encrypted communications between two SIM cards, so you could be forgiven for thinking that the technology that uses your phone number as a ‘second factor’ (known as 2FA) is highly secure.

But the problem is that the mobile number we use to verify our identity, and the serial number that identifies a SIM card, are not the same thing. And in order to explain why we need to consider two different numbers – the MSISDN and IMSI. 

Both are critical for identifying and tracking mobile devices, but they are very different. 

What is MSISDN?

Short for Mobile Station International Subscriber Directory Number, MSISDN is the mobile phone number you’re familiar with. 

It’s comprised of a country code where the SIM is registered, a network code which identifies the network operator, and a subscriber number. The subscriber number is unique to each SIM, and identifies an individual subscriber. 

But this number is just a label: a shortcut that humans can remember and share with others, or a code that when entered on any handset, gives a SIM card the instruction it needs to connect to another SIM card.

What is IMSI?

The International Mobile Subscriber Identity (IMSI) is another unique identification number assigned to a specific SIM card. 

Unlike the MSISDN, IMSI is not directly associated with a phone number. It consists of a Mobile Country Code (MCC), a Mobile Network Code (MNC), and a Mobile Subscriber Identification Number (MSIN). 

The MCC and MNC identify the country and mobile network operator, respectively. The MSIN identifies the individual subscriber.

What’s the difference between MSISDN and IMSI, and why does it matter?

Both MSISDN and IMSI play a vital role in mobile identity. They are used for various purposes, such as billing, roaming, and subscriber identification. MSISDN establishes communication between devices, while IMSI is used to authenticate and authorise subscribers to access mobile networks.

So the primary difference is that MSISDN is associated with a phone number. It’s a public identity, while IMSI is a private identity. 

The MSISDN is a gateway to the IMSI, and the link between the two is anything but secure – easily broken if a phone number is reassigned to a new SIM card.

If the IMSI is the lock on the SIM, the MSISDN is the key we use to open it – and this key is almost as easy to copy as an email and password.

How do people carry out SIM swap fraud?

SIM swap frauds (also known as SIM splitting, SIMjacking, and Port-Out scamming) have risen sharply as more businesses add the requirement for people to use their mobile numbers as part of 2FA when logging on to an online service, such as their bank.

They take place when a bad actor is able to acquire enough personal information on an individual to be able to convince their mobile phone company to send them a new SIM card. They can then insert the card into their phone, and use it to access the victim’s accounts.

As soon as that SIM card goes live (activated in the bad actor’s mobile phone), your original SIM stops working – and before you notice, the bad actor aims to quickly logs into your online banking, social media, email, and more, and change the password by intercepting the PIN code sent out by SMS. They can then easily steal your identity and/or your money.

A study by Javelin Strategy & Research found that SIM swap fraud accounted for 6.7% of all account takeover (ATO) fraud in 2019, up from 3.8% the year before, putting the median out-of-pocket cost (of all ATO fraud) for victims at $317.

High-profile cases have hit the headlines, notably when Twitter’s then-CEO Jack Dorsey was hacked in 2019, and a Canadian teenager was charged with stealing $36.5m in cryptocurrency in 2021.

The problem with recycled numbers

Another consequence of the separation of MSISDN and IMSI is what happens when a mobile number gets recycled. There’s only so many mobile numbers available in each country, so there is always a pressure to free up more, as MNOs can go through them quickly.

For example, MNOs will often send out prepaid SIM cards to attract customers to their network as a marketing tactic, and as each of those SIMs has a phone number assigned to it; even if it’s not activated, no one else can use that number for a period of time. 

But if it hasn’t been used after a period of time, a mobile operator will recycle the MSISDN and put it back into the pool of available numbers.

The length of time varies by network. It can generally take between 90 days and a year before an unused number becomes available again in the UK, but it can be a matter of weeks or even days in some countries. This means a new user may inadvertently access a previous user’s login information when trying to register for accounts — or even receive messages, calls, and two-factor authentication codes intended for the previous user.

At best, this might simply lead to a confused stranger accidentally viewing your social media profile. At worst, it could mean a malicious individual deliberately accessing your online accounts, taking your money, and stealing your identity.

Is MSISDN alone ever secure?

The short answer is no — anything that just relies on your MSISDN, such as an SMS code or voice message, should not be your only security method, as it can be intercepted in several different ways.

However, alternative security methods tend to come with their own problems. Codes sent via email can also be stolen via phishing or social engineering attacks. On-device biometrics such as thumbprints may feel more secure, but are just a shorthand way of confirming a stored password – notice you can always opt to enter a password instead, which a malicious actor will choose to do.

And external software or hardware, such as authenticator apps and security dongles, involve user effort and potentially cost that is prohibitive.

The right level of authentication for an app or service has generally been a headscratcher for security teams, involving a balance between the level of risk and whether adding more complexity to the user experience is worth it. 

Using the IMSI for security – it’s now possible

There’s no need to compromise now. The key to authenticating a mobile user quickly, securely and reliably is to use their mobile number, but perform the verification using the unclonable SIM card in the mobile phone. 

Mobile networks already do it every second – now businesses can take advantage of the same technology. It’s the strong security that mobile phones already use, as well as the simplest solution for the user.

Unrivalled security: Mobile phone numbers are uniquely tied to an individual SIM card. At any one time, this pairing of mobile number + SIM card is entirely unique and cryptographically secure.

Prevents SIM swap: Authenticating both the mobile number and SIM card works against SIM swap fraud by ensuring that the number hasn’t been recently reassigned.

Solves recycled numbers: Identifying users based on a combination of mobile number + SIM card removes the risk of account details being compromised by a reassigned number, keeping users secure.

Seamless UX: For a user, the security is silent and effortless: just type your number and it will be verified in seconds, with no extra action required.

About tru.ID

tru.ID uses the cryptographic security of the SIM card to unlock a whole new way of doing business online. The company’s products allow developers to completely re-engineer the mobile user experience, helping to increase revenues and reduce fake accounts and fraud.

The tru.ID API platform is self-service, with mobile SDKs and tooling that supports a modern development workflow from initial integration through to deployment at scale.  

tru.ID is already live in 23 markets covering over 2bn mobile accounts. 

To learn more about tru.ID visit our website, or talk to Sales for your personalised demo.