Why failing to understand the difference between mobile phone number (MSISDN) and SIM card number (IMSI) – or just relying on a mobile number to verify identity – can open the door to SIM swap fraud and a range of other issues for mobile users…
Commerce has moved online, and online increasingly means mobile. The Covid-19 pandemic has led to more people working, shopping, and doing business remotely than ever before. Worldwide, over 50% of that traffic already happens on mobile devices; across all Asia that figure is closer to 60%, while in India it’s higher than 75%.
As mobile’s dominance of e-commerce continues to grow, many apps have started to use the mobile number as their primary form of user identity. The most common two-factor authentication method – a PIN code sent via SMS – also uses the mobile number.
But there’s a big problem here: although a mobile number is unique, it is not actually owned or controlled by the user. That makes it vulnerable to fraudsters who can intercept SMS PIN codes and other sensitive information with increasing ease. It also causes problems when numbers get recycled by mobile operators and reissued to different users.
So, if your business relies on a phone number alone, you could be in big trouble.
In this article, we’ll explain the crucial difference between a phone number (MSISDN) and a SIM card identifier (IMSI). We’ll look at how SIM swap fraudsters operate, examine the issue of recycled phone numbers, and explain how a mobile number on its own isn’t enough to verify users safely. Finally, we’ll look at a secure and surprisingly straightforward alternative for verifying users and preventing fraud that you may not be aware of.
Everyone knows their mobile phone number – it’s fairly simple to memorise. The technical name for this number is Mobile Station International Subscriber Directory Number: MSISDN. But this number is actually just a label – something the user can remember and share with others.
In fact, it is the SIM card identifier – called the International Mobile Subscriber Identity, or IMSI – that is the unique user identifier in mobile networks. So, if you need a new SIM card for any reason, that new card will have a new IMSI. But you can keep the same mobile number, and that creates a vulnerability.
When you send a text message or make a call, you send it to a phone number (MSISDN) – this is how your contacts can still reach you when you get a new SIM. Your mobile operator routes that message to a mobile device, based on the latest mapping of that MSISDN to the IMSI of that device. If there has been no change, there’s no problem. However, if that MSISDN is now mapped to someone else’s SIM card, then that text message or phone call will go to that someone else.
You might think this isn’t a big issue unless you have recently lost your phone or changed networks. But malicious actors exploit this loophole deliberately, and to great effect.
SIM swap frauds are on the rise and high-profile cases increasingly make the headlines, such as Twitter CEO Jack Dorsey having his account hacked, and a Canadian teenager being charged with stealing $50m.
Here’s how it works:
SIM swap fraud is a simple and successful method with a thriving community of criminals behind it, and it’s continuing to rise. In 2020, Action Fraud recorded nearly twice as many cases in the UK as in the previous year. But even if you’re never a victim of SIM swap, your mobile number could still be handing bad actors the key to your identity – or leaking your personal information to a stranger…
Another consequence of the separation of MSISDN and IMSI is what happens when a mobile number gets recycled. There are a finite number of mobile phone numbers available in each country, so there is always a pressure to free up more, especially as MNOs go through them faster than you might think.
For example, a common marketing tactic used by MNOs is to send out a slew of prepaid SIM cards to attract customers to their network. Each of those SIMs has a phone number assigned to it; even if it’s not activated, no one else can use that number for a period of time. But eventually, if it hasn’t been used, the mobile operators will recycle the MSISDN and put it back into the pool of available numbers.
In the UK, the length of this period varies by network, generally taking between 90 days and a year before an unused number becomes available again. But in other countries it can take as little as a few weeks, or even a few days.
Problems arise here when a mobile app uses the mobile phone number (MSISDN) alone as the primary identifier. When that number is recycled to a new user, that person may inadvertently access the previous user’s login information when trying to register for accounts – or even receive messages, calls, and two-factor authentication codes intended for the previous user.
At best, this might simply lead to a confused stranger accidentally viewing your social media profile. At worst, it could mean a malicious individual deliberately accessing your online accounts, taking your money, and stealing your identity.
The short answer is no – but the right level of authentication depends on the level of risk and the balance your app needs to strike between friction and security. The most secure version of every app would make 2FA mandatory on every login, but when it comes to user onboarding and retention, this just isn’t realistic.
For example, in a mobile onboarding flow for a travel app, a user may be able to sign up with MSISDN alone to simply browse listings and message sellers. When a user needs to take a higher risk action like making a reservation, the app may then require a second factor, such as a fingerprint or face scan. Although this adds friction, the user is already invested at this point, so the UX tradeoff is seen as worth it for fraud prevention.
There’s no need to compromise. The key to authenticating a mobile user quickly, securely and reliably is to use their mobile number, but perform the verification using the SIM card in the mobile phone. A mobile number check that is linked to a physical SIM card is the strongest and lowest-friction solution for user identity on a mobile device, addressing all the issues raised above.
Unrivalled security: Mobile phone numbers are uniquely tied to an individual SIM card. At any one time, this pairing of mobile number + SIM card is entirely unique, not duplicable and cryptographically secure.
Prevents SIM swap: Verifying with mobile number + SIM card works against SIM swap fraud by ensuring that the number hasn’t been reassigned by a bad actor.
Solves recycled numbers: Identifying users based on a combination of mobile number + SIM card removes the risk of account details being compromised when numbers are recycled, keeping users secure and protecting your brand’s reputation.
Seamless UX: For a user, this approach is extra simple – just type your number and it will be verified instantly, in real-time, with no further action required: no SMS to wait for, no PIN code to retype.
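A small model of the two checks contrasted above, added here as an example rather than tru.ID's own code. It keeps the operator's MSISDN -> IMSI routing table as a constructed dictionary and assumes the app can ask the network which SIM currently holds a number (`current_imsi()`, a stand-in for a network-side lookup): once the number is moved to another SIM, the SMS-PIN login still admits whoever holds the number, while the SIM-bound check refuses and requires step-up verification.

```python
# Constructed model of MSISDN-only versus MSISDN + SIM-bound login checks.
# The operator routing table and all IMSI values are made up. Apps cannot read
# the IMSI on a modern handset; current_imsi() stands in for a network-side
# lookup and is an assumption of this example, not tru.ID's API.
from dataclasses import dataclass, field

@dataclass
class Operator:
    # At any moment a number maps to exactly one SIM (MSISDN -> IMSI).
    routes: dict[str, str] = field(default_factory=dict)

    def reassign(self, msisdn: str, new_imsi: str) -> None:
        # A replacement card, a fraudulent swap and a recycled number all look
        # identical from the network side: the number simply routes elsewhere.
        self.routes[msisdn] = new_imsi

    def current_imsi(self, msisdn: str) -> str:
        # The SIM to which an SMS or call to this number is delivered right now.
        return self.routes[msisdn]

@dataclass
class App:
    operator: Operator
    accounts: dict[str, dict] = field(default_factory=dict)  # keyed by MSISDN

    def enroll(self, msisdn: str, user: str) -> None:
        # Remember which SIM held the number when the account was created.
        self.accounts[msisdn] = {"user": user,
                                 "bound_imsi": self.operator.current_imsi(msisdn)}

    def login_sms_pin(self, msisdn: str) -> str:
        # MSISDN-only 2FA: the PIN reaches whichever SIM holds the number today,
        # so the current SIM holder is let in as the account owner.
        acct = self.accounts[msisdn]
        return f"granted to holder of {self.operator.current_imsi(msisdn)} as {acct['user']}"

    def login_sim_bound(self, msisdn: str) -> str:
        # MSISDN + SIM: grant only while the number still sits on the SIM bound
        # at enrollment; any change forces step-up re-verification instead.
        acct = self.accounts[msisdn]
        if self.operator.current_imsi(msisdn) != acct["bound_imsi"]:
            return "sim changed: step-up verification required"
        return f"granted as {acct['user']}"

def demo() -> tuple[str, str]:
    op = Operator({"+447700900123": "IMSI-ALICE-ORIGINAL"})  # constructed values
    app = App(op)
    app.enroll("+447700900123", "alice")
    op.reassign("+447700900123", "IMSI-OTHER-CARD")  # swap or recycled number
    return app.login_sms_pin("+447700900123"), app.login_sim_bound("+447700900123")
```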
tru.ID can help you to implement this 21st century approach to user identity. No more guessing with unreliable and invasive data collection: our range of API-based products enables you to quickly and easily implement deterministic, secure, frictionless mobile user authentication, reducing fraud and helping you to increase mobile revenues.