May 5, 2023

Replace usernames with proof of possession to tackle rising SIM swap fraud

Thomas Hull
Content Specialist

Criminals commit SIM swap fraud by transferring a victim's mobile number to a new SIM card they possess. 

Through social engineering, phishing emails, scraping information from social media profiles, or malware installed on the device, cybercriminals steal personal information from the victim.

Using the information collected, they impersonate the victim, contacting the mobile carrier's operator and requesting the number be transferred from the original SIM card to the replacement. 

From there, they can turn the extra layers of security against the victim: two-factor or multi-factor authentication (2FA or MFA) codes, and password recovery links, are sent to the victim’s stolen phone number. By receiving those codes on their replacement SIM, they complete their takeover of the victim’s identity. Remote attacks like this are incredibly hard to trace, and devastating for the target.

Crime in this area is on the rise. According to the Wall Street Journal, victims lost $68 million to SIM-card-based scams in 2021 alone – compared to just $12 million between 2018 and 2020.


Most organisations and businesses still manage customer and employee identities using usernames and passwords, which is part of the reason this area of crime is growing.

In this blog we’ll explain how usernames and passwords let fraudsters in – and how your business can combat SIM swap fraud with strong, secure proof of SIM card possession.

Usernames remove anonymity

By now, we all know we’re supposed to use a different password for each account and make them difficult to guess. But the same is rarely said for usernames. They’re also useful to attackers, as they help them to build a profile and compromise victims across different platforms – especially as the same username is often reused in multiple places. 

Because usernames are meant to be the public part of an online identity, people don’t consider making them secure in the same way. Instead, most of us do the opposite, using simple details we can remember that will identify us across multiple platforms. 

As a result, we tend to include our real name, date of birth, and other personal information in our usernames without thought. Attackers take advantage of this, using such personal details to build a profile in targeted account takeover attacks. This is especially key in SIM swap fraud, as it can only be carried out with a convincing impersonation of the target.

Are you telling attackers who you are? Photo by Jon Tyson on Unsplash

Repeat usernames are a link to other accounts

Even when they’re not revealing personal information, the fact that usernames are public and knowledge-based – meaning they can be entered by anyone, anywhere – is a vulnerability.

For example, let’s say John Doe has a cryptocurrency account. He keeps it separate from his real identity, using the username Dorsie100 and a strong password, a combination he’s used across a few different accounts. 

Attackers trying to breach random crypto accounts don’t know who Dorsie100 is, and aren’t able to guess the password. But they do have access to leaked databases full of credentials all over the dark web. They search the database for Dorsie100, find the strong password associated with a breach from a less secure site last year, and they’re in.

Even with a low success rate, attackers can use publicly visible usernames to connect the dots between breaches and profit from the link.

In an era where we all have hundreds, if not thousands, of online accounts, this is a very real problem – you can check if your credentials have been compromised at HaveIBeenPwned?

Who is the user behind the name? 

As well as creating potential threats for real people, reliance on usernames is a business problem. For reliable analytics, and to keep out spambots and fraudsters, you need to know that each person is a unique individual. But allowing them to choose a username doesn’t guarantee that. 

The security risk for real users is an advantage for malicious actors. JohnDoe1985 could be someone using their real details and exposing personal information… but it could also be a bot-generated username, tied to a bot-generated email address. 

Nowhere in this process is the user linked to a singular, unique identity that can’t be easily faked. 

A stronger, more secure alternative for password recovery and MFA

The simple alternative is to authenticate people using their mobile phone numbers and SIM card, a solution that provides them with anonymity and you with confidence in their identity.

A phone number is a unique identifier that doesn’t require the user to set a password, which can be compromised and linked to other accounts. There are still risks with a phone number alone: virtual numbers can be generated online, so a phone number doesn’t guarantee a unique device. And SIM swap fraudsters can also hijack a legitimate customer's phone.

For SIM swap fraud to work, the criminal must possess a newly issued SIM card with the victim’s mobile number mapped to it. 

But each SIM card also has a unique identity number (called the International Mobile Subscriber Identity, or IMSI) – so a SIM card reissued to a criminal will have a different IMSI than the original. 

tru.ID's technology checks the phone number against the SIM card in the device to solve this issue. SIM-based authentication can resolve the issue of mobile digital identity with no need to memorise yet another username and password – and it flags recent SIM changes. 

Before sending an SMS or email in a password recovery flow, you can now confirm the user’s SIM card hasn’t recently been swapped – and implement stronger security measures if it has. (See how it works for a password recovery flow in a website application in our dedicated tutorial.)
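The gating logic described above, written out as an added example that is not tru.ID's code or API: before a password recovery code goes out by SMS, the flow asks whether the SIM behind the number changed recently and whether it still matches the SIM recorded at enrolment, and routes the request to a step-up check if either test fails. The carrier records, account records, the 7-day window, and the function names (decide_recovery, imsi_fingerprint) are all constructed for the illustration; a real deployment obtains the SIM data from the carrier or an authentication provider rather than a local table.

```python
"""Added example: gate a password-recovery SMS on SIM possession and SIM-change checks.

All data below is constructed for the illustration; nothing is tru.ID's own code.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed carrier-side view (hypothetical): the IMSI currently mapped to a
# phone number and when the SIM behind that number last changed.
CARRIER_RECORDS = {
    "+447700900001": {"imsi": "234150000000001",
                      "last_sim_change": datetime(2022, 11, 2, tzinfo=timezone.utc)},
    "+447700900002": {"imsi": "234150000000099",
                      "last_sim_change": datetime(2023, 5, 3, tzinfo=timezone.utc)},
    "+447700900003": {"imsi": "234150000000003",
                      "last_sim_change": datetime(2023, 1, 15, tzinfo=timezone.utc)},
}


def imsi_fingerprint(imsi: str) -> str:
    """Store a hash of the IMSI seen at enrolment, not the raw value, so a leaked
    account table does not hand out subscriber identifiers."""
    return hashlib.sha256(imsi.encode("utf-8")).hexdigest()


# Constructed account records: phone number plus the IMSI fingerprint taken at enrolment.
ACCOUNTS = {
    "alice": {"phone": "+447700900001", "imsi_fp": imsi_fingerprint("234150000000001")},
    # bob's number was re-mapped to a new SIM two days before NOW (see CARRIER_RECORDS)
    "bob":   {"phone": "+447700900002", "imsi_fp": imsi_fingerprint("234150000000002")},
    # carol's SIM changed long ago, but it is not the SIM she enrolled with
    "carol": {"phone": "+447700900003", "imsi_fp": imsi_fingerprint("234150000000300")},
}

# Policy knobs (assumed values): how recent a SIM change is treated as suspicious,
# and a fixed "current time" so the example is deterministic.
SIM_CHANGE_WINDOW = timedelta(days=7)
NOW = datetime(2023, 5, 5, tzinfo=timezone.utc)


@dataclass(frozen=True)
class RecoveryDecision:
    username: str
    action: str   # "send_sms_code", "step_up" or "deny"
    reason: str


def decide_recovery(username: str, now: datetime = NOW,
                    accounts=ACCOUNTS, carrier=CARRIER_RECORDS,
                    window: timedelta = SIM_CHANGE_WINDOW) -> RecoveryDecision:
    """Decide how a password-recovery request for `username` may proceed.

    Order of checks: unknown account -> deny; no carrier record -> deny;
    SIM changed inside the window -> step_up; SIM differs from the enrolled
    SIM -> step_up; otherwise the SMS recovery code may be sent.
    """
    account = accounts.get(username)
    if account is None:
        return RecoveryDecision(username, "deny", "unknown account")

    record = carrier.get(account["phone"])
    if record is None:
        return RecoveryDecision(username, "deny", "no carrier record for number")

    if now - record["last_sim_change"] <= window:
        # A reissued SIM carries a new IMSI; a change this recent is exactly the
        # signal a SIM swap leaves behind, so do not send the code by SMS.
        return RecoveryDecision(username, "step_up", "SIM changed within window")

    if imsi_fingerprint(record["imsi"]) != account["imsi_fp"]:
        # Possession check: the SIM behind the number is not the one enrolled.
        return RecoveryDecision(username, "step_up", "SIM does not match enrolled SIM")

    return RecoveryDecision(username, "send_sms_code", "SIM unchanged and matches enrolment")


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        d = decide_recovery(user)
        print(f"{d.username:8s} -> {d.action:14s} ({d.reason})")
```

The recent-change test runs before the possession test on purpose: a number whose SIM changed two days ago is treated as suspect even if the enrolled fingerprint happens to be stale or missing, and the step-up path (a second factor that does not travel over the same phone number) is where the recovery should continue.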

How to get started

tru.ID products easily integrate into any client-server application architecture using RESTful APIs and iOS, Android, React Native and Mobile Web SDKs.

Developers can find all they need to get started in our documentation, including integration guides for all our products. Simply sign up to start integration, and test for free, today – or contact Sales to find out how we can help your business.