tru.ID has released Active SIMCheck, an easy to integrate API product, as a timely response to the alarming growth in SIM swap fraud and account takeovers. By using Active SIMCheck, any online business that uses PIN codes sent by SMS for user authentication can now protect their customers and their brand from the potential damage of identity theft and account takeover caused by SIM swap fraud.
Many kinds of mobile fraud, including SIM swap, are now becoming mainstream. Just recently, Wired UK reported on the “relentless rise” of Royal Mail text message scams, while The Sun warned against WhatsApp scam access codes. According to Javelin, the strategy and research firm, there’s been a 72% year-on-year increase of account takeover fraud (2020).
One of the most common ways to implement SIM swap fraud is to intercept a PIN code, and then take over a customer account. Banks, FinTechs, and any company using SMS to send security PIN codes, are all at risk.
Now there is a simple, turnkey solution - Active SIMCheck from tru.ID - which works for any business that uses SMS PIN codes for user authentication.
tru.ID Active SIMCheck is an API-based service that connects directly, and in real-time, to mobile network operators to verify the identity of the SIM card in a user’s mobile phone. If there has been a recent change to that SIM card, the API will flag that, enabling action to be taken and blocking potential fraudsters from intercepting SMS messages including SMS 2FA PIN codes.
This new security check can be integrated quickly and easily by developers alongside existing SMS 2FA solutions. There is no need for any change to user experience.
“Many of the security challenges faced by businesses today are caused by antiquated reliance on passwords and SMS PIN codes. tru.ID delivers user authentication that is mobile-native, seamless, secure and private. Active SIMCheck is part of the range of powerful new mobile authentication products developed by tru.ID that are based on the cryptographic security of the SIM card. Active SIMCheck is an important stepping stone on that journey enabling businesses to rapidly solve a major fraud risk without impacting the user experience.“
Consumers’ general reliance on m-commerce, and other online interactions for banking, health and education has been accelerated by lockdowns - and fraudsters have taken advantage. Now it is not only high profile cases, such as Twitter CEO’s Jack Dorsey account takeover, or tech entrepreneur Robert Ross’ $1million life-saving losses on crypto, who are targets of fraudulent activity. The customers of every business that uses PIN codes sent by SMS are now at risk of having their identity taken away and their savings stolen.
Most phone-based authentication methods today simply use the mobile number, and rely on a PIN code that is sent via SMS, or a voice call. Companies assume this is a possession-factor authentication method, but the problem is that it doesn't reliably prove possession. There are some fundamental flaws – and bad actors are taking advantage.
The primary issue is SIM swap. Bad actors are increasingly committing SIM swap fraud by persuading the mobile operator to issue them with a replacement SIM card that takes over the same mobile number. They are then able to receive all voice calls and SMS messages (including PIN codes) sent to that number, and then use those codes to take over that User’s accounts. There are many other issues with SMS 2FA; for a full comparison take a look at the SMS 2FA security analysis on our website.
The technology which authenticates the identity of each SIM card is a core part of every mobile network – it’s how MNOs are able to bill us correctly for our mobile network usage. But it is only now becoming available for identity management and fraud prevention. We call this new approach SIM-based authentication, and tru.ID makes it available via API for fast and easy integration.