

Frans Labuschagne, UK and Ireland country manager at mobile app security and authentication provider Entersekt, explains how SIM-swap fraud works and what financial services providers ought to do about it.

For millions of us, the mobile phone or tablet is our primary means of authenticating online transactions, if not initiating the transactions themselves. It is no wonder then that fraud vectors targeting the mobile device have proliferated wildly in recent years.

SIM-swap attacks in the United Kingdom were once considered rare, consisting of isolated attacks aimed at a few unlucky high net worth individuals. The technique has since evolved, allowing scammers to perpetrate broader-based attacks, and ActionFraud UK, part of the National Fraud Intelligence Bureau, recently put the public on high alert.

Legal claims against banks are mounting. Complicating matters, the difficulty of pinpointing who, if anyone, was negligent in the lead-up to a successful attack means that banks, mobile network operators and consumers continue to argue over liability in the press and on social media. These disputes play out in the public eye, and they damage trust in brands whose greatest asset is precisely that: trust.

The evolution of SIM-swap fraud

SIM-swap attacks also thwart banks' attempts to coax customers into using digital banking channels instead of visiting more expensive branches. Digital banking fraud is not new, of course, and many consumers remain ambivalent about the safety of banking on their personal computers and mobile phones.

Ironically perhaps, SIM-swap fraud emerged as fraudsters adapted to banks’ efforts at protecting these channels. They worked to overcome the added security layer provided by SMS-based authentication, which commonly takes the form of a one-time password (OTP) sent to the phone and then typed into the primary banking channel, usually a browser.

Before banks started using SMS OTPs, scammers conducted man-in-the-middle attacks, typically through fake banking portals, to capture consumers' usernames and passwords. With these credentials they could transfer funds out of their victims' accounts. OTP-based authentication meant that they had to add a second phase to their attacks: stealing or intercepting the code.

At first, they focused on intercepting the OTP through a counterfeit banking site or by using mobile trojans like Zeus, ZitMo, Citadel and Perkal, which abuse the open access applications have to SMS on mobile phones specifically to read OTPs. These remain the most popular approaches to stealing the OTP, but a SIM swap, where possible, makes for a neat shortcut: the code is simply delivered to the attacker's handset.

In the diagram below, steps 1 to 5 describe a classic man-in-the-middle attack using a fake banking portal. Two other lines of attack appear in grey: OTP-stealing mobile malware and the SIM swap. 

Figure: Digital banking fraud vectors

But how does a SIM-swap attack work, exactly? There are two main ways to take over a victim's SIM (Subscriber Identity Module) fraudulently.

In a SIM clone, an attacker uses a card reader and a software toolkit to copy the SIM card onto a blank one. While this method is inexpensive and can take as little as 10 minutes, the fraudster needs physical access to the original SIM card and must act fast. It also only works where the SIM's secret authentication key can be extracted, which older SIM generations allowed and current ones are designed to resist. Once the fraudster has a copy of the SIM, using it is likely to disconnect the legitimate subscriber from the mobile network, giving the attacker free rein to authenticate fraudulent financial transactions on their own phone, among other things.

SIM splitting does not require access to a physical device or SIM card. Organized crime groups trade digital files packed with personal data and account details sourced from mass data breaches and malware attacks. The fraudster buys this data and uses it to open a parallel account with the operator in their chosen victim's name. Other details in the file, or gained separately through social engineering and online searches, provide enough information to answer the mobile network operator's security questions and register a new SIM. The victim's SIM is deregistered in turn, and the answers to the security questions changed in order to frustrate the victim's attempts at rectifying the situation.

Figure: Alternative diagram focused only on SIM swaps

Taking a holistic approach

To counter the rise of illegal SIM swaps effectively, banks and other organizations in the identity ecosystem must take a holistic view of their security. Such an approach includes mitigating human error as well as addressing technical weaknesses.

One of the weakest links in the security chain as it pertains to SIM-swap fraud is the mobile network operator's contact centre. It is there, after all, that most SIM swaps are requested and authorized. Fraudsters dial the call centre armed with details of their prospective victims, either harvested in previous data breaches or gathered online; agents can be manipulated through social engineering into breaking with procedure, or recruited into criminal organizations; interactive voice response (IVR) systems may not always raise alerts when callers make repeated attempts at cracking challenge questions; and advances in voice cloning are seriously eroding the efficacy of voice biometric authentication.

Aside from instituting preventative procedures like delaying SIM activations for a set number of hours, requiring that the customer approve the request over a separate channel, and only carrying swaps out during working hours, call centres can also use behavioural analytics to flag anomalies in customers' typical cross-channel behaviour.
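As an added illustration, not part of the original article and not a description of any operator's actual system, the contact-centre controls above can be expressed as a single policy check that runs before an agent is allowed to execute a swap. The thresholds, the record layout and the Evaluate function are assumptions chosen for the example; the one point worth noting is that failed challenge-question attempts are counted across all calls against the same number, not just the current one, so that guessing spread over several IVR sessions still trips the control.

```go
package main

import (
	"fmt"
	"time"
)

// Policy parameters. The article names these controls but not their values;
// the numbers here are assumptions for the example.
const (
	activationDelay      = 24 * time.Hour     // hold before the new SIM goes live
	businessOpen         = 9                  // swaps executed only from 09:00 ...
	businessClose        = 17                 // ... until 17:00
	failureWindow        = 7 * 24 * time.Hour // look-back for failed challenge questions
	maxChallengeFailures = 3                  // counted across all calls, not just this one
)

// ChallengeAttempt is one security-question attempt against an MSISDN, from any
// call or IVR session (hypothetical feed from the operator's CRM).
type ChallengeAttempt struct {
	At     time.Time
	Passed bool
}

// SwapRequest is a SIM-swap request as the policy sees it (hypothetical record layout).
type SwapRequest struct {
	MSISDN      string
	RequestedAt time.Time
	History     []ChallengeAttempt // earlier attempts against this MSISDN
	ThisCallOK  bool               // caller answered the questions on this call
	OutOfBandOK bool               // customer confirmed over a separate channel (app push, callback)
}

type Decision struct {
	Outcome    string    // "reject", "hold" or "approve"
	ActivateAt time.Time // earliest time the new SIM may be activated (approve only)
	Reason     string
}

// recentFailures counts failed attempts inside the look-back window regardless of
// which call or session produced them.
func recentFailures(history []ChallengeAttempt, now time.Time) int {
	n := 0
	for _, a := range history {
		if !a.Passed && now.Sub(a.At) <= failureWindow {
			n++
		}
	}
	return n
}

// Evaluate applies the controls in order: repeated failures reject outright, then the
// call's own authentication, then working hours, then out-of-band approval, and finally
// the activation delay, which gives the real subscriber time to notice a lost signal.
func Evaluate(req SwapRequest) Decision {
	now := req.RequestedAt
	if n := recentFailures(req.History, now); n >= maxChallengeFailures {
		return Decision{Outcome: "reject", Reason: fmt.Sprintf("%d failed challenge attempts in %s", n, failureWindow)}
	}
	if !req.ThisCallOK {
		return Decision{Outcome: "reject", Reason: "challenge questions not passed on this call"}
	}
	if h := now.Hour(); h < businessOpen || h >= businessClose {
		return Decision{Outcome: "hold", Reason: "outside working hours; queued for review"}
	}
	if !req.OutOfBandOK {
		return Decision{Outcome: "hold", Reason: "awaiting customer approval over a separate channel"}
	}
	return Decision{Outcome: "approve", ActivateAt: now.Add(activationDelay), Reason: "approved with delayed activation"}
}

func main() {
	// Constructed sample: three failed attempts spread over calls the day before, then a
	// caller who passes on the next try and even has out-of-band approval; a clean
	// request during working hours; and a clean request late at night.
	now := time.Date(2019, 6, 3, 10, 30, 0, 0, time.UTC)
	history := []ChallengeAttempt{
		{At: now.Add(-30 * time.Hour), Passed: false},
		{At: now.Add(-29 * time.Hour), Passed: false},
		{At: now.Add(-26 * time.Hour), Passed: false},
	}
	for _, req := range []SwapRequest{
		{MSISDN: "447700900123", RequestedAt: now, History: history, ThisCallOK: true, OutOfBandOK: true},
		{MSISDN: "447700900124", RequestedAt: now, ThisCallOK: true, OutOfBandOK: true},
		{MSISDN: "447700900125", RequestedAt: now.Add(12 * time.Hour), ThisCallOK: true, OutOfBandOK: true},
	} {
		d := Evaluate(req)
		fmt.Printf("%s at %s: %s (%s)\n", req.MSISDN, req.RequestedAt.Format("15:04"), d.Outcome, d.Reason)
	}
}
```

The first request is rejected even though the caller eventually passed and has out-of-band approval, because the failures from the earlier calls are still inside the window; the second is approved with activation deferred by a day; the third is held for review because it arrives at 22:30.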

Creating an end-to-end security zone

The truth is that any digital service that relies on the mobile phone number, the Mobile Station International Subscriber Directory Number (MSISDN), to authenticate the subscriber is to some degree vulnerable to SIM-swap fraud. This is because identifying the subscriber's device depends on the process the mobile network operator uses to pair the MSISDN with a specific SIM card. That process, over which banks and other providers of sensitive digital functionality have no control, is open to exploitation by cybercriminals: whoever controls the SIM the number is paired to receives the SMS.

If financial services companies, insurance companies and healthcare providers are going to use the mobile phone for user authentication – and, indeed, it is fast becoming the preferred means of doing so worldwide – they must urgently reassess any SIM-based authentication solutions they have in place.

Consider implementing public-key cryptography on the mobile device, independently of the SIM card and native device security: the device generates its own key pair, keeps the private key on the device, and registers the public key with the service provider. Each mobile phone or tablet can then be uniquely identified by the key it holds, turning it into a second factor of authentication that does not depend on the MSISDN, and a swapped SIM carries no key. The device can be used to confirm a user's identity when logging into an online banking portal or transacting from a mobile application, and all two-way communication between device and service provider is encrypted end to end.

It’s a single end-to-end security zone over which users can authenticate and digitally sign approvals of all sensitive transactions, whether digital banking, card-not-present purchases or call center interactions.
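A worked example of the device-bound approval flow described in the two paragraphs above, added here as an illustration; it is not code from Entersekt or from the original article. It assumes a P-256 key pair generated on the handset and a server that issues a single-use challenge bound to the transaction details; the names Device, Server, Challenge and Verify are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the handset. The private key is generated on the device and never
// leaves it; in a real deployment it would live in a hardware-backed keystore.
type Device struct {
	priv *ecdsa.PrivateKey
}

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is what the device registers with the bank at enrolment.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Approve signs the challenge the user is shown, so the signature is bound to the
// exact payee and amount rather than to a six-digit code that could be phished.
func (d *Device) Approve(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Server models the bank. It knows each user's enrolled device key and the
// challenges it has issued but not yet consumed.
type Server struct {
	enrolled map[string]*ecdsa.PublicKey // user -> device public key
	pending  map[string][]byte           // nonce (hex) -> challenge bytes
}

func NewServer() *Server {
	return &Server{enrolled: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.enrolled[user] = pub }

// Challenge builds a transaction-bound, single-use challenge. The nonce stops replay;
// embedding payee and amount stops an approval being reused for a different payment.
func (s *Server) Challenge(user, payee string, amountCents int64) (nonceHex string, challenge []byte, err error) {
	nonce := make([]byte, 16)
	if _, err = rand.Read(nonce); err != nil {
		return "", nil, err
	}
	nonceHex = hex.EncodeToString(nonce)
	challenge = []byte(fmt.Sprintf("user=%s;payee=%s;amount=%d;nonce=%s", user, payee, amountCents, nonceHex))
	s.pending[nonceHex] = challenge
	return nonceHex, challenge, nil
}

// Verify consumes the nonce (so a captured signature cannot be replayed) and checks the
// signature against the enrolled key. A SIM swap moves the phone number, not this key,
// so an attacker's handset signing the same challenge fails here.
func (s *Server) Verify(user, nonceHex string, sig []byte) error {
	challenge, ok := s.pending[nonceHex]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, nonceHex)
	pub, ok := s.enrolled[user]
	if !ok {
		return errors.New("no enrolled device for user")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match enrolled device")
	}
	return nil
}

func main() {
	dev, _ := NewDevice()
	srv := NewServer()
	srv.Enroll("alice", dev.PublicKey())

	nonce, ch, _ := srv.Challenge("alice", "ACME Ltd", 125000)
	sig, _ := dev.Approve(ch)
	fmt.Println("legitimate device: ", srv.Verify("alice", nonce, sig))
	fmt.Println("replayed signature:", srv.Verify("alice", nonce, sig))

	attacker, _ := NewDevice() // a SIM-swapped phone has the number, but not alice's key
	nonce2, ch2, _ := srv.Challenge("alice", "ACME Ltd", 125000)
	sig2, _ := attacker.Approve(ch2)
	fmt.Println("attacker's device: ", srv.Verify("alice", nonce2, sig2))
}
```

The contrast with SMS OTP is the last case: the attacker holds a SIM that the operator has paired to alice's MSISDN and would receive any OTP, but the bank never asked the network who holds the number; it asked for a signature only alice's enrolled device can produce.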

Staying ahead of cybercriminals is a race. As fast as vendors and service providers come up with ways to prevent one line of attack, another will pop up. The reputational, financial and legal risks posed by SIM-swap fraud demand that security professionals aggressively apply themselves to lowering their exposure to these attacks while preparing for future threats.