14 May 2019
Many online two-factor authentication schemes send a One-Time-PIN (OTP) to their customer’s mobile number as a second layer of security, in addition to the user name and password. If an unauthorised third party manages to gain access to the user’s user name and password, they still need access to the user’s mobile phone in order to receive the OTP that authorises a transaction. As these transactions are executed online, the third party typically has no way of physically gaining access to the mobile phone of their target, and so alternative mechanisms have been devised to gain access to the OTP. The simplest of these is to effect a SIM swop, where the user’s phone number is re-allocated to another SIM card that is in the possession of the third party. Any OTP that is generated will then be received by the third party, which gives them full control of the user’s online services.
It is important to note that SIM swop fraud is a time-sensitive activity. When the user’s phone number is allocated to another SIM, their original SIM will be deactivated. The user will realize that their SIM no longer connects to the mobile network, and will alert the mobile operator to the fact that their service has been suspended. The new SIM will then eventually be blocked, but until such time the third party will have the opportunity to access the user’s online services.
SIM swop fraud occurs when the SIM card registered against a user’s mobile network account is swopped for another SIM that is not in the possession of the legitimate user, and without the consent of the legitimate user.
SIM swop fraud is a growing global problem, and Mobile Operators as well as Financial Institutions are constantly searching for ways to combat this nefarious activity. A few examples of what has been reported in the media:
There has been a lot of focus in recent years on the low level of online security provided by the user name and password system. Invariably, most users use weak passwords that are easy to remember, or they use the same password across multiple services, opening them up to fraud across multiple sites when one site is hacked. To counter this, online services increasingly employ 2-factor authentication schemes, using the mobile phone number to send an OTP to the user, which provides an additional layer of security on top of the user name and password.
There are other mechanisms that can be used to implement 2-factor authentication, each with its drawbacks:
Using the user’s mobile number to send an OTP in an SMS is the lowest common denominator in terms of 2-factor authentication. Every online user has a mobile phone, and all users can receive SMS messages. No additional hardware or software is needed at the user’s side to make it work.
The incentive for bad actors to commit SIM swop fraud is large. Passwords have been shown to be weak, and the OTP mechanism put in place to add additional security is open to exploitation.
The first step in securing the OTP is encrypting it. IoTConnect’s Secure OTP (S-OTP) system creates a secure zone between the S-OTP server and the user’s SIM card. Each secure zone uses a unique key to encrypt the OTP traffic within the secure zone. This ensures that the OTP cannot be accessed, even if the SMS is intercepted.
Each user of the S-OTP service has a PIN that is known only to them. The S-OTP is sent to the user’s mobile phone number as before, but can only be decrypted once the user has entered their S-OTP service PIN.
In the event of a fraudulent SIM swop, the S-OTP can never be accessed, as the unauthorised person does not know the user’s PIN. The system makes use of additional mechanisms to block the PIN after a number of incorrect entries, and to recover from a blocked PIN.
IoTConnect’s Secure OTP product uses encryption to guard against OTP interception, and a unique PIN per user to ensure that only the authorised user can decrypt and view the OTP.
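An illustrative model of the flow described above, written for this page and not IoTConnect's own code: the server seals the OTP under the subscriber's zone key, and the SIM-side applet releases it only after the correct PIN has been entered, blocking after a fixed number of wrong entries. The HMAC-based stream cipher (a stdlib stand-in for the real cipher), the three-attempt limit and all key, PIN and OTP values are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

MAX_PIN_ATTEMPTS = 3  # assumed retry limit; the page states no number
NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the product's real cipher."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal_otp(zone_key: bytes, otp: str, nonce: Optional[bytes] = None) -> bytes:
    """Server side: encrypt-then-MAC the OTP under the subscriber's zone key."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(otp.encode(), _keystream(zone_key, nonce, len(otp))))
    tag = hmac.new(zone_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag  # this is what travels in the SMS; the digits never do


class SimApplet:
    """SIM side: holds the zone key, releases the OTP only after a correct PIN."""

    def __init__(self, zone_key: bytes, pin: str):
        self.zone_key = zone_key
        self.pin_hash = hashlib.sha256(pin.encode()).digest()  # PIN itself not stored
        self.attempts_left = MAX_PIN_ATTEMPTS

    def open_otp(self, sms: bytes, pin_entered: str) -> Tuple[Optional[str], str]:
        if self.attempts_left == 0:
            return None, "pin blocked"  # stays blocked until an unblock procedure runs
        entered = hashlib.sha256(pin_entered.encode()).digest()
        if not hmac.compare_digest(entered, self.pin_hash):
            self.attempts_left -= 1
            return None, "wrong pin"
        self.attempts_left = MAX_PIN_ATTEMPTS
        nonce, ct, tag = sms[:NONCE_LEN], sms[NONCE_LEN:-TAG_LEN], sms[-TAG_LEN:]
        expected = hmac.new(self.zone_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "tampered"  # wrong zone key or altered SMS: reject before decrypting
        otp = bytes(a ^ b for a, b in zip(ct, _keystream(self.zone_key, nonce, len(ct))))
        return otp.decode(), "ok"
```

A SIM provisioned with a different zone key fails the tag check even with the right PIN, and an intercepted SMS carries only the nonce, ciphertext and tag.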
There are several use cases for the S-OTP solution, some of which are listed below:
The use cases for S-OTP are numerous, and essentially any online activity that requires the user to authorise an action, or requires the user to prove that they are the legitimate holder of a specific mobile number, can be secured through the use of the S-OTP service.
Any activity that the user performs online can be authorised through the use of the S-OTP system. The S-OTP Server provides an API that can be called at any time from a third party system to send an S-OTP, or even to generate and send an S-OTP.
SIM swop fraud results in financial losses for users and Financial Institutions, as well as reputational damage for the Mobile Network Operator that had its internal processes compromised to execute an unauthorised SIM swop. All stakeholders have a strong incentive to permanently eliminate SIM swop fraud.
As stated above, the Mobile Network Operator suffers reputational damage in cases of SIM swop fraud. The Operator that takes proactive steps to eliminate this fraud will significantly increase the confidence that their subscribers have in them as a company that is serious about protecting their privacy and online security.
As the use cases listed earlier illustrate, there are numerous ways in which the Secure OTP service can benefit companies operating online. Deploying the service to all subscribers creates a strong incentive for third parties to use it, which can in turn generate significant revenue for the Mobile Operator.
The Secure OTP product makes use of industry standard technologies to deliver the S-OTP to the mobile subscriber. Integration with the mobile network is quick and easy, and the built-in SIM OTA technology makes the deployment of the S-OTP applet to SIM cards already in the market a powerful option.