Secure One-Time-PIN to Combat SIM Swop Fraud

14 May 2019

SIM Swop Fraud – The Worldwide Problem


What is SIM Swop Fraud?

Many online two-factor authentication schemes send a One-Time-PIN (OTP) to the customer’s mobile number as a second layer of security, in addition to the user name and password. If an unauthorised third party manages to obtain the user’s user name and password, they still need access to the user’s mobile phone in order to receive the OTP that authorises a transaction. As these transactions are executed online, the third party typically has no way of physically gaining access to their target’s mobile phone, and so they have devised alternative mechanisms to obtain the OTP. The simplest of these is to effect a SIM swop, where the user’s phone number is re-allocated to another SIM card that is in the possession of the third party (the SIM card registered against the user’s mobile network account is swopped for another SIM that is not in the possession of the legitimate user). Any OTP that is generated is then received by the third party, giving them full control of the user’s online services.


It is important to note that SIM swop fraud is a time-sensitive activity. When the user’s phone number is allocated to another SIM, their original SIM is deactivated. The user will notice that their SIM no longer connects to the mobile network and will alert the mobile operator that their service has been suspended. The new SIM will then eventually be blocked, but until then the third party has a window in which to access the user’s online services.


Global SIM Swop Fraud Statistics


SIM swop fraud occurs when the SIM card registered against a user’s mobile network account is swopped for another SIM that is not in the possession of the legitimate user, and without the consent of the legitimate user.


SIM swop fraud is a growing global problem, and Mobile Operators as well as Financial Institutions are constantly searching for ways to combat this nefarious activity. A few examples of what has been reported in the media:


  • The US Federal Trade Commission warned in 2016 that SIM swop fraud represented 6.3% of all identity theft incidents that were reported to the FTC, involving all four of the major mobile carriers. It further stated that it estimates that less than 1% of identity theft victims reported the incident to the FTC.

  • The South African Banking Risk Information Centre (SABRIC) reported that in 2018 the incidents of SIM swop fraud increased by 104% from the previous year.

  • The Nigerian Communications Week publication reported that many perpetrators have insiders at the Telecommunications Operator who enable them to commit SIM swop fraud.

  • Forexfraud.com reports that statistics from various jurisdictions show a 60% rise in SIM swop fraud in 2018.

  • Even cryptocurrency is not immune to SIM swop fraud. In 2019 Ars Technica reported that a man used SIM swopping to steal $5 million in cryptocurrency.


The Drivers of SIM Swop Fraud


Large-scale adoption of the mobile phone in 2-factor authentication schemes

There has been a lot of focus in recent years on the low level of online security provided by the user name and password system. Most users choose weak passwords that are easy to remember, or reuse the same password across multiple services, which exposes them to fraud on every site once one site is breached. To counter this, online services increasingly employ 2-factor authentication schemes, using the mobile phone number to send an OTP to the user, which provides an additional layer of security on top of the user name and password.


Over-reliance on the phone number as a secure and unique address

There are other mechanisms that can be used to implement 2-factor authentication, each with its drawbacks:

  • Hardware security token
    This remains one of the safest mechanisms in use today, but adoption is not universal as it requires the user to always have the device with them when they want to interact with their online services. The inconvenience to the user is an important factor in why this device has not become ubiquitous.

  • Smartphone app
    The functionality of the hardware security token can also be implemented in software as a smartphone app. This is more convenient as most users will always have their mobile phone with them. However, not all users have smartphones, especially in emerging markets.

Using the user’s mobile number to send an OTP in an SMS is the lowest common denominator in terms of 2-factor authentication. Every online user has a mobile phone, and all users can receive SMS messages. No additional hardware or software is needed at the user’s side to make it work.


The incentive for bad actors to commit SIM swop fraud is large. Passwords have been shown to be weak, and the OTP mechanism put in place to add additional security is open to exploitation.


Using Secure OTP to Combat SIM Swop Fraud


The Use of Encryption

The first step in securing the OTP is encrypting it. IoTConnect’s Secure OTP (S-OTP) system creates a secure zone between the S-OTP server and the user’s SIM card. Each secure zone uses a unique key to encrypt the OTP traffic within the secure zone. This ensures that the OTP cannot be accessed, even if the SMS is intercepted.

The Use of a PIN

Each user of the S-OTP service has a PIN that is known only to them. The S-OTP is sent to the user’s mobile phone number as before, but can only be decrypted once the user has entered their S-OTP service PIN.

The End of SIM Swop Fraud

In the event of a fraudulent SIM swop, the S-OTP can never be accessed, as the unauthorised person does not know the user’s PIN. The system makes use of additional mechanisms to block the PIN after a number of incorrect entries, and to recover from a blocked PIN.
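The flow described in the three paragraphs above, as an added illustration that is not IoTConnect’s code: an S-OTP server encrypts the OTP under the secure-zone key, and a simulated SIM applet releases it only after the correct PIN, blocks the PIN after repeated failures, and cannot authenticate a message if it never held the zone key (the swopped-SIM case). The cipher (an HMAC-SHA256 keystream with an HMAC tag), the payload layout and the retry limit are assumptions, since the page does not specify them.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass

PIN_RETRY_LIMIT = 3  # assumed; the page only says "a number of incorrect entries"

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the product's undisclosed cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]  # integrity tag

def server_send_sotp(zone_key: bytes, otp: str) -> bytes:
    """S-OTP server: encrypt one OTP for one secure zone; returns the SMS payload."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(otp.encode(), _keystream(zone_key, nonce, len(otp))))
    return nonce + ct + _tag(zone_key, nonce, ct)

@dataclass
class SimApplet:
    """SIM-side applet: the zone key and PIN never leave the card."""
    zone_key: bytes
    pin: str
    tries_left: int = PIN_RETRY_LIMIT

    def reveal(self, sms: bytes, entered_pin: str) -> tuple:
        if self.tries_left == 0:
            return "PIN_BLOCKED", None  # only the operator's recovery process can unblock
        if not hmac.compare_digest(entered_pin.encode(), self.pin.encode()):
            self.tries_left -= 1
            return ("PIN_BLOCKED" if self.tries_left == 0 else "WRONG_PIN"), None
        nonce, ct, tag = sms[:12], sms[12:-16], sms[-16:]
        if not hmac.compare_digest(_tag(self.zone_key, nonce, ct), tag):
            return "NOT_FOR_THIS_SIM", None  # a swopped-in SIM never received this zone key
        otp = bytes(a ^ b for a, b in zip(ct, _keystream(self.zone_key, nonce, len(ct))))
        return "OK", otp.decode()

def demo() -> dict:
    """Constructed scenario: legitimate SIM, swopped SIM, and PIN guessing on a stolen handset."""
    key = secrets.token_bytes(32)  # provisioned OTA into the legitimate SIM
    sms = server_send_sotp(key, "482913")  # constructed sample OTP
    legit, swopped = SimApplet(key, "1234"), SimApplet(secrets.token_bytes(32), "0000")
    return {"legit": legit.reveal(sms, "1234")[0],
            "swopped": swopped.reveal(sms, "0000")[0],
            "guessed": [legit.reveal(sms, p)[0] for p in ("0000", "1111", "2222", "1234")]}
```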


IoTConnect’s Secure OTP product uses encryption to guard against OTP interception, and a unique PIN per user to ensure that only the authorised user can decrypt and view the OTP.


Secure OTP Use Cases

There are several use cases for the S-OTP solution, some of which are listed below:

  • Financial Services Transactions
    The most obvious use case is in the Financial Services Industry, where the user typically receives an OTP from their bank to authorise a transaction initiated on the Internet, via a smart phone app, or through any other channel.

  • Mobile Number Verification
    In this case an OTP is used to verify the accuracy of a mobile number provided by the user in an online registration.

  • Online Security
    An S-OTP can be used to authorise the reset of a lost password to any online service. In addition, the S-OTP can be used as an additional layer of security during the login process – the OTP has to be entered with the user name and password.

  • Corporate Internal Audit
    A company can issue an S-OTP to an employee performing critical tasks to provide an audit trail with non-repudiation.


The use cases for S-OTP are numerous, and essentially any online activity that requires the user to authorise an action, or requires the user to prove that they are the legitimate holder of a specific mobile number, can be secured through the use of the S-OTP service.


The Benefits of Using Secure OTP


Secure Any Online Activity

Any activity that the user performs online can be authorised through the use of the S-OTP system. The S-OTP Server provides an API that can be called at any time from a third party system to send an S-OTP, or even to generate and send an S-OTP.

Eliminate SIM Swop Fraud

SIM swop fraud results in financial losses for users and Financial Institutions, as well as reputational damage for the Mobile Network Operator that had its internal processes compromised to execute an unauthorised SIM swop. All stakeholders have a strong incentive to permanently eliminate SIM swop fraud.

Increase Mobile Subscriber Confidence

As stated above, the Mobile Network Operator suffers reputational damage in cases of SIM swop fraud. The Operator that takes proactive steps to eliminate this fraud will significantly increase the confidence that their subscribers have in them as a company that is serious about protecting their privacy and online security.

Powerful Interface for Third Party OTPs

As the use cases listed earlier illustrate, there are numerous ways in which the Secure OTP service can benefit companies operating online. Deploying the service to all subscribers creates a strong incentive for third parties to use it, which can in turn generate significant revenue for the Mobile Operator.

Short Time to Deploy

The Secure OTP product makes use of industry standard technologies to deliver the S-OTP to the mobile subscriber. Integration with the mobile network is quick and easy, and the built-in SIM OTA technology makes the deployment of the S-OTP applet to SIM cards already in the market a powerful option.