Why SIM Swap has never been more relevant
“SIM Swap fraud isn’t a massive issue these days” is a refrain heard all too often in the telco/mobile identity industry.
While it’s true there are now several measures that attempt to address the pernicious problem that is SIM Swap, that doesn’t mean it has gone away. Rather, because SIM Swap is such a devastating and relatively easy fraud, with potentially very high rewards for the scammer, when it does occur it will have serious consequences for the operator, the bank and the customer.
The use of insiders, or ‘Innys’
Scammers and fraudsters, as we know, will always find a way around solutions. “Innys” are one such way: on services like Telegram, it’s easy to find people who work for operators and are willing to carry out SIM Swaps. These insiders, often on low salaries, will compete with others to win SIM Swap business, and get paid in Bitcoin for providing their services to anyone on the web with a SIM ID and a new card.
Even the barest of research turns up posts from customer service representatives showing their company’s CMS and offering access to it. A couple of SIM Swaps a day can easily turn a shift at the store into a £1,000-a-day money-spinner.
Talking of which, the rewards for scammers can feature big numbers, which is why people are prepared to pay £500 or so to an ‘inny’. When Sekura ran one Proof of Concept for a customer, we noticed a husband and wife team who were attempting to use SIM Swap in a £25,000 transaction which could have been stopped at source in real-time using our SAFr Auth technology.
The SIM Swap service with 5-star reviews
Even more alarming than the use of insiders is something I found this week that highlights just how current and dangerous the threat of SIM Swap is, and how it’s about to get a whole lot worse, very quickly…
There is a website publicly open on the internet, at the time of writing, claiming to have software that can access the SS7 layer of a telco to retrieve SIM information that can then be used to clone a SIM card and take control of someone’s mobile number.
The website can be found at simswap.su (we’re not hyperlinking to it here and have reported it to the NCSC), and it purports to have everything you need to carry out a SIM Swap using a cheap SIM card writer. There is even a YouTube video showing the process ‘working’, reviews on Trustpilot (4.5 out of 5 with 29 reviews) and a money-back guarantee.
“Roll up, roll up, get your SIM Swaps…”
Here’s the sales pitch and the pricing: “Our SS7 Network Info Software retrieves all the data needed to write on the SIM (including KI decoding from the network). Then with the SimSwap software, you can write the SIM card with all data and have a network signal.”
* Software is available in any country 24/7
* Software success rate is 100% Guaranteed
* You receive the SS7 Network Info and SimSwap software.
Trial License – Valid for 1 Day – Clone 1 SIM Card
Full License – Valid for 7 Days – Clone Unlimited SIM Cards
Pro License – Valid for 30 Days – Clone Unlimited SIM Cards
Permanent License – Valid for 1 Year – Clone Unlimited SIM Cards
$350 – $8,000 in Bitcoin only.
As one commentator said, “Whether these particular services work or not, the methods used to break the law are much more successfully advertised than methods to prevent fraud. So if we objectively measure where people go to know about the frauds that plague the communications industry, they are far more likely to be learning from those who enable crime than from those who seek to stop it.”
What can be done to prevent SIM Swap fraud?
This kind of activity needs to be stopped; hundreds of telcos are working hard to remove SS7 vulnerabilities, but there are many businesses out there that could be at risk of this kind of activity due to their reliance on SMS or voice calls used during customer journeys – whether that’s an OTP to complete a transaction or even consuming a mobile number during onboarding.
A mobile number is crucial to businesses these days as it’s often the main method of contacting potential or existing customers, or more worryingly the primary key used for logging in to a service. Imagine how many companies receive an OTP from their bank before paying large sums to suppliers…
Trusted, real-time and direct data consumed from telcos around the world combat this kind of fraud and help businesses protect not only their customers but also their brand and reputation. Sekura’s SAFr platform takes this information in real-time and returns a range of data on when a SIM has been swapped, allowing banks, fintechs, gaming, crypto and e-commerce companies to make an informed decision or flag a potentially suspicious transaction. If a scammer has paid £500 for a SIM Swap to be carried out, or has paid an online service for access, they’re going to make sure that they extract the most they can from their victims. Typically, SIM Swap scams are for large amounts, and increasingly customers’ perception is that they should not be liable, often going public to persuade their bank to refund them in full.
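As an added illustration (not Sekura’s code and not the SAFr API), the sketch below shows how a relying business might gate an SMS OTP on the age of the last SIM change before approving a payment. The SimSignal shape, the thresholds and the phone numbers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for illustration; tune them against your own fraud data.
RECENT_SWAP = timedelta(hours=72)   # swap this recent: never rely on SMS alone
WATCH_SWAP = timedelta(days=14)     # swap this recent: restrict high-value payments
HIGH_VALUE_GBP = 1_000

@dataclass
class SimSignal:
    """Hypothetical result of an operator SIM-change lookup (not a real API)."""
    msisdn: str
    last_sim_change: Optional[datetime]  # None = no SIM change on record
    lookup_ok: bool = True               # False = lookup failed / no coverage

def sms_otp_decision(amount_gbp: float, sig: SimSignal, now: datetime) -> str:
    """Return 'allow_sms_otp', 'step_up' (non-SMS factor) or 'hold_for_review'."""
    high = amount_gbp >= HIGH_VALUE_GBP
    if not sig.lookup_ok:
        # A missing signal is not a clean signal: never fall back to plain SMS.
        return "hold_for_review" if high else "step_up"
    if sig.last_sim_change is None:
        return "allow_sms_otp"
    age = now - sig.last_sim_change
    if age < timedelta(0):
        return "hold_for_review"         # future timestamp: bad data, distrust it
    if age <= RECENT_SWAP:
        return "hold_for_review" if high else "step_up"
    if age <= WATCH_SWAP and high:
        return "step_up"
    return "allow_sms_otp"

# Constructed sample data; numbers are from the UK range reserved for fiction.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    (25_000, SimSignal("+447700900001", NOW - timedelta(hours=3))),
    (40, SimSignal("+447700900002", NOW - timedelta(hours=3))),
    (5_000, SimSignal("+447700900003", NOW - timedelta(days=10))),
    (5_000, SimSignal("+447700900004", NOW - timedelta(days=200))),
    (5_000, SimSignal("+447700900005", None, lookup_ok=False)),
    (40, SimSignal("+447700900006", NOW + timedelta(hours=1))),
]

def run_samples():
    return [sms_otp_decision(amt, sig, NOW) for amt, sig in SAMPLES]

if __name__ == "__main__":
    for (amt, sig), d in zip(SAMPLES, run_samples()):
        print(f"{sig.msisdn} GBP {amt:>6,} -> {d}")
```

The failed-lookup and future-timestamp branches matter as much as the recent-swap one: a policy that quietly allows SMS when the signal is missing or implausible leaves the same gap open.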
Please note I’ve not attempted to try using this online service and wouldn’t suggest anyone does. We’ve reported the website to the National Cyber Security Centre; however, we suspect these sites will become like a hydra every time they are taken down. It could be argued that by raising awareness of this website we will facilitate people who will break the law. Our counterargument is that the knowledge of criminals already outstrips that of the professionals paid to resist them.