Payfone, a leading digital identity authentication company, announced today that it has been awarded a first-of-its-kind patent for technology that detects and prevents SIM swap fraud, a social engineering scam that has defrauded consumers and businesses of millions of dollars. Criminals use this technique to bypass security measures like single-use PIN codes. To raise awareness about SIM swap fraud and to understand how financial services companies can help prevent it, we spoke to Payfone about how the scam works and how its newly patented solution detects and prevents it by leveraging its unique partnerships with the US's largest mobile network operators.
A dangerous and growing scam
SIM swap fraud is a rapidly growing problem that targets consumers by taking over their financial accounts and, in some cases, draining their entire savings. The crime also costs banks millions and often results in time- and resource-consuming investigations. A 2016 Guardian article tells the story of SIM swap thieves who completely emptied one British man’s bank account and applied for an £8,000 loan in his name. Other articles from Fin24.com and The Telegraph recount similar cautionary tales.
The basics of SIM Swap
We’ll start with a disclaimer for any telecom experts: we’ll be using layman’s terms so everyone can follow along. We know the technology is complicated!
A SIM card, or subscriber identity module, is at its most basic the small card in your phone that identifies and authenticates your phone on your provider’s network. It’s what enables your phone to make calls and receive SMS messages. A SIM swap is when your account is switched to a new SIM card. In fact, most of us have experienced legitimate SIM swaps when getting a new phone. It seems like magic when our new phone connects to our mobile provider and our old phone suddenly becomes useless – that’s a SIM swap.
SIM Swap Fraud
SIM swap fraud is when someone convinces your mobile carrier to perform a SIM swap without your knowledge. This type of fraud has, in the past, been notoriously difficult to detect because mobile operators have relied on knowledge-based questions for security (e.g., your mother’s maiden name). A typical scenario of SIM swap fraud goes something like this:
- A fraudster buys information from the dark web, uses social media, and/or other social engineering tactics to gather information about you.
- When ready, the fraudster calls the mobile carrier and says their current phone is lost, stolen, or broken and that they want to use an “old phone” (i.e., swap to a new SIM card).
- The mobile carrier asks personal questions (which the criminal has the answers for), then deactivates your phone and associates your account with a new SIM card.
- Once this is done, you – the unknowing customer – now have an unusable phone, so you can’t call your carrier, giving the criminal time to receive your calls and texts.
- The criminal then logs into your bank account, receives the one-time security PIN code, and drains your bank account.
- By the time you’ve sorted this out with your carrier, it’s too late.
Technology has caught up and it’s live
It’s been difficult for mobile operators to strike a balance between customer convenience and security. The majority of SIM swaps are legitimate – customers lose, upgrade, or break their phones – but personal questions are becoming easier to bypass. A technology solution is required and that’s where Payfone’s patented technology comes into play.
Payfone’s technology works by communicating in real time with the major mobile carriers. On top of this communication, Payfone’s LOTUS platform analyzes millions of digital signals (e.g., location, phone type, etc.) to create a Trust Score, identifying fraudsters as soon as a new SIM is activated, before they are able to do any harm.
If we return to our scenario above, with Payfone’s solution enabled, your number would have been flagged as hacked as soon as the illegal SIM swap took place, enabling a bank to prevent any login using the phone number related to your account. For the more technical folks in our audience, the patent performs validation on the MSISDN-IMSI combination, that is, the combination of your phone number (MSISDN) and the SIM card identifier (IMSI).
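The MSISDN-IMSI check described above, as an added example that is not Payfone's code or part of the original article: a bank keeps the IMSI it last trusted for each phone number and refuses SMS one-time codes when the observed IMSI changes. The class and method names, the 72-hour quarantine and the sample numbers are assumptions, and the carrier lookup is represented by the `observed_imsi` argument.

```python
# Added illustration; not Payfone's implementation. In a real deployment
# observed_imsi would come from a carrier lookup; here it is passed in.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

QUARANTINE = timedelta(hours=72)  # assumed policy value, not from the article

@dataclass
class Binding:
    imsi: str                                 # IMSI currently trusted
    pending_imsi: Optional[str] = None        # new IMSI seen, not yet trusted
    pending_since: Optional[datetime] = None  # when it was first observed

class SimBindingStore:
    def __init__(self):
        self._by_msisdn = {}

    def enroll(self, msisdn, imsi):
        """Trust this pair; call only after out-of-band customer verification."""
        self._by_msisdn[msisdn] = Binding(imsi)

    def check(self, msisdn, observed_imsi, now):
        """Decide whether an SMS one-time code may be used for this login."""
        b = self._by_msisdn.get(msisdn)
        if b is None:
            return "step_up"                  # no trusted pair on file
        if observed_imsi == b.imsi:
            b.pending_imsi = b.pending_since = None
            return "allow_sms_otp"
        if observed_imsi != b.pending_imsi:   # first sighting of this SIM
            b.pending_imsi, b.pending_since = observed_imsi, now
        if now - b.pending_since >= QUARANTINE:
            # New SIM has persisted past quarantine: treat as a legitimate swap.
            b.imsi, b.pending_imsi, b.pending_since = observed_imsi, None, None
            return "allow_sms_otp"
        return "step_up"                      # recent swap: do not trust SMS

if __name__ == "__main__":
    # Constructed sample values, not real subscriber data.
    msisdn, old_sim, new_sim = "15555550100", "310150123456789", "310150987654321"
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = SimBindingStore()
    store.enroll(msisdn, old_sim)
    print(store.check(msisdn, old_sim, t0))                        # same SIM
    print(store.check(msisdn, new_sim, t0 + timedelta(hours=1)))   # just swapped
    print(store.check(msisdn, new_sim, t0 + timedelta(hours=80)))  # aged out
```

A `step_up` result means the login should fall back to a factor that does not depend on the phone number, such as an authenticator app or in-branch verification.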
“We’re experts in mobile identity. We predicted that as chip cards rolled out in the US, fraudsters would attack two-factor solutions that secure banking, FinTech and bitcoin services,” said Rodger Desai, Chief Executive Officer, Payfone. “Payfone’s newly patented mobile identity authentication solution thwarts these types of attacks before they can do harm by detecting suspicious SIM swaps as soon as they occur.”
Payfone’s technology is already being used by the top three banks in the United States, with additional rollouts anticipated as more financial institutions realize the need to combat this expensive and detrimental problem.
For more information, visit www.payfone.com.
This post was sponsored by Payfone.