SIM swap attacks are a challenge for banks because they exploit weak ID&V processes implemented by the mobile service providers. In addition, there is a general trend, especially pronounced with some mobile devices, towards making the identification details of the SIM inaccessible, thereby hampering device-based technical methods to detect SIM replacement.
There are two critical technologies which are relevant to mitigating SIM swap attacks: Mobile One-Time PIN (OTP) and Behavioural Authentication (Predictive Algorithm/Model). Mobile app-based OTP authentication is a particularly robust option to defend against SIM swap attacks for the following reasons:
- Mobile OTP operates in a completely disconnected manner. No carrier signal, Wi-Fi, or even an internet connection is required to use it. Therefore, even if the device’s SIM is off air, the Mobile OTP authentication remains usable and secure.
- Mobile OTP has no dependency on the installed SIM. An attacker who hijacks a user’s SIM does not inherit the ability to authenticate through Mobile OTP.
- Mobile OTP is unique in keeping the key material secure against an offline attack owing to a patented cryptographic camouflage algorithm.
Behavioural Authentication: In general, a fraudster’s spending behaviour following a SIM swap is vastly different from the victim’s typical spending. A fraudster has a window of time, up to a maximum of 6 hours, to extract as much money or goods as possible from their target. Therefore a fraudster’s behaviour is usually characteristic of previously-seen fraud. The velocity and value of spending, in combination with the use of different devices, will indicate a strong suspicion of fraud. In these circumstances a predictive model has good cause to fail authentication automatically and alert the fraud team, thereby preventing any further transactions until the legitimate cardholder has been contacted.
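The behavioural check described above, as an added example that is not part of the original page: a rule-based stand-in for the predictive model that compares the last 6 hours of activity with the cardholder's own history on velocity, value and device. The function name, thresholds, device labels and sample transactions are all constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(hours=6)  # the page's upper bound on the fraudster's window

def assess(history, recent, now):
    """Compare the last WINDOW of activity with the cardholder's own baseline.

    history, recent: lists of (timestamp, amount, device_id) tuples.
    Returns (decision, signals). All thresholds are illustrative assumptions.
    """
    window = [t for t in recent if timedelta(0) <= now - t[0] <= WINDOW]
    if not window or not history:
        # Nothing to score, or no baseline to score against (left to other controls).
        return "allow", []
    amounts = [a for _, a, _ in history]
    mu, sigma = mean(amounts), pstdev(amounts) or 1.0
    # Baseline velocity: average transactions per 6-hour window over the history.
    times = [t for t, _, _ in history]
    base_rate = len(history) / max((max(times) - min(times)) / WINDOW, 1.0)
    known_devices = {d for _, _, d in history}

    signals = []
    if len(window) > max(3, 4 * base_rate):
        signals.append("velocity")
    if any(a > mu + 3 * sigma for _, a, _ in window):
        signals.append("value")
    if any(d not in known_devices for _, _, d in window):
        signals.append("new_device")
    # The passage relies on the combination of signals, so one alone does not fail.
    decision = "fail_and_alert" if len(signals) >= 2 else "allow"
    return decision, signals

# Constructed sample data: 30 days of one modest purchase per day on one device.
START = datetime(2024, 1, 1, 12, 0)
HISTORY = [(START + timedelta(days=i), 20.0 + 10 * (i % 5), "phone-A") for i in range(30)]
NOW = datetime(2024, 1, 31, 18, 0)
# Constructed post-swap burst: five large purchases in 40 minutes from a new device.
BURST = [(NOW - timedelta(minutes=10 * i), 900.0, "phone-B") for i in range(5)]
NORMAL = [(NOW - timedelta(hours=1), 45.0, "phone-A")]

if __name__ == "__main__":
    print(assess(HISTORY, BURST, NOW))
    print(assess(HISTORY, NORMAL, NOW))
```
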
Remember, no form of strong authentication is fail-safe forever. If the strong authentication has been given a high degree of trust within your systems, the speed and cost of a compromise are likely to be significant. But behaviour is impossible for a fraudster to mimic. Having a powerful predictive model in the background detecting deviations and anomalies is not only powerful but essential.