SIM swapping scams and behavioural biometrics


SIM swapping is an increasingly popular account takeover fraud that has, in the past year, claimed high-profile victims including Twitter CEO Jack Dorsey and may even have been the reason behind Barack Obama and Elon Musk tweeting bitcoin scams as recently as mid-July. But it’s more than just public image and reputation that is on the line for victims of this fraud.

In January 2020, a Spanish hacker ring stole over €3 million in a series of SIM swapping attacks from unsuspecting cardholders. They struck over 100 times, stealing up to €137,000 at a time from individual bank accounts.

In Greece, simjackers have stolen €700,000 from Greek banking customers this year alone and the story repeats itself from country to country.

In this blog you’ll learn what SIM swapping is, how it works and what this trending scam tactic means for the financial industry.


How does SIM swapping work?

SIM swapping or simjacking targets a weakness in two-factor authentication in which the second factor is a text message (SMS) or call made to a mobile telephone.

Cybercriminals exploit mobile service providers’ ability to port a phone number – the number that receives the second factor of two-factor authentication – to a phone the fraudster controls.

When a mobile phone is lost, stolen or users switch services over to a new phone, the mobile service provider can seamlessly port the user’s number to a different device.

To turn this simple action into a scam, all fraudsters need to do is call the mobile service provider of a legitimate user, impersonate them – using data acquired through malware, phishing or from organized criminals – and convince the provider to switch the phone number over to the fraudster’s SIM.

This allows the fraudster to intercept any one-time passwords sent to the victim via SMS and circumvent any security features of accounts that rely on text messages or telephone calls.

What’s more, SIM swapping is significantly faster than traditional fraud tactics.


Fraudsters need only send a text message to a carrier to obtain a Porting Authorization Code, so if they have access to a device for only a few seconds, exploiting this weakness in two-factor authentication is significantly faster than infecting the device with malware or running a phishing campaign.

This is even easier to achieve in countries that don’t have stringent laws such as the EU’s ‘Strong Customer Authorization’, or that have lower banking fraud awareness; there, a number can be ported without any identity check at all.

Signs that you are a victim of SIM swapping fraud may include:

  • You’re notified that your SIM card has been activated on another device
  • Your text messages aren’t sending and you can’t make phone calls
  • Your bank login credentials no longer work

In an hour or two most victims pick up on one of these signs, so fraudsters have to be quick to transfer the money to mule accounts and hide their traces.


SIM swappers struck – what next?

When simjackers targeted Greek banking customers this year, one victim caught up in the attack recalled how simple it was: one minute his phone lost signal; the next, €10,150 had been moved out of his bank account.

The bank is a victim’s first port of call when fraudsters strike, and the bank is who they blame.

“I am annoyed at the bank. I have taken a loan from them and I have always been consistent with my obligations,” the defrauded customer explained to the National Herald. He is not alone in looking at the bank for a solution.

In July 2020, the Dubai Court of Appeal found a local bank responsible for the SIM swap fraud that saw Dh4.7 million (over €1 million) stolen from Middle Eastern bank accounts in 2017 and ordered the bank to reimburse the victims.

With smartphone usage at all-time high and more people entering the banking ecosystem – as Covid-19 accelerates the shift to digital payments across the world – the onus is on the banks to ensure sophisticated fraudsters aren’t just one text message away from their customers’ life savings.


The role of the bank in stopping SIM swapping fraud

On the surface of it, banks are victims of SIM swapping scams just the same as their customers. Porting cardholders’ phone numbers to new devices is ultimately the decision of the mobile service provider, which – presented with accurate, stolen data – has no reason to suspect cybercriminals are behind the move.

But as the Dubai court ruling shows, responsibility to reimburse victims lies with the bank.

Does this mean banks will necessarily be on the back foot when it comes to simjacking? Quite the contrary. Financial institutions cannot afford to adopt a reactive stance – it is both expensive and damaging to customer relationships.

With the buguroo online fraud detection solution, bugFraud, banks can be one step ahead of evolving types of cybercrime, including SIM swapping.


Behavioral biometrics analysis overcomes the failings of two-factor authentication

Most banks verify the user’s identity at login and when a transaction is performed (two-factor authentication), leaving a gap in the process for mid-session account takeover to occur.

In comparison, bugFraud provides continuous authentication to monitor and verify a banking customer’s identity in real time, throughout the entire online session. Its deep learning-driven behavioral biometrics analysis capability builds a cyber DNA for each user based on their unique, granular patterns of behavior to determine what constitutes ‘typical behavior’ to the individual user.

Then, by continuously monitoring their activity throughout the online session, bugFraud flags any suspicious activity in real time, prompting the bank to take action.

In the case of SIM swapping, while a SIM may check out as belonging to the authorized user, bugFraud is able to detect a change in the user’s patterns of usage and indicate fraudster activity.

It is also capable of establishing a correlation between a device and the user’s actual International Mobile Subscriber Identity (IMSI), allowing banks to reveal such anomalies as one device ID linked to two or more SIM cards or one SIM shared between two or more device IDs.

In both of these scenarios, bugFraud helps the bank stop fraudsters before money leaves a legitimate user’s account.
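The device-to-IMSI correlation described above, as an added illustration that is not bugFraud’s code: over a constructed history of mobile-banking sessions, it flags a device ID linked to two or more SIMs, a SIM shared between two or more device IDs, and the sessions a bank would want to review. The field names, device IDs and IMSI values are assumed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionEvent:
    """One mobile-banking session: who logged in, from which device, with which SIM (IMSI)."""
    session_id: str
    user: str
    device_id: str
    imsi: str


# Constructed sample history (not real data). Sessions s1-s4 are normal; s5 shows bob's SIM
# appearing on a device never seen for it, and s6 shows that same device carrying carol's SIM.
EVENTS = [
    SessionEvent("s1", "alice", "dev-A", "imsi-1001"),
    SessionEvent("s2", "alice", "dev-A", "imsi-1001"),
    SessionEvent("s3", "alice", "dev-A", "imsi-1001"),
    SessionEvent("s4", "bob", "dev-B", "imsi-2002"),
    SessionEvent("s5", "bob", "dev-C", "imsi-2002"),
    SessionEvent("s6", "carol", "dev-C", "imsi-3003"),
]


def correlate(events):
    """Build the two views of the history: SIMs seen per device, devices seen per SIM."""
    imsis_per_device = defaultdict(set)
    devices_per_imsi = defaultdict(set)
    for e in events:
        imsis_per_device[e.device_id].add(e.imsi)
        devices_per_imsi[e.imsi].add(e.device_id)
    return imsis_per_device, devices_per_imsi


def find_anomalies(events):
    """Return devices tied to 2+ SIMs and SIMs tied to 2+ devices, the two patterns the post names."""
    imsis_per_device, devices_per_imsi = correlate(events)
    return {
        "device_with_multiple_sims": sorted(d for d, s in imsis_per_device.items() if len(s) > 1),
        "sim_on_multiple_devices": sorted(i for i, d in devices_per_imsi.items() if len(d) > 1),
    }


def sessions_to_review(events):
    """Sessions whose device/IMSI pairing is implicated in an anomaly; candidates for step-up or hold."""
    flagged = find_anomalies(events)
    bad_devices = set(flagged["device_with_multiple_sims"])
    bad_imsis = set(flagged["sim_on_multiple_devices"])
    return sorted(e.session_id for e in events if e.device_id in bad_devices or e.imsi in bad_imsis)
```

Run against the constructed history, `find_anomalies` reports `dev-C` and `imsi-2002`, and `sessions_to_review` returns s4, s5 and s6; the first four sessions alone produce no flags.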


Profiling cybercriminals, one simjacker at a time

bugFraud not only protects banking customers from SIM swap scams, it also enables the bank to thwart and deter future attempts from the same cybercriminals.

Every time a SIM swap attempt is made, bugFraud’s Fraudster Hunter functionality collects unique behavioral biometric DNA from cybercriminals, allowing financial institutions to immediately identify malicious entities inside their system and prevent account takeover.

The more cybercriminals try, the faster the bank gets at identifying them, leading to complete deterrence – all while legitimate users enjoy a frictionless and safe banking customer experience.

