The SIM swap fix that the US isn’t using

Andy Greenberg, Wired:

…an escalating pattern of fraud based on so-called SIM swap attacks, where hackers trick or bribe a phone company employee into switching the SIM card associated with a victim’s phone number. The attackers then use that hijacked number to take over banking or other online accounts. According to Tenreiro, the bank had seen more than 17 SIM swap frauds every month. The problem was only getting worse.


SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim’s banking credentials, or by using the phone number as a password reset fallback. So the phone company, Tenreiro says, offered a straightforward fix: The carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled, that window of time let them report the crime before fraudsters could take advantage.

I recognize that this is a game of whack-a-mole, where one security hole is plugged and another one is discovered. But this seems a pretty solid solution.

By August of 2018, Mozambique’s largest bank was performing SIM swap checks with all the major carriers. “It reduced their SIM swap fraud to nearly zero overnight.”

Why is the US not following in Mozambique’s SIM-securing footsteps?

CTIA vice president for technology and cybersecurity John Marinho argued that while US carriers may not offer real-time SIM swap checks, that’s in part because the US has other protections, like geolocation checks based on banks’ mobile applications installed on smartphones, and two-factor authentication. (The latter, of course, is exactly the security measure SIM swaps attempt to circumvent.)

Fascinating read.

[H/T @Varunorcv]