A SIM swap, in the fraudulent sense, is an unauthorized change of who effectively controls a user’s mobile phone service: a fraudster reports the phone as lost or stolen, and the telco associates the existing phone number and account with a replacement SIM in the fraudster’s possession. Many organizations rely on the link between a person and their phone number as part of the processes they use to verify a customer’s identity, typically by sending one-time passcodes or password-reset links by SMS or voice call, and this motivates criminals to exploit SIM swaps to gain access to the other accounts and services used by the subscriber. Anecdotal evidence suggests there has been a sharp rise in the number of SIM swaps occurring worldwide. At the end of 2017 security pioneer John McAfee said his mobile phone account was taken over by cryptocurrency geeks who then posted fake recommendations from McAfee’s Twitter account. This illustrates that criminals do not need to access a bank account to make money. At the same time, banks are becoming wary of accepting financial liability for security lapses within telcos. For example, a UK bank refused to reimburse a customer after his bank account was emptied following a SIM swap. And recently an employee of T-Mobile USA was investigated after allegedly performing a SIM swap in order to steal the prized Instagram username of a T-Mobile subscriber.
Naughty people want your identity, your money, and even the cool username you obtained on your favorite social network. Your mobile phone is just a means to get to them. This is creating an increasing security burden for telcos. Can telcos respond? Lots of phones are lost every day. That means thousands of staff working in stores and contact centers need some authority to permit a change of the SIM associated with an account, and so need to be trained not to fall for social engineering. That training will never deliver perfect results, for the same reasons that make it impossible to force everyone to protect their own passwords. Furthermore, insiders will collude in crime. Which telco is going to be able to vet its staff with sufficient rigor to exclude every potential fraudster? Telcos find it difficult enough to prevent fraud by executives; they will never weed out every wrongdoer from the legions of customer-facing staff who receive modest wages and who tend to turn over frequently. The stakes rise every year, but telcos have no easy way to prevent SIM swaps.
Perhaps the only person who can prevent SIM swaps is the customer. If other people do not know your telephone number, then they cannot target it for takeover. Plagues of robocalls are already discouraging subscribers from sharing their number. Users who switch to OTT voice services may benefit from improved security, as well as saving money, because the number they give out is no longer the one their bank or social network uses to verify them. Telco insiders will still know your number, but perhaps this will also clarify which businesses should be held liable when a phone account is taken over. It may seem unimaginable to live in a world where nobody has a phone number, but not many imagined a world where everybody has a phone in their pocket, even when the first mobile networks were being rolled out. And if we do not want to imagine a world where phone numbers stop being used, we collectively need to imagine solutions that prevent phone numbers becoming the single point of failure when accessing every other service.