MSISDN and IMSI: The role they play in SIM-Swap fraud
Covid-19 and its impact on cyberfraud
July 1, 2021
Banking & Payments Federation Ireland (BPFI) webinar on the importance of authenticating identity via the mobile phone
July 1, 2021
The role of MSISDN and the IMSI on Sim-Swap fraud
What is the difference between an MSISDN and an IMSI
An international mobile subscriber identity (IMSI) number uniquely identifies a mobile phone subscriber and is usually stored within a SIM card. A mobile subscriber integrated services digital network (MSISDN) number is a mobile's phone number. The IMSI is used internally within mobile phone systems to identify a phone. Most users don't know their IMSI, while the MSISDN can be dialed to reach the phone.
Why does this matter?
As the mobile phone continues its dominance in the e-commerce space, many applications have begun to use the mobile number to send a security code via an SMS to authenticate their users. The most common of these is through the adoption of a two-factor authentication method which uses secure customer authentication (SCA) to validate a user based on the factors of knowledge, possession and inherence. An SMS in this case can be classified as a possession factor if the user’s SIM card has been validated prior to the sending of the message.
The reliance on using the mobile phone number to authenticate users has made the number itself (MSISDN) vulnerable to malicious attacks. The mobile device therefore becomes more vulnerable to fraudsters who can intercept SMS PIN codes and other sensitive information with increasing ease.
How do fraudsters carry out a SIM-Swap?
Here is a timeline of how a SIM-Swap attack can take place:- A fraudster finds your personal information and or your mobile phone number through social engineering or a phishing scam.
- They will then use this information to impersonate their victim to the victim’s mobile network operator (MNO) stating that they need a SIM card replacement.
- The MNO can then issue a new SIM card to the fraudster along with the victim’s mobile phone number.
- The victim’s original SIM card will then cease to work as soon as the newly requested SIM card from the fraudster goes live.
- From this point, the fraudster will have access to your online profiles such as your digital bank account app.
How can a company prevent SIM-Swap fraud
When a fraudster transfers their victim’s mobile number onto a device in their possession, the serial number, the IMSI, also changes.
To compliantly authenticate a user efficiently and seamlessly, a company must validate their user’s mobile phone number against their SIM card. This must be validated at the mobile phone network level. As cited in the ‘Opinion of the European Banking authority on the elements of strong customer authentication under PSD2’, the possession element ‘would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number’. Link
Phonovation’s FinTech solution, known as Mobile ID, enables banks to be PSD2 compliant by providing real-time data on the status of a mobile SIM via a secure connection into the mobile network.
