How US Mobile Leverages Digital Identity To Protect Against SIM Swap Fraud

Exploiting stolen information to convince cell providers to migrate victims’ phone numbers to new SIM cards has become a common tactic for bad actors to sidestep digital ID authentication measures. In this month’s Digital Identity Tracker, PYMNTS talked to Ahmed Khattak, CEO of US Mobile, about how the carrier deploys device fingerprinting and location tracking to prevent SIM swap fraud.

Digital identity has become a crucial part of the telecommunications industry as the proliferation of smartphones and the personal data they hold makes security paramount.

Multifactor authentication (MFA) has become commonplace for online accounts, with users confirming their identities via text messages sent to their phones. Biometric authentication methods like fingerprint and facial recognition scans are now standard on the latest smartphone models.

Such security methods can be critical to preventing fraud that targets mobile users, of which one of the most prevalent types is SIM swap fraud. This method involves bad actors impersonating customers and convincing mobile service providers to transfer the victims’ phone numbers to their own SIM cards, allowing these fraudsters to seize control of any accounts linked to that phone number.

“You could go to eBay and buy a blank SIM card for any of the wireless carriers out there,” Ahmed Khattak, CEO and founder of prepaid cell carrier US Mobile, said during an interview with PYMNTS. “Once you have that blank SIM card, all you need to do is convince the carrier to transfer a phone number to that same card, and that’s it. Now you can log into an app and reset a password, or — if you already have that password — use that SIM card to get [an MFA] code. It’s that easy.”

Preventing SIM swap fraud requires vigilance and ironclad authentication methods to ensure that users who are asking to transfer their phone numbers are legitimate rather than scammers. Digital identity verification methods such as device fingerprinting can be key to making that happen.

Why Fraudsters Swap SIM Cards

SIM swap fraud has been around as long as SIM cards have, but it has become much easier to perpetrate in recent years due to the increasing amount of publicly available information about victims that can be found online. These details are often enough to satisfy many service providers’ verification measures, giving fraudsters have ample opportunities to fake their identities.

“My email address, my address [and] perhaps my LinkedIn profile are all publicly available,” Khattak said. “There’s nothing I can do to stop that if it’s public information. [Fraudsters] can do whatever they want to with it.”

Cybercriminals armed with this information can complete MFA checks with victims’ phone numbers and change their passwords, for example. Hundreds of thousands of dollars could be transferred to fraudsters’ own accounts this way, and the victims could be unaware for hours or days because all notifications would be sent to the phone number that they do not know has been stolen.

“If you want to send a wire transfer to a bank or something, pretty much the only thing that a lot of companies do [for verification] is send you a text message on your phone,” he explained. “For example, if you know someone who has a couple hundred thousand dollars’ worth of Bitcoin sitting in their Coinbase account, and you know who they use for their wireless network operator, then it’s game over.”

Preventing this fraud is extremely difficult once fraudsters have access to phone numbers. This means that robust identity verification measures must be used to stop them in their tracks during the first step of their schemes, when they call to have their numbers transferred. Telecommunications providers like US Mobile are deploying various digital identity techniques to do so.

How Digital Identity Curbs The Threat

US Mobile’s first step in securing users against SIM swap fraud is limiting the channels through which they can transfer their phone numbers. Changing numbers over the phone is not allowed, for example. Users must instead go through the official US Mobile app, which tracks different aspects of their digital identities to confirm that they are who they say they are.

“We can fingerprint your device’s identity and can see what device you normally use on our network,” Khattak said. “For example, if you use the same iPhone for your services, but then you ask for a number change using Android, that sends a negative signal.”

The app can also track the location of its users for further verification. Requests for phone number changes that do not align with a registered address are also flagged as suspicious, at which point the company might ask for additional proof of identity to ensure that the request is not coming from a fraudster.

“Say you’re a Florida resident with your billing address somewhere in Miami and you go online and you say, ‘Hey, I want to transfer [my number] to someone else,’” he said. “What we do is we fingerprint the device that you’re coming from. If you say that you’re in Miami, but what our tools are telling us is that you’re actually signed in via [an] IP address from Las Vegas or California or London, that’s a flag for us.”

Minimizing SIM swap fraud at US Mobile means these digital identity factors must be verified before any phone number modification can take place, Khattak explained. Additional verification checks may be necessary as fraudsters figure out how to spoof this data, but for now, promoting robust verification methods can go a long way toward keeping customers safe.