How banks protect themselves from SIM swapping

Mutt

SIM swapping is a type of fraud in which an attacker takes over a victim's phone number by having the telecom operator reissue the SIM card. This allows the interception of SMS messages containing one-time passwords (OTPs) used in 3D-Secure and other authentication systems. Banks, together with telecom operators and technology partners, employ comprehensive measures to protect against SIM swapping. Here is a detailed explanation of how they counter this threat, focusing on technology, process and customer aspects.

1. Understanding SIM Swapping

  • How the attack works:
    • The scammer collects the victim's personal data (name, address, phone number, sometimes passport details) through phishing, data leaks or social engineering.
    • The attacker contacts the telecom operator, posing as the victim, and asks to reissue the SIM card (for example, citing "loss").
    • After the reissue, the fraudster receives the SMS messages with OTPs, calls and other messages intended for the victim.
    • Using the OTP, the fraudster confirms transactions or gains access to bank accounts.
  • Why it's a threat: SMS-OTP, despite the move to more secure methods (such as biometrics in 3D-Secure 2.0), is still widely used for authentication, especially in regions with limited app support.

2. Technological measures of banks

Banks are implementing technologies to minimize the risks of SIM swapping and reduce reliance on vulnerable SMS.

Moving from SMS to more secure channels

  • Push notifications in applications:
    • Banks are replacing SMS-OTP with push notifications in official mobile applications (for example, through banking applications or Google/Apple Pay).
    • Push notifications are tied to the device and protected by biometrics (Face ID, fingerprint) or PIN code, making them resistant to SIM swapping.
  • Biometric authentication:
    • Within the framework of 3D-Secure 2.0 and PSD2 (European directive), banks use biometrics (fingerprints, facial recognition) as part of Strong Customer Authentication (SCA).
    • This reduces the reliance on OTP, as biometrics require physical access to the device.
  • Hardware tokens:
    • Some banks offer physical devices (such as code generators) that create OTPs independently of your phone.
    • This completely eliminates the risk of SIM swapping.

SIM card activity monitoring

  • Cooperation with telecom operators:
    • Banks work with operators to receive notifications when a SIM card associated with a customer is reissued.
    • If the SIM card is reissued, the bank may temporarily suspend SMS-OTP or request additional authentication.
  • Device Metadata Analysis:
    • Machine learning (ML) analyzes changes in device identifiers (IMSI, IMEI) to identify suspicious SIM card replacements.
    • For example, if a transaction comes from a new IMSI (SIM identifier) but from the same device, it raises an alarm.

ML for anomaly detection

  • Behavioral analysis:
    • Algorithms (e.g. autoencoders, Isolation Forest) track changes in client behavior, such as a change in geolocation or device after a SIM reissue.
    • If OTP is requested after an abnormal event (e.g. SIM change), the bank may initiate additional verification (biometrics, call).
  • Time Series Analysis:
    • LSTM (Long Short-Term Memory) models track sequences of events, such as login attempts after a SIM card change.
    • A high frequency of OTP requests after a SIM change is marked as suspicious.

Tokenization and virtual cards

  • Tokenization: Card data is replaced with tokens (such as in Apple Pay) that are useless without authentication on the device.
  • Virtual cards: Limit the amount and validity period, minimizing damage even if SIM swapping is successful.

3. Process measures of banks

Banks are implementing internal procedures and collaborating with telecom operators to make it more difficult for fraudsters to reissue SIM cards.

Strengthening authentication procedures for operators

  • Multi-factor verification:
    • Operators require several forms of identification for SIM reissue (e.g. passport, biometrics, code word).
    • Some operators implement two-factor authentication (2FA) for SIM change, for example, confirmation via email or a call to another number.
  • Online reissue limitation:
    • Operators limit the possibility of reissuing SIM cards through online channels, requiring a personal visit to the office.
  • Reissue Notifications:
    • Clients receive notifications (email, push) about the SIM reissue request, which allows the process to be quickly blocked.

Monitoring and blocking

  • Automatic lock:
    • If the bank detects a SIM card change (via operator data), it may temporarily freeze transactions requiring SMS-OTP until the customer's identity is verified.
  • Manual check:
    • For high-risk transactions (for example, large transfers), the bank may request a call or a visit to the branch.

SMS-OTP Usage Limitations

  • Banks are minimizing the use of SMS for critical transactions, replacing them with push notifications or biometrics.
  • In some cases SMS-OTP is used only as an additional factor, not the main one.

4. Cooperation with external partners

  • With telecom operators:
    • Banks and operators exchange data on suspicious SIM reissues via secure APIs.
    • Operators are implementing monitoring systems such as the GSMA Fraud and Security Group to track SIM swapping attacks.
  • With technology companies:
    • Banks use FDS platforms (e.g. FICO Falcon, Feedzai) that integrate SIM swap data from global sources.
    • Banks partner with Google and Apple to secure push notifications and tokenization.
  • With law enforcement agencies:
    • Banks report SIM swapping data to cyber units (e.g. Interpol, local authorities) to stop organized schemes.

5. Training and informing clients

Banks are actively working with clients to reduce vulnerability to SIM swapping:
  • Educational campaigns:
    • Banks inform customers about the risks of phishing and social engineering, through which fraudsters collect data for SIM swapping.
    • Customers are advised not to share personal information (for example, phone number, passport details) on suspicious sites.
  • Safety recommendations:
    • Setting up a code word with your telecom operator for SIM reissue.
    • Using eSIMs, which are more difficult to replace as they are built into the device.
    • Setting up 2FA for operator accounts (e.g. via email or app).
  • Notifications:
    • Customers receive alerts about login or SIM change attempts via email or push, even if SMS is not available.

6. Example scenario

The fraudster, using the stolen data (name, address, phone number), contacts the operator and has the victim's SIM card reissued. He then tries to conduct a transaction for 100,000 rubles through a site that requires a 3D-Secure OTP. The bank:
  • Captures anomaly: An ML model (e.g. autoencoder) notices that a transaction is coming from a new IMSI after a recent SIM reissue.
  • Requests biometrics: Instead of SMS-OTP, the bank sends a push notification to the app requiring Face ID.
  • Notifies the client: Sends an email about suspicious activity and temporarily blocks the card.
  • Cooperates with the operator: Checks the legitimacy of the SIM reissue and blocks further attempts if the attack is confirmed.

7. Limitations and Challenges

  • Carrier dependency: If the carrier does not have strict SIM reissue procedures, the attack may go undetected.
  • Global differences: In some countries, operators are less protected, increasing the risk.
  • Response speed: SIM swapping can take hours, but the bank will only find out about it with a delay.
  • Client vulnerability: If the client does not report the number being compromised, the bank may not have time to block the transactions.

8. Future Directions

  • Phasing out SMS-OTP completely: Banks switch to biometrics and push notifications to eliminate the SIM swapping vulnerability.
  • Blockchain for authentication: Decentralized systems can provide secure verification without SIM involvement.
  • Improving operator systems: Operators are implementing ML to identify suspicious SIM reissue requests.

If you want to dive deeper into a specific aspect, like how ML models analyze IMSI changes or how carriers protect SIMs, ask and I'll give you a detailed answer with examples!
 
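The bank-side decision flow from section 6, combined with the SIM-change checks described in sections 2 and 3, as an added example that is not part of the original post. The thresholds, field names and the IMSI/IMEI values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy values below are assumptions for illustration, not figures from the post.
SIM_COOLDOWN = timedelta(hours=72)   # SMS-OTP stays suspended this long after a reissue
MANUAL_CHECK_AMOUNT = 500_000        # at or above this, require a call or branch visit
OTP_BURST_LIMIT = 3                  # OTP requests per hour treated as normal

@dataclass
class Customer:
    imsi: str                            # SIM identifier at the last verified session
    imei: str                            # device identifier at the last verified session
    sim_reissued_at: Optional[datetime]  # from the operator's reissue notification
    has_app: bool                        # push + biometrics available

@dataclass
class Request:
    imsi: str
    imei: str
    amount: int
    at: datetime
    otp_requests_last_hour: int

def decide(c: Customer, r: Request):
    """Return (channel, reasons) for one authentication request."""
    reasons = []
    if c.sim_reissued_at and timedelta(0) <= r.at - c.sim_reissued_at <= SIM_COOLDOWN:
        reasons.append("recent_sim_reissue")
    if r.imsi != c.imsi:
        reasons.append("new_imsi_same_device" if r.imei == c.imei else "new_imsi_new_device")
    if r.otp_requests_last_hour > OTP_BURST_LIMIT:
        reasons.append("otp_burst")
    if not reasons:
        return "sms_otp", reasons
    # Any SIM-related signal: do not fall back to SMS, which the new SIM would receive.
    if r.amount >= MANUAL_CHECK_AMOUNT or not c.has_app:
        return "manual_check", reasons
    return "push_biometric", reasons

# Constructed sample data mirroring the scenario: reissue, then a 100,000 payment.
NOW = datetime(2024, 5, 1, 12, 0)
victim = Customer("250010000000001", "350000000000017", NOW - timedelta(hours=2), True)
steady = Customer("250010000000001", "350000000000017", None, True)
swap_tx = Request("250010000000099", "350000000000025", 100_000, NOW, 1)
normal_tx = Request("250010000000001", "350000000000017", 100_000, NOW, 1)
```

For `swap_tx` the result is a push with biometrics sent to the enrolled device, so the OTP never travels over the reissued SIM.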