The digital world is no stranger to security breaches and identity theft, and one of the most alarming forms of this is SIM swap fraud. Although SIM swap fraud has been around for a long time, carriers have not yet managed to implement a strong, successful defense. Recent incidents – including one that took place in New Orleans when a French Quarter visitor lost his phone, had his SIM taken, and his bank account alone defrauded for $7,000 – are highlighting the urgent need for an immediate and robust solution. According to FBI data, the technique has exploded in popularity.[1] In response, the FCC has issued a Further Notice of Proposed Rulemaking, inviting suggestions on additional steps it could take to combat SIM swap and port-out fraud.[2]
With the aim of establishing a resilient solution to combat SIM Swap fraud, ATIS’ User-Controlled Privacy Using Self-Sovereign Identity (SSI) initiative is exploring ways in which SSI can enhance security and maintain identity verification integrity. An SSI-based solution would provide cryptographic linkage between the proof of identity and the telephone number utilized, offering a formidable measure to combat SIM swap fraud.
Understanding SIM Swap Fraud
SIM swap fraud, a form of identity theft, occurs when cybercriminals use stolen personal data to impersonate a targeted victim and request the transfer of the victim’s mobile telephone number to a new SIM card. Once in control of the victim’s telephone number, the attacker can intercept calls, messages, and even two-factor authentication (2FA) codes, thereby gaining access to a multitude of the victim’s personal accounts.
The Crucial Role of Secure Identity
SIM swap attacks are becoming increasingly sophisticated in how they target consumers. This means there is an urgent need for secure identity verification processes for mobile network operators. These processes need to be more robust and less prone to manipulations by fraudsters, while also being user-friendly for both the mobile customers and the operators to operate.
Enter Self-Sovereign Identity
In the pursuit of a more secure and reliable identity verification solution, SSI emerges as a compelling contender. SSI is an approach to digital identity that empowers individuals with ownership and control over their personal data, dictating when and where they provide it, such as to a website or in person. The user’s digital identity, along with personal data, can be conveniently selected via a mobile wallet application and is cryptographically signed by the user to affirm its origin. This information, when received, can be cryptographically verified against the individual’s digital identity, ensuring that the data comes from the legitimate owner and has not been spoofed by an attacker.
Utilizing SSI Digital Identities to minimize risks from SIM Swap Attacks
By applying SSI identity verification for telecommunication customer authentication, we can mitigate risks associated with SIM swap fraud. Here’s how:
- Cryptographic binding of identity and the use of a telephone number: In an SSI-based solution, a cryptographic link is established between an individual’s identity and the telephone number they use. This cryptographic association provides absolute proof of the identity of the individual requesting the transfer of the telephone number, confirming their authority over that telephone number. This arrangement makes it extremely difficult for a fraudster to impersonate an individual and their associated telephone number without access to the cryptographic keys tied to the individual’s identity.
- Decentralized Control: With SSI, individuals maintain control over their identity data, making it far less susceptible to unauthorized access and manipulation. Verification does not rely on one centralized source but on a network of decentralized nodes, adding multiple layers of security.
- Enhanced Verification: An SSI model uses verified credentials (VCs), which are tamper-evident and impossible to forge attestations of information associated with the users SSI digital identity. VCs store information about the individual, such as name, address, and date of birth, previously verified and assigned to the digital identity by a government authority (such as a digital driving license). This allows individuals to confirm personal details, adding an extra layer of trust to the identity verification process. The mobile network operator can authenticate these VCs without needing to directly contact the government issuer, resulting in a more streamlined and secure process.
- Non-repudiation and auditability: Every interaction using SSI verification requires the user to sign using their digital identity. This provides the carrier proof that the user has requested the service, change of service, purchase or other action effectively eliminating spoofing or fraudulent activities without a signed proof.
- User Consent: One of the foundational principles of SSI is user consent. No data is shared without the explicit consent of the user, thus reinforcing trust in the system and reducing the risk of unauthorized data access.
Benefits of Using SSI Digital Identity
In the era of rising digital threats, such as SIM swap fraud, the importance of secure identity cannot be overstated. SSI offers an effective solution, enhancing security and maintaining identity verification integrity. By adopting SSI, mobile network operators can step up their defense against identity theft, secure their operations, and, most importantly, safeguard their users. The future of identity verification lies in empowering individuals with control over their data, and SSI provides the framework to make this possible.
For a more comprehensive understanding of how SSI can enhance security and maintain integrity in identity verification for the telecommunications industry, view ATIS’ Self-Sovereign Identity in Telecommunications Services white paper.
[1] Jones, David. “Hackers steal thousands of dollars through victims’ cell phones using SIM swap fraud, Mar. 17, 2023, Fox 8 Live.
[2] https://www.fcc.gov/document/chairwoman-proposes-rules-protect-consumers-cell-phone-accounts