Mobile network operator controls to mitigate SIM risks and fraud

  1. Standardization by regulators of SIM swap rules amongst MNOs/MVNOs, including SIM swaps leading to porting of numbers to other MNOs/MVNOs.

  2. Where SIM replacement is carried out by proxy, the MNO/MVNO or its agents must capture a biometric, facial image of the proxy which must be kept for a specified period.

  3. MNOs should notify DFS providers of swapped SIMs and of ported and recycled numbers.

  4. Biometric SIM swap verification: Mobile providers should adopt biometric verification before a SIM swap/SIM replacement is performed.

  5. Multifactor user validation before SIM swap: Mobile providers should authenticate users before a SIM swap using a combination of something they are, something they have, or something they know. User authentication challenges should include verification of personal details (address, email address, DOB), account information (activation date, last payment, service type), device information (IMEI, ICCID), usage information (recent numbers), knowledge (PIN or password, security question), and possession (email OTP, SMS OTP).

  6. Information sharing with DFS provider on SIM swaps and SIM recycling: The MNO should design a mobile number recycling process that involves communicating with DFS providers on Mobile Subscriber Identification Numbers (MSISDN) churned or recycled. (In this context, number recycling is when the MNO reallocates a dormant/inactive MSISDN to a new customer.) When a SIM is recycled, the mobile operator reports the new IMSI related to the account phone number. The DFS provider should block the account until the identity of the new person holding the SIM card is verified as the account holder.

  7. SIM swap notifications to users: On request for a SIM swap, notify the (current) SIM/phone number owner of the request via SMS, IVR or Push USSD, in case the SIM is still live, and then wait for a positive response from the owner for a certain time before undertaking the SIM swap.

  8. Secure SIM data protection: The mobile operator should safeguard personal information that can be used during SIM swaps and securely store SIM data like IMSI and SIM secret key values (KI values).

  9. Holding time before activation of a swapped SIM: Apply a general holding time from the time of a SIM card request to providing the new SIM card to the requestor.

  10. Customer support representatives training: Provide better training to customer support representatives. Representatives should thoroughly understand how to authenticate customers and that deviations from authentication methods or disclosure of customer information prior to authentication are impermissible.
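
The DFS-provider side of controls 3 and 6, as an added example that is not part of the original guidance: an MNO notification of a swapped, ported or recycled number blocks the account until the holder is re-verified. The class and method names are hypothetical, the MSISDN and IMSI values are constructed, and the sketch assumes the DFS provider can see the IMSI of the session requesting a transaction.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

class MnoEvent(Enum):
    SIM_SWAP = "sim_swap"
    PORTED = "ported"
    RECYCLED = "recycled"

@dataclass
class Account:
    msisdn: str
    imsi: str                          # IMSI bound when the holder was last verified
    blocked: bool = False
    pending_imsi: Optional[str] = None

class DfsAccountGuard:
    """DFS-provider handling of MNO notifications (hypothetical helper)."""
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def enroll(self, msisdn: str, imsi: str) -> None:
        self.accounts[msisdn] = Account(msisdn, imsi)

    def on_mno_event(self, msisdn: str, event: MnoEvent, new_imsi: str) -> str:
        acct = self.accounts.get(msisdn)
        if acct is None:
            return "no_account"
        # A recycled number has a new holder even if the reported IMSI is the same.
        if event is not MnoEvent.RECYCLED and new_imsi == acct.imsi:
            return "unchanged"
        acct.blocked, acct.pending_imsi = True, new_imsi
        return "blocked"

    def authorize(self, msisdn: str, session_imsi: str) -> bool:
        # Fail closed: refuse a blocked account, and refuse an IMSI that differs
        # from the bound one, which also covers a swap the MNO never reported.
        acct = self.accounts.get(msisdn)
        return acct is not None and not acct.blocked and session_imsi == acct.imsi

    def complete_reverification(self, msisdn: str, is_account_holder: bool) -> bool:
        # Rebind to the new IMSI only after the person is verified as the holder.
        acct = self.accounts[msisdn]
        if acct.blocked and is_account_holder and acct.pending_imsi:
            acct.imsi, acct.blocked, acct.pending_imsi = acct.pending_imsi, False, None
        return not acct.blocked

if __name__ == "__main__":
    guard = DfsAccountGuard()
    guard.enroll("256700000001", "641100000000001")          # constructed values
    print(guard.on_mno_event("256700000001", MnoEvent.SIM_SWAP, "641100000000002"))
    print(guard.authorize("256700000001", "641100000000002"))  # False until re-verified
```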
