Account Takeover Prevention

SIM swap detection for account takeover prevention

Account takeover via SIM swap works by transferring a victim's phone number to an attacker-controlled SIM, then using SMS authentication to access their account. Real-time SIM swap detection intercepts this attack at the authentication step, before the attacker gains entry. Telebase is launching a SIM swap detection signal for this use case. Early access is available now.

How SIM swap enables account takeover

SMS-based authentication is widespread because it is convenient and cheap. Its weakness is the phone number itself. If an attacker can take control of a number, they inherit every authentication factor tied to it: password reset links, OTPs, transaction confirmations, and account recovery codes all arrive on the attacker's device instead of the legitimate user's.

The attack follows a consistent pattern. The attacker gathers personal information, often from data breaches or social engineering, and uses it to convince a carrier's support team to port the victim's number to a new SIM. Once the port completes, usually within minutes, the original SIM goes dead and the attacker has full control of the number.

From that point, any account that relies on SMS authentication is exposed. In fintech, the typical targets are accounts holding funds: crypto exchanges, neobank accounts, payment apps and lending platforms where a successful takeover converts directly to financial loss.

Where detection fits in the authentication flow

The most effective place to check for a recent SIM swap is immediately before sending an SMS OTP. At that point the information is still actionable: if a recent swap is detected, the OTP is not sent and the user is routed to a step-up verification channel. After the OTP is sent, the information is too late.

A secondary check point is at login when the user's phone number is known. A swap detected at login, combined with other risk signals such as a new device or unusual location, justifies additional friction before session access is granted.

Signals available to detect and contextualise a swap

Launching

SIM swap history

Direct carrier signal. Returns the timestamp of the most recent swap, or confirmation that no recent swap has occurred.

Live

Active status

Whether the number is currently reachable on the network. An inactive number is consistent with a port in progress.

Live

Carrier

The current network operator. A carrier change on an existing account is worth flagging, especially combined with other signals.

Live

Number type

Mobile, landline or VoIP. A number type change on an established account is unusual and worth reviewing.

Active status, carrier and number type are live today at $0.03 per query, no contract, no minimum spend. SIM swap detection is launching.

What to do when a swap is detected

A recent SIM swap is a risk signal, not a definitive fraud indicator. Legitimate users change SIMs when they get a new phone, travel internationally, or switch carrier. The response should be proportionate:

SIM swap detection: launching

Telebase is registering SIM swap data feeds with mobile network operators in GB, DE, NL and FR. The signal will return a simSwap value of SWAPPED, NO_SWAP, or UNKNOWN, plus a simSwapAt timestamp when a swap has been detected. The current API response returns UNKNOWN while carrier registration completes.

Early access: SIM swap detection is launching.

If you are building or reviewing account takeover controls and want to include a real-time SIM swap signal, get in touch to discuss early access.

Get early access