Account Takeover Prevention
SIM swap detection for account takeover prevention
Account takeover via SIM swap works by transferring a victim's phone number to an attacker-controlled SIM, then using SMS authentication to access their account. Real-time SIM swap detection intercepts this attack at the authentication step, before the attacker gains entry. Telebase is launching a SIM swap detection signal for this use case. Early access is available now.
How SIM swap enables account takeover
SMS-based authentication is widespread because it is convenient and cheap. Its weakness is the phone number itself. If an attacker can take control of a number, they inherit every authentication factor tied to it: password reset links, OTPs, transaction confirmations, and account recovery codes all arrive on the attacker's device instead of the legitimate user's.
The attack follows a consistent pattern. The attacker gathers personal information, often from data breaches or social engineering, and uses it to convince a carrier's support team to port the victim's number to a new SIM. Once the port completes, usually within minutes, the original SIM goes dead and the attacker has full control of the number.
From that point, any account that relies on SMS authentication is exposed. In fintech, the typical targets are accounts holding funds: crypto exchanges, neobank accounts, payment apps and lending platforms where a successful takeover converts directly to financial loss.
Where detection fits in the authentication flow
The most effective place to check for a recent SIM swap is immediately before sending an SMS OTP. At that point the information is still actionable: if a recent swap is detected, the OTP is not sent and the user is routed to a step-up verification channel. After the OTP is sent, the information is too late.
A secondary check point is at login when the user's phone number is known. A swap detected at login, combined with other risk signals such as a new device or unusual location, justifies additional friction before session access is granted.
Signals available to detect and contextualise a swap
SIM swap history
Direct carrier signal. Returns the timestamp of the most recent swap, or confirmation that no recent swap has occurred.
Active status
Whether the number is currently reachable on the network. An inactive number is consistent with a port in progress.
Carrier
The current network operator. A carrier change on an existing account is worth flagging, especially combined with other signals.
Number type
Mobile, landline or VoIP. A number type change on an established account is unusual and worth reviewing.
Active status, carrier and number type are live today at $0.03 per query, no contract, no minimum spend. SIM swap detection is launching.
What to do when a swap is detected
A recent SIM swap is a risk signal, not a definitive fraud indicator. Legitimate users change SIMs when they get a new phone, travel internationally, or switch carrier. The response should be proportionate:
- Do not send the OTP. Route the user through an alternative verification channel such as biometric confirmation, a video call, or document re-submission.
- Log the event with the swap timestamp from the API response. Recency matters: a swap in the last 24 hours carries more weight than one from last week.
- Combine with device signals. A SIM swap plus a new device fingerprint plus an unusual login location is a materially stronger signal than any one of them alone.
- Allow the user a path to recover. A legitimate user who has genuinely just changed SIM should be able to verify themselves through another channel without being permanently blocked.
SIM swap detection: launching
Telebase is registering SIM swap data feeds with mobile network operators in GB, DE, NL and FR. The signal will return a simSwap value of SWAPPED, NO_SWAP, or UNKNOWN, plus a simSwapAt timestamp when a swap has been detected. The current API response returns UNKNOWN while carrier registration completes.