Q: What is phone verification?
A:
Phone verification is the process of checking the attributes of a phone number: its format (against regional, local and national numbering conventions), the phone type, whether the contract behind the number is valid and in good standing, information about the contract holder, and more.
Q: What is phone verification used for?
A:
Phone verification provides a variety of risk signals and verified attributes that raise the level of assurance in an end-user’s digital identity. Some common use cases include:
- Basic verification: determine that a phone number is syntactically correct, and is a legitimate standardized phone number
- Regional verification: determine that a phone number meets regional standards (if they exist)
- Phone types: determine if a number belongs to a landline, a VoIP service, a pay phone, a mobile phone or a prepaid (“burner”) phone
- Phone contract validity: determine if a phone contract is in good standing
- Phone contact information: determine end user contact information associated with the phone contract
- SIM swap detection: determine whether the SIM card associated with the number was changed (or the number was ported) within a recent window, typically the last 24, 48 or 72 hours
- Proof of possession: determine that the end-user has the phone in their possession
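The first two use cases above (basic and regional verification) are the part of phone verification that can be done without a carrier. The following is an added example, not code from the original page: it normalises user input to E.164 and then applies a regional check against a small country-code table. The table, the length rules, the lower length bound and the NANP area-code rule are simplified assumptions made for the example; a production check loads the full ITU-T E.164 assignments and per-region numbering plans.

```python
import re
from dataclasses import dataclass

# Constructed, deliberately small subset of the ITU-T E.164 country-code
# assignments: country code -> (region label, allowed national-number lengths).
# A production check would load the full assignment list and per-region
# numbering plans instead of this hand-written table.
COUNTRY_CODES = {
    "1":   ("NANP", {10}),               # US/Canada: 3-digit area code + 7 digits
    "33":  ("FR",   {9}),                # France
    "44":  ("GB",   {10}),               # UK (simplified: most numbers are 10 digits after +44)
    "49":  ("DE",   set(range(5, 14))),  # Germany uses variable-length numbers
    "353": ("IE",   set(range(7, 10))),  # Ireland
}

_TRUNK_ZERO = re.compile(r"\(0\)")   # "+44 (0)7700 900123": the bracketed trunk zero is not part of E.164
_NOISE = re.compile(r"[^\d+]")       # spaces, dashes, dots, parentheses


class PhoneFormatError(ValueError):
    """Raised when a number fails basic or regional verification."""


@dataclass(frozen=True)
class VerifiedNumber:
    e164: str
    country_code: str
    region: str
    national_number: str


def normalize_e164(raw: str) -> str:
    """Reduce user input to '+<digits>' or raise PhoneFormatError.

    '+' and the international '00' prefix are accepted.  A number typed with
    no international prefix is rejected rather than guessed: silently assuming
    a default region is how a US number ends up filed as a UK one.
    """
    s = _NOISE.sub("", _TRUNK_ZERO.sub("", raw.strip()))
    if s.startswith("+"):
        digits = s[1:]
    elif s.startswith("00"):
        digits = s[2:]
    else:
        raise PhoneFormatError("missing international prefix (+ or 00)")
    if not digits.isdigit():                     # catches a stray second '+'
        raise PhoneFormatError("unexpected characters")
    if digits.startswith("0"):
        raise PhoneFormatError("country code cannot start with 0")
    # E.164 caps a number at 15 digits; the lower bound is a sanity floor
    # chosen for this example, not an ITU rule.
    if not 7 <= len(digits) <= 15:
        raise PhoneFormatError("length outside E.164 bounds")
    return "+" + digits


def verify_region(e164: str) -> VerifiedNumber:
    """Split a normalised number into country code and national number and
    apply the regional rules from the table above."""
    digits = e164[1:]
    for width in (3, 2, 1):                      # country codes are 1-3 digits; longest match first
        cc = digits[:width]
        if cc not in COUNTRY_CODES:
            continue
        region, lengths = COUNTRY_CODES[cc]
        national = digits[width:]
        if len(national) not in lengths:
            raise PhoneFormatError(f"{region}: national number of {len(national)} digits not allowed")
        if cc == "1" and (national[0] in "01" or national[3] in "01"):
            # NANP rule: area code and exchange code must begin with 2-9.
            raise PhoneFormatError("NANP: area or exchange code cannot start with 0 or 1")
        return VerifiedNumber(e164, cc, region, national)
    raise PhoneFormatError("unknown country calling code")


def verify(raw: str) -> VerifiedNumber:
    """Basic (syntax) verification followed by regional verification."""
    return verify_region(normalize_e164(raw))


def is_valid(raw: str) -> bool:
    try:
        verify(raw)
        return True
    except PhoneFormatError:
        return False


if __name__ == "__main__":
    for sample in ["+1 (415) 555-0134", "+44 (0)7700 900123", "0033 6 12 34 56 78",
                   "415-555-0134", "+1 015 555 0134", "+999 123456"]:
        try:
            print(sample, "->", verify(sample))
        except PhoneFormatError as err:
            print(sample, "-> rejected:", err)
```

Two design choices are worth noting. Input without an international prefix is rejected rather than assigned to a default region, because a silently wrong region produces a “valid” number that never reaches the user. And normalisation is separated from the regional check so that the E.164 string, not the raw user input, is what gets stored and later passed to a carrier lookup.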
Q: What is a SIM swap attack?
A:
SIM swap attacks, also known as SIM splitting, SIM jacking or SIM hijacking, abuse a legitimate carrier process: the one that lets a customer who has lost their phone, or bought a new one, keep their existing phone number on a new SIM. The attacker convinces the carrier (through social engineering, an insider, or a compromised support account) to move the victim’s number to a SIM the attacker controls.
The primary objective of a SIM swap attack is to gain control of the end-user’s mobile number so the attacker can send and receive calls and messages on the user’s behalf. This enables account takeover through account recovery workflows, customer support phishing and other masquerading attacks.
When an attacker succeeds, the victim’s number is activated on the attacker’s SIM and the victim’s own SIM stops working, because a number can be active on only one SIM at a time. End-users commonly notice the attack through changes or limitations in phone functionality, including:
- Inability to send or receive texts, make phone calls, or use mobile data. The phone loses service, typically shown as no signal bars or a cross through them.
- A confirmation message from the carrier that the phone number has been activated on a new device. If the end-user did not request the change, that message is itself the alarm.
Q: What is the impact of a successful SIM swap attack?
A:
A successful SIM swap attack can result in many different outcomes:
- Financial loss: financial resources are always the highest-priority targets for attackers. A successful SIM swap lets the attacker masquerade as the legitimate owner of the phone number and attempt financial transactions on the end-user’s behalf.
- Account lockout: After a successful SIM swap attack, the attacker will likely attempt to change account passwords using legitimate account recovery workflows. Since the attacker has access to a working phone number, they can receive any SMS messages related to two-factor authentication, or other account recovery communications, making it possible to respond to account recovery messages.
- Malicious account activity: once an attacker has taken over an account through recovery, they gain access to a variety of services from which to carry out further malicious activity. A common scenario involves a compromised social media account that sends phishing links to all of its contacts in an effort to deceive additional individuals.
- Platform bans: malicious activity using a stolen platform account often results in bans as platform providers mitigate the impacts of malicious account activity in their networks.
- Friends & Family Spear Phishing: after a successful SIM swap attack (and/or resulting cascading account takeovers) attackers can target friends and family members with spear phishing attacks in an attempt to takeover more accounts.
- Stalking: attackers use SIM swap attacks to intercept messages for the purpose of compromising the physical safety of the legitimate end-user or a member of their friends and family network.
Q: Can a phone be used as an MFA?
A:
Yes, but care must be taken to ensure that the MFA channel is private and secure. Phone-based MFA workflows send the end-user an SMS containing a numeric or alphanumeric one-time password (OTP), or a “magic link” that the user opens in their browser (also known as the “user agent”) to reach a hosted page where they complete a task. Successful validation of the OTP or magic link implies that the end-user possesses the phone number, more precisely whatever SIM the carrier currently routes that number to, and that possession can serve as the “something you have” component of the authentication factor triad (something you have, something you are, something you know).
However, it is important to note that a phone-based OTP or magic link can be subverted if the provider does not perform SIM swap detection before sending it: after a swap, the attacker’s SIM receives the message. SIM swap detection closes that path but not others. An OTP can still be phished from the user in real time, and NIST SP 800-63B classifies OTPs delivered over the public switched telephone network as a “restricted” authenticator. Where a phishing-resistant factor such as FIDO2/WebAuthn is available, prefer it and keep the phone as a secondary signal.
Q: Can a phone be used for account recovery?
A:
Yes, a phone can be used as an MFA factor to add assurance to account recovery workflows, subject to the same caution as above: the channel must be private and secure, and a phone-based OTP or magic link can be subverted if the provider does not perform SIM swap detection before sending it.
Account recovery deserves extra care because it is exactly the workflow a SIM swap attacker is aiming for. Without SIM swap detection, phone-based MFA for account recovery does not mitigate the recovery path the attacker controls, and should be avoided; with it, the check must run before the message is sent, and a recent swap should trigger a step-up to a non-phone factor or a cooling-off period rather than a fallback to SMS.
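The two answers above (phone as an MFA factor, and phone in account recovery) describe the same procedure: check the SIM-swap signal, and only then issue an OTP that is bound to the authenticated user, short-lived, single-use and attempt-limited. The following is an added example of that procedure, not code from the original page. The carrier SIM-swap signal is a constructed stub (a dictionary of last-change timestamps), the clock is a fixed constant, the 72-hour window, 5-minute TTL and 3-attempt limit are choices made for the example, and the server-side pepper would in practice come from a secret store rather than be generated at import time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Policy constants. The window matches the 24/48/72-hour options listed earlier
# on the page; 72 h and the other two values are choices made for this example.
SIM_SWAP_WINDOW_S = 72 * 3600
OTP_TTL_S = 5 * 60
MAX_ATTEMPTS = 3

# Server-side secret mixed into every stored digest so that a leaked OTP table
# cannot be brute-forced offline (a bare 6-digit code is only 10**6 guesses).
# Assumption: in production this comes from a KMS or secret store.
SERVER_PEPPER = secrets.token_bytes(32)

# Constructed stand-in for a carrier / aggregator SIM-swap signal:
# phone -> unix time of the last SIM change. A missing key means no record.
NOW = 1_700_000_000
SIM_CHANGES = {
    "+14155550134": NOW - 2 * 3600,          # swapped two hours ago
    "+447700900123": NOW - 30 * 24 * 3600,   # swapped a month ago
}


@dataclass
class OtpRecord:
    code_hash: bytes
    expires_at: int
    attempts: int = 0


class OtpService:
    """Issues and verifies phone OTPs for an already-authenticated user."""

    def __init__(self, sim_change_lookup, send_sms):
        self._last_change = sim_change_lookup   # phone -> timestamp or None
        self._send = send_sms                   # (phone, message) -> None
        self._pending = {}                      # (user_id, phone) -> OtpRecord

    @staticmethod
    def _digest(user_id: str, phone: str, code: str) -> bytes:
        # Binding user and phone into the digest means a code issued for one
        # (user, phone) pair cannot be replayed against another.
        msg = f"{user_id}|{phone}|{code}".encode()
        return hmac.new(SERVER_PEPPER, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, phone: str, now: int) -> str:
        """Consult the SIM-swap signal *before* anything is sent."""
        last = self._last_change(phone)
        if last is not None and now - last < SIM_SWAP_WINDOW_S:
            # Do not fall back to SMS here: the caller should step up to a
            # non-phone factor or impose a cooling-off period.
            return "sim_swap_detected"
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user_id, phone)] = OtpRecord(
            self._digest(user_id, phone, code), now + OTP_TTL_S)
        self._send(phone, f"Your verification code is {code}")
        return "sent"

    def verify(self, user_id: str, phone: str, code: str, now: int) -> str:
        key = (user_id, phone)
        rec = self._pending.get(key)
        if rec is None:
            return "no_pending"
        if now > rec.expires_at:
            del self._pending[key]
            return "expired"
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[key]               # too many guesses: the code is burned
            return "locked"
        if hmac.compare_digest(rec.code_hash, self._digest(user_id, phone, code)):
            del self._pending[key]               # single use
            return "ok"
        return "wrong_code"


if __name__ == "__main__":
    outbox = []
    svc = OtpService(SIM_CHANGES.get, lambda phone, msg: outbox.append((phone, msg)))
    print(svc.issue("alice", "+14155550134", NOW))            # sim_swap_detected, nothing sent
    print(svc.issue("alice", "+447700900123", NOW))           # sent
    code = outbox[-1][1].split()[-1]
    print(svc.verify("mallory", "+447700900123", code, NOW))  # no_pending: bound to alice
    print(svc.verify("alice", "+447700900123", code, NOW))    # ok
```

The `user_id` passed to `issue` and `verify` is the identity of the already-authenticated session, which is what binds the phone check to a person rather than to whichever client happens to hold the API credentials. The attempt counter, not the hash, is the control that matters against online guessing; the pepper only makes a copied table useless.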
Q: Can phone verification be abused?
A:
Yes. Implementing phone verification comes with some risk. Attackers use real-time phone verification systems to look up many phone numbers in bulk, either to collect private end-user information returned by the lookup (contract holder details, phone type, carrier) or to farm a list of working phone numbers for later abuse. The usual controls are to only perform lookups on behalf of an authenticated end-user, to rate-limit per user, per calling service and per target number, and to return only the coarse result the caller needs rather than the full carrier record.
Q: How does Nimble SA improve on phone verification?
A:
Typically, phone verification is used to determine the validity of a phone number by itself. That is, the phone number is passed to a machine-to-machine (M2M) API as a text string, processed and verified, and the resulting data is stored in a database or user store of some type. Nimble SA improves on this workflow in multiple ways:
- Identity linking: since phone numbers are often verified using an API, the verification provider can only authenticate the M2M service that made the API request, usually using a client ID/secret pair to authenticate the server. This does not actually verify the identity of the end user. Nimble SA performs phone verification within an authenticated workflow to ensure that both the M2M identity of the verification caller, AND the user that initiated the phone verification are authenticated together.
- Secure phone number collection: attackers attempt to use phone verification services to verify phone numbers in bulk in an effort to skim PII from phone carriers. Mitigating such mass verification attacks requires collecting, parsing and recording repeated verification attempts, which is itself work and risk for the relying party. Nimble SA provides secure phone number collection with load balancing, exponential backoff and retry limits.
- Phone number changes: there are several legitimate reasons that an end-user may need to change their phone number. Nimble SA provides verification and re-verification to support users that need to update and reverify their phones.
- Privacy & Consent: comprehensive phone verification requires that end-users consent to collection of phone data or delivery of messages. Nimble SA provides consent management capabilities that allow the user to consent or even opt-out from phone validation services.
- Data tokenization: phone verification results in the collection of sensitive personal information that must be protected from unauthorized access. Nimble SA can integrate with multiple data tokenization services so that PII is replaced by tokens and stored securely, and can be securely recalled and de-tokenized when needed.
- Abuse prevention: Nimble SA has developed highly reliable, secure, scalable and customizable relying party infrastructure that is designed to enable end-user phone verification while simplifying consent management, mitigating the risk of service abuse and simplifying re-verification over time.

