Author: Liron Golan

Mobile phone numbers have become central to securing access to financial services, underpinning authentication methods like SMS-based two-factor authentication (2FA), one-time passwords (OTPs), and phone number verification. However, this reliance has made them prime targets for sophisticated fraud, with SIM swap and mobile number portability attacks exposing vulnerabilities in traditional authentication models. The good news is, advances in network technology are leveling the playing field, allowing forward-thinking financial institutions to secure a safer future for their customers by leveraging standardized network APIs to combat these threats in real time.

The growing threat of SIM swap and portability fraud

SIM swap fraud occurs when a malicious actor convinces a mobile carrier to transfer a victim’s phone number to a SIM card they control. Similarly, mobile number portability fraud exploits rapid porting processes to reroute a number without the owner’s knowledge. Once successful, attackers intercept SMS and call traffic, including critical 2FA codes, gaining unauthorized access to bank accounts, government portals, and digital payment platforms.

The scale of this issue is alarming. According to Cifas’ 2025 Fraudscape report, the UK's primary fraud prevention service, SIM swap incidents surged by 1,055% in 2024—rising from 289 to nearly 3,000 cases—with estimated losses exceeding £5.35 million.

Picture1-ezgif.com-resize.png

Picture2.png

The United States has been identified as highly susceptible to fraud and emerging fraud techniques, making it critical for merchants and digital service providers to trust the authentication services used to secure customer accounts. However, a leading U.S. mobile operator faced a $33 million arbitration award in March 2025 after a cryptocurrency account was drained due to a SIM swap that bypassed basic security measures. Another incident saw a Bank of America customer lose $38,000 to a SIM swap in late 2024. While these losses are significant compared to typical account takeover fraud, they underscore the dangers of inadequate authentication processes. According to a recent Juniper Research report, the value of bank fraud in the U.S. is projected to rise from $2.5 billion in 2025 to $4.1 billion by 2029. Although less than 1 in 200 SIM swap attempts are currently flagged as fraudulent, the SIM card remains a critical component of a user’s digital identity. If unprotected, it represents a significant vulnerability for financial institutions.

Cybersecurity leaders are raising concerns.

Shaun Cooney, Chief Product and Technology Officer at Promon, noted, “The latest figures show a tenfold rise in SIM swap fraud cases over the past year. This uptick signals that attackers are exploiting the fundamental insecurity of SMS-based second factors.”

Kris Jackson, Director of Cybersecurity Engineering at BOK Financial, highlighted how number portability laws have created vulnerabilities, stating, “This created a gap for porting numbers using information gathered through data breaches or social engineering.”

These incidents underscore the severe impact on financial institutions, including financial losses, legal actions, regulatory penalties, and reputational damage. Once customer trust is eroded, the consequences can be long-lasting, with many users permanently abandoning services.
 

A paradigm shift: Leveraging network APIs

To counter this threat, financial institutions must move beyond app-layer authentication and integrate mobile network signals. CAMARA/GSMA, as well as proprietary APIs , securely provided by communication service providers (CSPs) and orchestrated through platforms like Nokia’s Network as Code, offer a transformative solution. Four key APIs stand out:

image.png

1. SIM Swap and Device Swap API: This API enables financial institutions to check whether a user’s SIM card has recently changed. If a high-risk transaction or login attempt occurs shortly after a SIM swap, the system can block the session, prompt additional verification, or pause the transaction for review, enabling proactive fraud prevention. Additionally, the Device Swap component detects changes in the relationship between a phone number, SIM card, and device, identifying potential unauthorized device associations to further enhance security.
2. Number Verification API: This API silently confirms whether a user controls the phone number linked to their account, eliminating reliance on SMS OTPs. By verifying ownership in the background using mobile network data, it reduces user friction and neutralizes SIM hijacking risks.
3. KYC Match API: This interface cross-verifies subscriber information held by the mobile operator—such as name, ID number, or device metadata—with the institution’s records. Mismatches during onboarding or account recovery can trigger flags or blocks, distinguishing legitimate users from impostors.
4. Device Location API: This API detects anomalies by providing real-time geospatial context from the mobile network, such as a login attempt from a distant location shortly after a SIM swap. It complements device fingerprinting and IP-based geolocation for enhanced assurance.
5. Call Forwarding Signal API: This API checks whether call forwarding is active on a user’s phone number. Fraudsters use this tactic to intercept calls and voice-based 2FA codes during SIM swap attacks. By identifying active call forwarding, financial institutions can flag suspicious activity, block transactions, or prompt alternative verification methods, preventing fraudsters from diverting critical communications.
    

The power of silent authentication

The real power of these APIs lies in their ability to enable silent authentication. Rather than forcing users through repeated friction-heavy flows, silent authentication uses passive signals—SIM swap status, location proximity—to verify identity in the background. This means that even if an attacker gains access to a user’s number, they will fail to replicate the full network signature required for authentication.

From a compliance perspective, this approach offers two major benefits. First, it strengthens adherence to regulatory expectations around strong customer authentication (SCA), fraud prevention, and secure digital identity practices. Regulatory frameworks such as PSD2 in Europe, FFIEC guidelines in the U.S., and the Bank of Israel’s evolving cybersecurity mandates emphasize layered security and the importance of contextual signals. Network APIs provide these signals in a standardized and privacy-preserving manner.

Second, they reduce reliance on legacy authentication methods like SMS OTPs, which are increasingly discouraged by regulators. While a full transition away from SMS is still in progress, augmenting it with network-level intelligence helps bridge the gap between convenience and security.
 

Regulatory and strategic imperatives

As SIM swap fraud escalates, regulators may mandate deeper integration with mobile network data to ensure robust digital identity assurance. Just as multi-factor authentication and secure onboarding became standard, requirements to monitor SIM swap events and verify device-network congruence could soon follow. Institutions adopting network APIs now can stay ahead of these mandates while meeting customer expectations for seamless, secure experiences.

From a compliance perspective, network APIs reduce reliance on outdated SMS OTPs, which regulators increasingly discourage. They also strengthen adherence to strong customer authentication (SCA) and fraud prevention standards, offering a privacy-preserving, standardized approach to identity verification.
 

Conclusion: A network-centric future for digital identity

SIM swap and portability fraud pose a strategic risk to the financial sector, threatening security and customer trust. By leveraging standardized network APIs available through platforms like Nokia Network as Code, financial institutions can detect identity compromises in real time, authenticate users securely and silently, and align with evolving regulatory expectations. Modern digital identity must incorporate the network layer to remain robust. Anything less falls short in today’s threat landscape.