Virtual SIM Cards: What They Are & How Fraudsters Use Them
by Tamas Kadar
2FA (2 factor authentication) and OTP (one time passwords) are so common these days that app developers are increasingly letting your phone fill them in for you automatically.
After all, if the user receives the message, they must indeed be the rightful device owner of whatever account needs the extra verification step. Why create extra friction and frustration by forcing them to input the code manually?
But what if the phone number that received the code isn’t legit in the first place? Doesn’t that defeat the whole purpose of multi-factor authentication?
As we’ll see in this post, obtaining disposable numbers and SIM cards isn’t hard at all. And that has serious implications for the security of your Internet business.
What Is a Virtual SIM Card?
A virtual SIM card, also known as an e-SIM, is a cloud-based phone number. It allows users to make calls and receive messages using data without the need for a physical SIM card.
Standard SIM cards are physical objects you must order from your phone network operator in order to access its services. However, a growing number of operators are now issuing virtual SIM cards instead.
One key advantage, for instance, is to allow users to make calls from the same phone number even when they are traveling abroad – without the need to change their location with a mobile network provider. Virtual SIM cards also allow users to have multiple phone numbers accessible from the same device.
How Do Virtual SIM Cards Work?
There are a few ways to use a virtual SIM card:
- Download an eSIM app on your phone: just sign up for an online service that gives you a phone number. The number can be temporary, and such apps are often referred to as burner apps, after burner phones (disposable phones).
- Use a phone that supports virtual SIM cards: some network providers offer official eSIMs. If your phone supports it, it’s only a matter of scanning a QR code or downloading the official carrier app for your region.
Note that while most phones require a physical SIM card to make calls, an increasing number of manufacturers are enabling support for virtual SIM cards. iPhones, for instance, have supported virtual SIMs since the iPhone 11.
Virtual SIM Cards, 2FA and OTP
Unfortunately, the majority of use cases for virtual SIM cards seem to be fraudulent in nature. This is because of the reliance on 2FA (2 Factor Authentication) and OTP (One-Time Passwords).
Both these technologies are designed to authenticate users by confirming they own a certain device or a phone number.
And according to Google’s own research, it works: adding a recovery phone number to an account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.
The problem? Fraudsters are now finding ways around these authentication methods.
4 Ways to Bypass Phone Authentication
Every time a new security technology is deployed, fraudsters find several ways to bypass it. Phone verification is no different. Here is how fraudsters work around that kind of authentication.
1. Disposable Phone Number Services
Phone verification isn’t just used for authentication these days. It’s increasingly part of the standard account creation process. In theory, linking a phone number to a new account helps complete a piece of the customer profile.
But what happens when the user doesn’t have a phone or doesn’t want to use their real number? And more worryingly, what happens when a user is creating a profile based on a fake ID or synthetic ID?
They have plenty of solutions, and the first one is to do a quick online search for disposable, or temporary phone numbers.
Some of these online services are free, while others operate under a pay-as-you-go model, where you buy credit (usually via cryptocurrencies).
The service receives the confirmation SMS for you and lets you create a new account in seconds, with a non-official phone number, all for the very affordable price of $0.1 – 0.5 per message.
2. Burner Apps and eSIMs
What if you want to receive confirmation SMS on numerous numbers without leaving your actual smartphone? That is also possible, thanks to burner apps.
Named after “burner phones”, or disposable mobile phones used in the drug trade, these apps allow anyone to benefit from a second line for private calls, texting, and pictures.
Sold under the pretense of protecting your real number (for privacy reasons), we also know that these apps are quickly becoming tools of the trade for fraudsters who want to create multiple accounts. And multi-accounting usually means bonus abuse, fake reviews or payment fraud.
Similarly, a quick search of the App Store or Play Store will reveal dozens of eSIM services, which give you multiple accounts for VOIP and SMS. Each account comes with its own profile, perfect for easy multi-accounting and identity fraud.
3. SIM Jacking
Without a doubt, the most worrying consequence of an increase in phone verification is that fraudsters will now attempt to hijack the original number.
The process isn’t easy, but the success rate is frightening. In fact, even Jack Dorsey, CEO of Twitter, fell victim to what is called SIM jacking, or a SIM swap attack. Here’s how it works:
- Fraudsters obtain a phone with a number they control
- They find their victim’s phone number
- They call the network company and convince the operator to change the victim’s number to theirs. (More organised criminals have been known to pay staff at the phone company to help.)
- All the verification SMS for 2FA and OTP are now under their control. They can begin resetting passwords for social media accounts or bank accounts.
The consequences of SIM swapping attacks cover a wide range. At the lighter end, pranksters just want to show off their hacking skills. Others use it to take hold of valuable Instagram handles.
But of course, the end goal of organized criminals is to access digital wallets or financial details and to drain the accounts of money.
4. SS7 Hacking
One of the most sophisticated types of attacks we’ve detected in recent years involved SS7 hacks. These technical methods exploit a vulnerability that allows the fraudsters to receive calls and SMS for a subscriber on another phone.
As you can imagine, this opens the door to endless phishing and social engineering attacks. Combined with advances in audio deep fakes, it should be enough for an organization to be extra vigilant about confirming anything via phone call or SMS.
How to Detect Fake Phone Numbers and Fake SIM Cards
It should now be clear that checking a phone number isn’t enough to guarantee your users’ identity. But what about hidden metadata that can be gathered via enrichment?
This is exactly what SEON lets you verify, using a number of features:
- CNAM, or Caller Name Delivery: this check is requested from the telephone company. It lets us compare the subscriber’s full name with the caller ID. We can already begin flagging mismatched data here.
- HLR, or Home Location Register: this check lets us access more data linked to the phone subscriber, as logged in a central database. We can check the carrier name, whether the phone has been routed, and if the phone number is virtual.
- IMSI and MSISDN lookup: the International Mobile Subscriber Identity and the Mobile Station International Subscriber Directory Number are also useful identifiers to look up. If two users share the same one, it points to a virtual SIM.
It’s worth noting at this stage that virtual and cloud SIM carriers do not even allow an HLR lookup. This is probably the strongest indicator that your tool is working.
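The three checks above can be combined into per-signup review signals, as in this added example (not SEON's code or API). The record fields `hlr_ok`, `line_type`, `cnam` and `imsi`, the signal names and the sample data are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed lookup results; field names are hypothetical. IMSIs use the 001/01 test prefix.
SIGNUPS = [
    {"user": "u1", "claimed_name": "Anna Kovacs", "cnam": "KOVACS ANNA",
     "hlr_ok": True, "line_type": "mobile", "imsi": "001010000000001"},
    {"user": "u2", "claimed_name": "John Smith", "cnam": "M RIVERA",
     "hlr_ok": True, "line_type": "mobile", "imsi": "001010000000002"},
    {"user": "u3", "claimed_name": "Lee Wong", "cnam": None,
     "hlr_ok": False, "line_type": None, "imsi": None},
    {"user": "u4", "claimed_name": "Eva Novak", "cnam": "EVA NOVAK",
     "hlr_ok": True, "line_type": "voip", "imsi": "001010000000009"},
    {"user": "u5", "claimed_name": "Eva Nowak", "cnam": "EVA NOVAK",
     "hlr_ok": True, "line_type": "voip", "imsi": "001010000000009"},
]

def name_tokens(name):
    # Words of two or more letters, lower-cased; word order and initials are ignored.
    return set(re.findall(r"[^\W\d_]{2,}", (name or "").lower()))

def cnam_mismatch(claimed, cnam):
    # True only when CNAM data exists and shares no word with the claimed name.
    return bool(cnam) and not (name_tokens(claimed) & name_tokens(cnam))

def shared_imsis(records):
    # IMSIs that appear under more than one user account.
    users = defaultdict(set)
    for r in records:
        if r["imsi"]:
            users[r["imsi"]].add(r["user"])
    return {imsi for imsi, seen in users.items() if len(seen) > 1}

def phone_signals(record, shared):
    # Signals raise suspicion for review; none of them is a fraud verdict on its own.
    signals = []
    if not record["hlr_ok"]:
        signals.append("hlr_unavailable")
    if record["line_type"] == "voip":
        signals.append("virtual_number")
    if cnam_mismatch(record["claimed_name"], record["cnam"]):
        signals.append("cnam_mismatch")
    if record["imsi"] in shared:
        signals.append("shared_imsi")
    return signals

def review_queue(records):
    shared = shared_imsis(records)
    return {r["user"]: s for r in records if (s := phone_signals(r, shared))}
```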
Try our demo for a set of full features such as:
- Is it a real number?
- Country of carrier?
- Carrier type: Is it a mobile or landline number?
- Social media accounts: What social profiles are connected, e.g. Facebook, Instagram, Twitter
- Messenger data: What messenger apps are connected, e.g. WhatsApp, Viber, Telegram
Combining Phone Analysis With Reverse Social Media Lookup
The magic bullet when it comes to verifying user info based on a phone number only is social media and messenger lookup.
And SEON is the only fraud detection software that allows you to check 50+ social media networks and messenger apps to find info such as:
- Whether the user has registered to social media sites: in some industries, such as online lending, we found that 76% of users without a social presence would default on their loan. SEON can check up to 50+ social networks including LinkedIn, Twitter, Facebook and many others.
- User bio and gravatar: if you want to go in-depth with your KYC, social media lookup can give you an idea of who your customer is, and what they look like.
- Last time seen: useful for manual review, to confirm whether our user’s messenger profiles are actually in use or just dummy / abandoned accounts.
All this extra data helps build a more complete profile, based on a phone number alone.
SEON Phone Analysis for the Lending Industry
Analyzing a user’s given phone number can point to whether they use a real one or not. But it’s not enough to flag them as fraudsters, only to raise suspicion. Which is why phone analysis is especially useful as an extra data enrichment, combined with email and IP analysis.
This is exactly how one of our clients, a P2P lending platform, leverages SEON for phone analysis. Performed via API, this real-time check feeds their credit scoring and helps them decide whether applicants are trustworthy borrowers or should be avoided.
For more information about how phone analysis helps them save on manual review costs, you can read the case study here.
Virtual SIM Card Detection And You
Phone numbers are increasingly used as verification methods, and extra data points for KYC or credit checks. The problem? They are also easier than ever to spoof.
The good news is that SIM swap protection and virtual SIM card detection are fast, affordable and effective thanks to CNAM lookup and HLR lookup tools, all available with SEON’s Intelligence phone analysis module.
Combined with other data enrichment modules from our anti-fraud suite, or integrated into our full end-to-end fraud detection platform, we’re giving you all the tools to protect your business and your users.
Frequently Asked Questions About Virtual SIM Card Detection
Fraudsters use virtual SIM cards to receive OTP and 2FA messages without linking their phone numbers to an identity. It allows them to commit ID fraud, transaction fraud, and even account takeover attacks.
Using a phone analysis tool, you can immediately know if the phone number is from a legitimate carrier or a third-party app. The latter doesn’t always mean it’s fraud, but it should increase your suspicions that someone is trying to hide something.
Fraudsters who want to bypass phone verification and authentication can either use fake phone numbers, stolen phone numbers, or virtual SIM cards and eSIMs. This allows them to receive SMS and phone calls without tying the number to someone’s name.
Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.