Physical SIM cards have been present in mobile technology since the beginning of the smartphone revolution. However, unlike phones of the past, Apple’s latest release, the iPhone 14 series, comes without a physical SIM slot. Instead, these handsets exclusively use embedded SIMs (eSIMs), which can’t be removed. This design change makes it easier for users to change providers, enables users to connect to more than one network, and allows for extra physical space on the phone to enhance the design.
However, as the SIM has traditionally been the gateway to any connected device, what does its removal mean for security? Account takeover, a form of identity theft involving hijacking a user's account, is an ongoing problem that rose by 90% in 2021. Could eSIMs be the answer to preventing threats posed by malicious actors?
In this article, we’ll examine the benefits and drawbacks of eSIMs from a security perspective and discuss why financial institutions must remain vigilant about the data-security threats that persist even with eSIMs.
In recent years, SIM swapping has become an increasingly prevalent fraud technique. SIM swapping involves cybercriminals tricking a mobile phone carrier into porting a genuine user’s phone number to the criminal’s device. They pretend to be the genuine user and claim that their device has been lost or damaged. When asked for identification, the criminal supplies genuine details about the user, often either stolen beforehand or bought on the dark web.
Once the cybercriminal has convinced the carrier to transfer the number, they will then be able to conduct account takeovers across any accounts linked to the compromised phone number.
With an eSIM, however, there is no physical SIM card, so a cybercriminal cannot plausibly claim that the SIM card has been lost or damaged, which negates the ability of criminals to carry out a SIM swap.
Apple’s iPhone 14 series has been seen as a key driver of eSIM adoption, following the US government’s push toward eSIMs. However, although enhanced data security is one of the main motivations for this switch, iPhones sold outside the US still feature a physical SIM card slot.
One of the most significant changes with the eSIM-enabled iPhones is that users must sign in to their Apple iCloud ID to activate the device. The logic behind this is that Apple iCloud passwords are more complex than standard Apple ID passwords, which makes them more resistant to brute-force attacks.
However, despite the increased strength of Apple iCloud passwords, any system that relies on a password (including those that use temporary one-time passwords, or OTPs) is still vulnerable. For example, Apple ID passwords can be leaked, breached, or phished from users through various email and keylogging scams.
As with all new technologies, it will take some time to understand the full scale of security vulnerabilities. This is because cybercriminals generally follow the path of least resistance, meaning it might only make economic sense to focus their attention on compromising eSIMs once they are more broadly adopted. In the UK, for example, the adoption of eSIMs has been somewhat slow, with only three major networks offering eSIMs without any caveats.
However, since Apple is the largest mobile phone manufacturer in the US, holding over half the market share, eSIM security will most likely be heavily tested in the coming months and years.
While eSIMs help negate SIM-swap attacks, embedded SIMs such as those found in the iPhone 14 still rely on typed Apple ID passwords and OTPs. For the highest level of security, organizations should use biometric security, which replaces access via typed passwords with access via biological features. When behavioral or biological characteristics are used for access control, data is at far less risk of being compromised.
Passwords are the biggest driver behind account takeovers, yet 64% of account takeover victims say that changing their password was the only action they took after experiencing an attack. By sticking with a typed password authentication method, users are keeping themselves vulnerable to further data breaches.
Here at Keyless, we don’t rely on SIMs to authenticate users and we don’t send OTPs anywhere because we know that one-time passwords can and will be compromised, no matter the method by which they’re delivered to the customer.
By combining our patented privacy-preserving facial biometrics with device verification software, we provide a multi-factor authentication solution that is resilient against malicious actors who use SIM swapping to capture OTPs sent to the user’s device or accounts.
Our passwordless verification method also offers straightforward yet effective biometric-based authentication for all users, allowing them to simply look into the camera for access, with no passwords, PINs, or OTPs required.
To chat with a member of our team and see our technology in action, book a demo here.