Closed mhfoo closed 8 months ago
I think we should include the eSIM scenarios in here just as well. In particular, what happens when the device is changed. I assume we see this as a SIM Swap as well?
I suggest that, for every listed scenario, we explicitly indicate at which step the MSISDN-IMSI association is changed.
Scenario 3: looks like many scenarios, not a single one.
Scenario 2: considering the fact that the MSISDN is the input for the API, how is this a SimSwap and how can this be used for an attack? Basically, this is one of many scenarios when the given MSISDN is not served any more, no new SIM card is associated with it,
Scenario 2 is indeed a change of phone number, not a SIM swap. Detection of a change of phone number can have its merits as well, but this can be a separate API. In the current Number Verify specification, you can already detect this based on the PCR you receive (Mobile Number has changed, PCR has remained the same).
We see the following use cases to be considered as SimSwap events:
1) "First time" assignment of an IMSI to the given MSISDN. This MSISDN could have been associated with another SIM earlier (can be used by another customer of the same MNO, or another MNO).
2) A new IMSI is assigned to the given MSISDN instead of the current one. This is the classical SimSwap attack vector.
3) An additional IMSI is associated with the given MSISDN (multi-SIM). This is not a "swap", but can still be used to get a copy of an OTP SMS (for example).
Do you see any scenarios which are not covered by these 3 actions?
Scenario 3: looks like many scenarios, not a single one.
Yes. Updated to mention a list of change SIM scenarios
Could it be defined as follows for physical SIM?
SIM Swap event is when a new relationship between IMSI and MSISDN is established, where the IMSI could be from the same MNO/MVNO or different MNO/MVNO.
Are there any cases where the MSISDN is assigned back to a previously associated IMSI?
SIM Swap event is when a new relationship between IMSI and MSISDN is established, where the IMSI could be from the same MNO/MVNO or different MNO/MVNO.
This sounds strange and assumes that an MNO has and proves information about the old IMSI associated with the MSISDN. If an MNO assigns an MSISDN to any SIM, it is reasonable to classify this as a SimSwap. The only "false positive" here would be when the given number has never even been used before, like really never-even.
SIM Swap event is when a new relationship between IMSI and MSISDN is established, where the IMSI could be from the same MNO/MVNO or different MNO/MVNO.
This sounds strange and assumes that an MNO has and proves information about the old IMSI associated with the MSISDN. If an MNO assigns an MSISDN to any SIM, it is reasonable to classify this as a SimSwap. The only "false positive" here would be when the given number has never even been used before, like really never-even.
1) Number recycling for prepaid number range (frozen for X period) and 2) Number port-in with pre-activated cards (pre-activated number will be returned to the frozen pool and then recycled)
my 5c:
It should be enough to define SIM Swap as an event when a new relationship between MSISDN and IMSI is established. MSISDN is the key here, therefore "MSISDN and IMSI", not the other way around.
The key factor is that the given MSISDN now "points" to another IMSI. Whether the IMSI is "from the same MNO/MVNO or different MNO/MVNO" is not important.
Closed, as documented by #82
Hi
I have some clarifications on the scenarios below. I believe Scenarios 1 and 3 are valid SIM Swap scenarios.
8< ------------------------------------------------------------ Scenario Context and prerequisites
Scenario 1: Mobile phone number port-in from donor operator to recipient operator.
Scenario 2: Change number scenario.
Scenario 3 List: Change SIM card scenario list, mobile phone number is not changed.
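
As an added example (not part of the thread or of the project's own code): a small Python model of the definition discussed above, keyed by MSISDN, that classifies the three actions listed in the thread and treats a released number with no new SIM as no swap event. The class, function and constant names, the integer timestamps and the sample MSISDN/IMSI values are assumptions constructed for illustration.

```python
"""Classify MSISDN -> IMSI association changes (constructed example)."""

FIRST, REPLACED, ADDITIONAL, NO_CHANGE = (
    "first_assignment", "imsi_replaced", "additional_imsi", "no_change")


class AssociationLog:
    """Keyed by MSISDN, as in the thread: the MSISDN 'points' to IMSIs."""

    def __init__(self):
        self.active = {}       # msisdn -> set of IMSIs currently associated
        self.last_change = {}  # msisdn -> timestamp of the latest swap event

    def assign(self, msisdn, imsi, ts, replace=True):
        """Associate imsi with msisdn at ts; replace=False models multi-SIM."""
        current = self.active.setdefault(msisdn, set())
        if imsi in current:
            return NO_CHANGE    # relationship already exists, nothing new
        if not current:
            kind = FIRST        # new, recycled or ported-in number
        elif replace:
            kind = REPLACED     # classic SIM swap, also covers "back to old IMSI"
            current.clear()
        else:
            kind = ADDITIONAL   # a second SIM would also receive OTP SMS
        current.add(imsi)
        self.last_change[msisdn] = ts
        return kind

    def release(self, msisdn):
        """Number no longer served and no new SIM: not a swap event."""
        self.active.pop(msisdn, None)

    def changed_since(self, msisdn, ts):
        """True if a new MSISDN-IMSI relationship was created after ts."""
        return self.last_change.get(msisdn, float("-inf")) > ts


def replay(events):
    """Feed (op, msisdn, imsi, ts, replace) tuples through a fresh log."""
    log, kinds = AssociationLog(), []
    for op, msisdn, imsi, ts, replace in events:
        if op == "assign":
            kinds.append(log.assign(msisdn, imsi, ts, replace))
        else:
            log.release(msisdn)
    return log, kinds


N = "+990000000001"  # constructed number, not a real subscriber
SAMPLE = [("assign", N, "imsi-A", 10, True), ("assign", N, "imsi-B", 20, True),
          ("assign", N, "imsi-C", 30, False), ("assign", N, "imsi-C", 35, False),
          ("release", N, None, 40, False), ("assign", N, "imsi-D", 50, True)]
```

A relying service would call `changed_since` with the time it last trusted the number; the check is deliberately independent of whether the new IMSI belongs to the same or a different MNO/MVNO.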