camaraproject / SimSwap

Repository to describe, develop, document and test the Sim Swap API family
https://wiki.camaraproject.org/x/DgSeAQ
Apache License 2.0

Clarify valid SIM Swap scenarios #73

Closed mhfoo closed 8 months ago

mhfoo commented 10 months ago

Hi

I have some clarifications on the scenarios below. I believe Scenario 1 and 3 are valid SIM Swap scenarios.

8< ------------------------------------------------------------ Scenario Context and prerequisites

Scenario 1: Mobile phone number port-in from donor operator to recipient operator.

  1. Recipient operator performs new mobile service activation with new IMSI (SIM card) issued with temporary mobile number; performs a change number transaction to the port-in phone number at a later scheduled date.
  2. Invoking (using port-in phone number as input) CAMARA API on the recipient operator side; as routed by Telco Finder, based on which operator the phone number is active on.
  3. The mobile service on the donor operator will be terminated upon port-out.
  4. The temporary mobile phone number on the recipient operator will be replaced by the port-in phone number upon successful schedule port-in.

Scenario 2: Change number scenario.

  1. IMSI (SIM card) is not changed; the original mobile phone number is recycled back into the frozen pool for X duration.
  2. Original mobile phone number is no longer active at the mobile service level; the mobile phone number will not be allocated right away.
  3. IMSI (SIM card) will be associated with another mobile phone number.

Scenario 3 List: Change SIM card scenario list, mobile phone number is not changed.

HuubAppelboom commented 10 months ago

I think we should include the eSIM scenarios in here just as well. In particular, what happens when the device is changed. I assume we see this as a SIM Swap as well?

gregory1g commented 10 months ago

I suggest that for every listed scenario we explicitly indicate at which step the MSISDN-IMSI association is changed.

Scenario 3: looks like many scenarios, not a single one.

Scenario 2: considering the fact that MSISDN is the input for the API, how is this a SimSwap and how can this be used for an attack? Basically, this is one of many scenarios when a given MSISDN is not served any more, no new SIM card is associated with it,

HuubAppelboom commented 10 months ago

Scenario 2 is indeed a change of phone number, not a SIM swap. Detection of change of phone number can have its merits as well, but this can be a separate API. In the current Number Verify specification, you can already detect this based on the PCR you receive (Mobile Number has changed, PCR has remained the same).

gregory1g commented 10 months ago

We see the following use cases to be considered as a SimSwap event:

  1. "First time" assignment of IMSI to the given MSISDN. This MSISDN could have been associated with another SIM earlier (can be used by another customer of the same MNO, or another MNO).

  2. New IMSI is assigned to the given MSISDN instead of the current one. This is the classical SimSwap attack vector.

  3. Additional IMSI is associated to the given MSISDN (multi-sim). This is not a "swap", but still can be used to get a copy of OTP SMS (for example).

Do you see any scenarios which are not covered by these 3 actions?

mhfoo commented 10 months ago

Scenario 3: looks like many scenarios, not a single one.

Yes. Updated to mention a list of change SIM scenarios

mhfoo commented 10 months ago

#78 is a similar discussion.

Could it be defined as follows for physical SIM?

SIM Swap event is when a new relationship between IMSI and MSISDN is established, where the IMSI could be from the same MNO/MVNO or different MNO/MVNO.

Are there any cases where the MSISDN is assigned back to a previous associated IMSI?

gregory1g commented 10 months ago

SIM Swap event is when a new relationship between IMSI and MSISDN is established, where the IMSI could be from the same MNO/MVNO or different MNO/MVNO.

This sounds strange and assumes that an MNO has and proves information about the old IMSI associated with the MSISDN. If an MNO assigns an MSISDN to any SIM it is reasonable to classify that this is a SimSwap. The only "false positive" here would be when the given number has never even been used before, like really never-even.

mhfoo commented 10 months ago

SIM Swap event is when a new relationship between IMSI and MSISDN is established, where the IMSI could be from the same MNO/MVNO or different MNO/MVNO.

This sounds strange and assumes that an MNO has and proves information about the old IMSI associated with the MSISDN. If an MNO assigns an MSISDN to any SIM it is reasonable to classify that this is a SimSwap. The only "false positive" here would be when the given number has never even been used before, like really never-even.

1) Number recycling for prepaid number range (frozen for X period) and 2) Number port-in with pre-activated cards (pre-activated number will be returned to the frozen pool and then recycled)

gregory1g commented 10 months ago

my 5c:

It should be enough to define SIM Swap as an event when a new relationship between MSISDN and IMSI is established. MSISDN is the key here, therefore "MSISDN and IMSI", not the other way around.

The key factor is that the given MSISDN now "points" to another IMSI. Whether the IMSI is "from the same MNO/MVNO or different MNO/MVNO" is not important.
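To make the MSISDN-keyed definition above and the three SimSwap cases listed earlier in this thread (first assignment, new IMSI replacing the current one, additional IMSI) concrete, here is an added example detector, not code from the SimSwap project. It assumes an operator's provisioning history can be modelled as a log of "assign"/"release" events between an MSISDN and an IMSI; the event names, the MSISDN/IMSI values and the sample log are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class AssociationEvent:
    ts: datetime
    msisdn: str
    imsi: str
    action: str  # "assign": IMSI now serves the MSISDN; "release": it no longer does

class SimSwapDetector:
    """Keyed on MSISDN: a swap is any event that makes the number point to an IMSI it did not point to before."""
    def __init__(self):
        self.current = {}          # msisdn -> set of IMSIs currently serving it
        self.ever_served = set()   # msisdns that have had at least one IMSI
        self.swaps = []            # (ts, msisdn, kind)

    def apply(self, ev):
        imsis = self.current.setdefault(ev.msisdn, set())
        if ev.action == "release":
            # Scenario 2 (change of number): the MSISDN stops being served and goes to the
            # frozen pool, but no new IMSI is attached to it, so this is not a SIM swap.
            imsis.discard(ev.imsi)
            return None
        if ev.imsi in imsis:
            return None            # same IMSI re-provisioned: the relationship is unchanged
        if imsis:
            kind = "additional_imsi"   # case 3: multi-SIM, a second IMSI also receives the OTP SMS
        elif ev.msisdn in self.ever_served:
            kind = "new_imsi"          # case 2: the classical swap, a new IMSI replaces the old one
        else:
            kind = "first_assignment"  # case 1: never served before (the only possible false positive)
        imsis.add(ev.imsi)
        self.ever_served.add(ev.msisdn)
        self.swaps.append((ev.ts, ev.msisdn, kind))
        return kind

    def swapped_within(self, msisdn, now, max_age):
        """The check an application makes before trusting an SMS OTP: any swap within the last max_age?"""
        times = [ts for ts, m, _ in self.swaps if m == msisdn and ts <= now]
        return bool(times) and now - max(times) <= max_age

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_LOG = [  # constructed provisioning events, not real subscriber data
    AssociationEvent(T0, "+6591230001", "525010000000001", "assign"),
    AssociationEvent(T0 + timedelta(days=10), "+6591230001", "525010000000002", "assign"),
    AssociationEvent(T0 + timedelta(days=20), "+6591230001", "525010000000001", "release"),
    AssociationEvent(T0 + timedelta(days=20), "+6591230001", "525010000000002", "release"),
    AssociationEvent(T0 + timedelta(days=90), "+6591230001", "525010000000003", "assign"),
]

def run_sample():
    det = SimSwapDetector()
    return det, [det.apply(ev) for ev in SAMPLE_LOG]
```

Note that the two releases on day 20 (the number going back to the frozen pool) produce no swap event, while the reassignment on day 90 does, which is exactly the distinction between scenario 2 and a real swap drawn in this thread.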

mhfoo commented 8 months ago

Closed, as documented by #82