The anatomy of the Nigerian SIM swap
The attack does not require advanced hacking skills. It relies entirely on social engineering and insider threats at the telecom level. A fraud syndicate identifies a high-net-worth individual, gathers their basic OSINT data (DOB, mother's maiden name), and bribes a rogue telco agent to port the victim's phone number to a new SIM card.
Once the SIM is active, the attacker downloads your fintech app. They click "Forgot Password." Your app dutifully sends a 6-digit SMS OTP to the phone number. The attacker receives it, resets the password, and drains the account. The victim, meanwhile, only notices their phone says "No Service."
Why standard defenses fail
Many engineering teams implement defenses that sound logical but fail under active exploitation.
The "Complex Password" Fallacy
Forcing users to have a 12-character password with special symbols is useless if the attacker can bypass it entirely by clicking "Forgot Password" and receiving an SMS OTP.
The "Transaction PIN" Bypass
Many apps require a 4-digit PIN to authorize a transfer. However, attackers know that users forget PINs. If your app allows a user to reset their transaction PIN using only an SMS OTP, the PIN provides zero security against a SIM swap.
Email OTP as a Backup
Sending an OTP to the user's email assumes the email is secure. In reality, most users use their phone number to recover their Gmail account. A SIM swap often leads immediately to an email account takeover.
Architecting true SIM Swap resilience
To defend against SIM swapping, you must break the assumption that "Possession of the Phone Number = Possession of the Identity."
1. The "Last SIM Swap Date" API
This is the most critical technical defense. Integrate with telecom aggregator APIs that provide SIM registry metadata. Before processing a password reset, a new device login, or a high-value transfer, query the API: "When was this SIM card last swapped?"
If the API returns a timestamp within the last 48 to 72 hours, automatically freeze the request. Force the user to verify their identity through an out-of-band channel, such as a live video liveness check or visiting a physical branch.
2. Cryptographic Device Binding (Device Fingerprinting)
When a legitimate user logs in, cryptographically bind their session to the physical hardware of the device (using Android Keystore or iOS Secure Enclave). When the attacker downloads the app on their new device and enters the SMS OTP, your backend should recognize that the hardware fingerprint has changed.
A change in both the SIM card (detected via API) and the device hardware simultaneously is a massive red flag that should trigger an immediate account lockdown.
3. Knowledge-Based Authentication (KBA) for Resets
If a user wants to reset their transaction PIN, SMS OTP is not enough. Require a piece of data the attacker cannot easily obtain from the SIM card. Ask for the last 4 digits of the physical ATM card attached to the account, or require them to input their full BVN.
Are you confident your app can survive a targeted SIM swap attack?
Book a Mobile App PentestHow Simpa Labs tests your defenses
During a mobile application penetration test, we actively evaluate your business logic against SIM swap scenarios. We do not need to bribe a telco agent; we simply assume the role of an attacker who has already obtained the OTP.
- Password Reset Flow Auditing: We intercept the "Forgot Password" API calls. Can we reset the password using only an SMS OTP, or does the backend enforce secondary verification?
- PIN Bypass Testing: We attempt to reset the transaction PIN. Can we bypass the requirement to enter the old PIN? Can we brute-force the KBA questions?
- Device Unbinding Attacks: We analyze how your app handles session tokens when logging in from a completely new device. Can we replay a session token from an old device to bypass the hardware binding checks?
- API Logic Flaws: If you use a "Last SIM Swap Date" API, we test if your application fails "open" or fails "closed." If the telco API is down and returns a 500 error, does your app allow the password reset to proceed anyway? (It should fail closed).
Move toward Hardware Keys (FIDO2)
The ultimate defense against both SIM swapping and phishing is abandoning SMS OTPs entirely in favor of WebAuthn/FIDO2 standard device biometrics (FaceID/Fingerprint) or physical security keys. Nigerian fintechs targeting high-net-worth individuals or B2B corporate treasuries must make this transition to remain secure.
Frequently asked questions
How does a SIM swap attack actually work?
An attacker tricks or bribes a telecommunications employee into transferring the victim's phone number to a blank SIM card controlled by the attacker. The victim's phone loses service, and the attacker immediately starts receiving the victim's SMS OTPs and phone calls.
Why does SMS OTP fail to prevent SIM swap fraud?
SMS OTP assumes that the person holding the phone number is the legitimate user. Once the SIM is swapped, the attacker controls the number. If your application relies solely on SMS OTP for password resets or transaction approvals, the attacker will effortlessly bypass your security.
How can fintechs detect if a SIM has been swapped?
Fintechs must integrate with specialized telecom APIs (often provided by NIBSS or aggregators like Dojah/Smile Identity) that return a 'Last SIM Swap Date'. Before authorizing a high-risk transaction or password reset, the app checks this API. If the SIM was swapped recently (e.g., within 48 hours), the transaction is blocked.
How do security engineers test for SIM swap resilience?
During an assessment, pentesters do not perform a literal SIM swap. Instead, they act as an attacker who already controls the victim's phone number. They attempt to reset the password, bypass the transaction PIN using only SMS OTP, or bypass the 'Last SIM Swap Date' API check using business logic flaws.
Related reading
Blog: USSD Banking Security · Defending Support Teams
Guides: Fintech Security Checklist · OWASP for Fintech
Services: Penetration Testing · API Security Testing