Case study: digital bank blocks 96% of SIM swap attacks with device + SIM intelligence

The Challenge

A digital bank operating in India and Southeast Asia with 8M+ customers was experiencing a surge in SIM swap-driven account takeovers. Attackers obtained victims' phone numbers through social engineering or insider access at telecom operators, swapped the SIM, received OTPs, and drained accounts — often within minutes.

The bank was losing approximately $890K/quarter to SIM swap fraud. Worse, regulatory pressure from RBI (Reserve Bank of India) required demonstrable SIM swap detection capabilities as part of digital lending guidelines.

Why OTP-Only Authentication Failed

SIM swap invalidates OTP: The entire security model relied on SMS OTP reaching the legitimate user. Once the SIM was swapped, the attacker received all OTPs. The bank had no way to detect that the SIM had changed.

IMSI checks were unreliable: The bank attempted server-side IMSI verification through carrier APIs, but carrier API response times were 3-8 seconds (unacceptable for real-time transactions) and coverage was inconsistent across MVNOs.

Behavioral biometrics added friction: A behavioral biometrics solution was piloted but generated a 14% false positive rate, blocking legitimate customers and increasing support costs.

The Deep ID Implementation

SIM Binding: Deep ID's SIM Binding links each device to its SIM card using IMSI, ICCID, and carrier metadata. When a SIM swap occurs, the binding breaks instantly — before the attacker can receive any OTP.

Device fingerprinting: Persistent device ID ensures the bank recognizes returning devices across sessions. If a new device appears with a swapped SIM, both signals — new device + SIM change — trigger high-risk scoring.

RASP protection: Anti-Frida and anti-hooking detection protects the banking app from instrumentation attacks that could bypass client-side SIM checks.

Results After 6 Months

96% of SIM swap attempts blocked before OTP delivery. Deep ID detects the SIM change and flags the session before any OTP is sent, preventing the attack from progressing.

$3.2M annualized fraud prevention — direct savings from blocked account takeovers, plus reduced investigation costs and customer compensation.

False positive rate: 0.3% — compared to 14% with behavioral biometrics. SIM binding is deterministic: either the SIM matches or it doesn't.

RBI compliance achieved. The bank met RBI's digital lending guidelines for SIM swap detection and device binding, enabling expansion into new lending products.

Customer authentication time reduced by 40% for returning users on bound devices, as the bank could skip OTP for trusted device+SIM combinations.