(Sim Swap Detection)
Qualification: IT product
06/02/2015 until 28/02/2017
Initial certification on October 30, 2012
Not applicable (IT product)
9 Devonshire Square
London EC2M 4YF
SSD sticks to the principle of data avoidance and minimisation by keeping the personal data processed to the absolute minimum. In addition, its conditions of use provide for strong legal safeguards: Buyers of the software are comprehensively informed about their data protection obligations and contractually bound to ensure compliance with the applicable data protection law.
The TOE has not changed. Nothing has been added to the TOE. Nothing has been removed from the TOE. There are no new regulations relevant to the TOE. The EuroPriSe Criteria Catalogue requirements relevant to the TOE have not changed. The experts verified that there are no new technical standards relevant to the TOE and that the state of the art has not changed.
VALid-SSD is intended to ensure the integrity of out-of-band (OOB) communications by checking whether a potentially fraudulent SIM swap has occurred. The ToE works by "looking up" the SIM card numbers of the mobile phones to be checked (e.g., on the occasion of an OOB authentication in the online banking context) and then correlating these with the initially established SIM card numbers of the respective mobile telephone subscribers. When SSD determines that a mobile subscriber's SIM card number has changed, this is passed to the user of the ToE (e.g., a bank), who may choose to treat an unrecognised SIM card number as suspicious and take the action it deems appropriate.
The ToE is a tool that enables organisations (e.g., banks) to prevent fraud committed by means of so-called "Pseudo Device Theft". In such "Pseudo Device Theft", attackers deceive the mobile network operator (MNO) of which the individual (e.g., a bank customer) is a subscriber into believing that the individual has obtained a new SIM card for his or her mobile phone, or a new phone, but wants to retain the original mobile phone number. The MNO then substitutes the new SIM card number for the original one, and calls or SMS messages to the individual's mobile phone are passed on to the new card, and thus to the criminal, rather than to the mobile phone of the subscriber. This diversion of calls or SMS messages can undermine the integrity of OOB authentication systems or other communications.
The ToE consists of a carrier with software which has a database at its heart. It has interfaces to the user's own systems and to the systems of a telecommunications service provider ("partner TSP") who supports the ToE in looking up the SIM card numbers.
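The lookup-and-correlate check described above can be sketched as follows. This is an added illustration, not code from VALid-SSD or its vendor; the class and function names, the keyed hashing of identifiers, the example policy and the in-memory directory standing in for the partner TSP are all assumptions.

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    UNCHANGED = "unchanged"
    CHANGED = "changed"
    NOT_ENROLLED = "not_enrolled"


class SimSwapChecker:
    """Hypothetical checker; `lookup` stands in for the partner TSP interface."""
    def __init__(self, key: bytes, lookup):
        self._key = key
        self._lookup = lookup  # callable: phone number -> current SIM card number
        self.baseline = {}     # token(phone number) -> token(SIM card number)

    def _token(self, value: str) -> str:
        # Assumption: keyed hashes are stored, never raw identifiers.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def enrol(self, number: str) -> None:
        """Record the initially established SIM card number."""
        self.baseline[self._token(number)] = self._token(self._lookup(number))

    def check(self, number: str) -> Verdict:
        """Look up the current SIM card number and compare it with the baseline."""
        stored = self.baseline.get(self._token(number))
        if stored is None:
            return Verdict.NOT_ENROLLED
        current = self._token(self._lookup(number))
        same = hmac.compare_digest(stored, current)
        return Verdict.UNCHANGED if same else Verdict.CHANGED


def oob_action(verdict: Verdict) -> str:
    """Example relying-party policy; the real decision is the user's own."""
    return "send_oob_code" if verdict is Verdict.UNCHANGED else "manual_review"


if __name__ == "__main__":
    # Constructed sample data: phone number -> SIM card number at the operator.
    directory = {"+447700900123": "8944000000000000001"}
    checker = SimSwapChecker(b"constructed-demo-key", directory.__getitem__)
    checker.enrol("+447700900123")
    print(checker.check("+447700900123"))
    directory["+447700900123"] = "8944000000000000002"  # number moved to a new SIM
    after = checker.check("+447700900123")
    print(after, oob_action(after))
```

The checker only reports the verdict; as in the description above, what to do with a changed SIM card number is left to the relying party.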
Javier Garcia-Romanillos Henriquez de Luna
Ernst & Young (Spain)
Plaza Pablo Ruiz Picasso 1
Prof. Douwe Korff
Wool Street House
Gog Magog Hills
Cambridge CB22 3AE