MSISDN vs IMSI: What’s the Difference and Why Does It Matter for Mobile Identity?

Failing to understand the difference between mobile phone number (MSISDN) and SIM card number (IMSI) — or just relying on a mobile number to verify identity — can open the door to SIM swap fraud and other issues for mobile users…

Paul McGuire
Mar 27 · 6 min read
Photo by Andrey Metelev on Unsplash

Commerce has moved online, and online increasingly means mobile. The Covid-19 pandemic has led to more people working, shopping, and doing business remotely than ever before. Worldwide, over 50% of that traffic already happens on mobile devices; across all Asia that figure is closer to 60%, while in India it’s higher than 75%.

As mobile’s dominance of e-commerce continues to grow, many apps have started to use the mobile number as their primary form of user identity. The most common two-factor authentication method — a PIN code sent via SMS — also uses the mobile number.

But there’s a big problem here: although a mobile number is unique, it is not actually owned or controlled by the user. That makes it vulnerable to fraudsters who can intercept SMS PIN codes and other sensitive information with increasing ease. It also causes problems when numbers get recycled by mobile operators and reissued to different users.

So, if your business relies on a phone number alone, you could be in big trouble.

In this article, we’ll explain the crucial difference between a phone number (MSISDN) and a SIM card identifier (IMSI). We’ll look at how SIM swap fraudsters operate, examine the issue of recycled phone numbers, and explain how a mobile number on its own isn’t enough to verify users safely. Finally, we’ll look at a secure and surprisingly straightforward alternative for verifying users and preventing fraud that you may not be aware of.

MSISDN vs IMSI: What’s the difference?

The mobile number (MSISDN) is what people think of as their identity on the network, but it is actually the SIM card identifier, called the International Mobile Subscriber Identity (IMSI), that uniquely identifies a subscriber in mobile networks. If you need a new SIM card for any reason, that new card carries a new IMSI, yet you can keep the same mobile number. That gap between the number and the SIM is what creates the vulnerability.

When you send a text message or make a call, you send it to a phone number (MSISDN) — this is how your contacts can still reach you when you get a new SIM. Your mobile operator routes that message to a mobile device, based on the latest mapping of that MSISDN to the IMSI of that device. If there has been no change, there’s no problem. However, if that MSISDN is now mapped to someone else’s SIM card, then that text message or phone call will go to that someone else.

You might think this isn’t a big issue unless you have recently lost your phone or changed networks. But malicious actors exploit this loophole deliberately, and to great effect.

How do bad actors carry out SIM swap fraud?

Here’s how it works:

  1. A bad actor finds out your mobile number and some personal information, typically via a phishing scam, social engineering, or buying information from other criminals.
  2. They use that information to impersonate you to your mobile network operator (MNO), saying that they need a new SIM card — perhaps pretending that they lost their phone.
  3. The MNO customer support agent issues the new SIM card to the bad actor, with your mobile number.
  4. As soon as that SIM card goes live (is activated in the bad actor’s mobile phone), your original SIM stops working.
  5. Before you notice, or before you do anything about it, the bad actor quickly logs into your online banking, social media, email, and more, and changes the password by intercepting the PIN code sent out by SMS. They can then easily steal your identity and/or your money.

SIM swap fraud is a simple and successful method with a thriving community of criminals behind it, and it’s continuing to rise. In 2020, Action Fraud recorded nearly twice as many cases in the UK as in the previous year. But even if you’re never a victim of SIM swap, your mobile number could still be handing bad actors the key to your identity — or leaking your personal information to a stranger…

How do recycled numbers cause problems?

A common marketing tactic used by MNOs is to send out a slew of prepaid SIM cards to attract customers to their network. Each of those SIMs has a phone number assigned to it; even if it is never activated, no one else can use that number for a period of time. But eventually, if it hasn’t been used, the mobile operator will recycle the MSISDN and put it back into the pool of available numbers.

In the UK, the length of this period varies by network, generally taking between 90 days and a year before an unused number becomes available again. But in other countries it can take as little as a few weeks, or even a few days.

Problems arise here when a mobile app uses the mobile phone number (MSISDN) alone as the primary identifier. When that number is recycled to a new user, that person may inadvertently access the previous user’s login information when trying to register for accounts — or even receive messages, calls, and two-factor authentication codes intended for the previous user.

At best, this might simply lead to a confused stranger accidentally viewing your social media profile. At worst, it could mean a malicious individual deliberately accessing your online accounts, taking your money, and stealing your identity.

Is MSISDN alone ever the right solution?

It can be, for low-risk actions. For example, in a mobile onboarding flow for a travel app, a user may be able to sign up with MSISDN alone simply to browse listings and message sellers. When the user needs to take a higher-risk action, such as making a reservation, the app may then require a second factor, such as a fingerprint or face scan. Although this adds friction, the user is already invested at this point, so the UX trade-off is seen as worth it for fraud prevention.

So how does using the SIM card get around all these issues?

Unrivalled security: At any one time a mobile phone number is tied to exactly one SIM card. That pairing of mobile number + SIM card is unique, cannot be duplicated, and is cryptographically secured.

Prevents SIM swap: Verifying with mobile number + SIM card works against SIM swap fraud by ensuring that the number hasn’t been reassigned by a bad actor.

Solves recycled numbers: Identifying users based on a combination of mobile number + SIM card removes the risk of account details being compromised when numbers are recycled, keeping users secure and protecting your brand’s reputation.

Seamless UX: For a user, this approach is extra simple — just type your number and it will be verified instantly, in real-time, with no further action required: no SMS to wait for, no PIN code to retype.
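To make the routing model from the "MSISDN vs IMSI" section and the number + SIM verification described in the four points above concrete, here is an added example (it is not code from the article or from any product the author describes). It models the operator's MSISDN-to-IMSI mapping as an in-memory table, binds a number to a fingerprint of its IMSI at sign-up, and re-checks that binding at login so that a SIM swap or a recycled number is reported as a changed binding instead of silently passing. The operator lookup, the sample numbers and IMSIs, and the HMAC key are all constructed for the example; a real deployment would query the MNO and hold the key in a secrets store.

```python
"""
Added example: bind an MSISDN to its current SIM (IMSI) and detect when the
operator's mapping has changed before trusting the number again.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for the operator's live MSISDN -> IMSI mapping.
# In reality this lives with the MNO and is reached through an API;
# the numbers below are reserved drama-range values, not real subscribers.
OPERATOR_MAPPING = {
    "+447700900123": "234150000000001",
    "+447700900456": "234150000000002",
}


def operator_lookup(msisdn):
    """Simulated MNO lookup: which IMSI currently serves this number?"""
    return OPERATOR_MAPPING.get(msisdn)


def simulate_sim_change(msisdn, new_imsi):
    """Simulate the operator moving a number to a different SIM
    (a legitimate replacement, a SIM swap, or a recycled number all
    look identical from the app's point of view)."""
    OPERATOR_MAPPING[msisdn] = new_imsi


class MsisdnImsiBinding:
    """Stores, per number, a keyed fingerprint of the IMSI seen at sign-up."""

    def __init__(self, key):
        self._key = key
        self._bindings = {}

    def _fingerprint(self, imsi):
        # Keep an HMAC of the IMSI rather than the IMSI itself, so a leaked
        # database does not hand out raw subscriber identifiers.
        return hmac.new(self._key, imsi.encode(), hashlib.sha256).hexdigest()

    def register(self, msisdn):
        """Bind the number to whatever SIM the operator maps it to right now."""
        imsi = operator_lookup(msisdn)
        if imsi is None:
            raise ValueError("number is not known to the operator")
        self._bindings[msisdn] = self._fingerprint(imsi)
        return True

    def verify(self, msisdn):
        """Return one of: 'ok', 'unknown', 'unreachable', 'changed'."""
        stored = self._bindings.get(msisdn)
        if stored is None:
            return "unknown"          # never enrolled: no binding to compare
        imsi = operator_lookup(msisdn)
        if imsi is None:
            return "unreachable"      # operator no longer maps this number
        if hmac.compare_digest(stored, self._fingerprint(imsi)):
            return "ok"               # same SIM as at sign-up: no SMS PIN needed
        return "changed"              # different SIM: SIM swap or recycled number


def decide(status):
    """Map a verification result to an authentication decision."""
    return {
        "ok": "allow",
        "unknown": "enroll",
        "unreachable": "deny",
        "changed": "step_up",   # require a stronger factor, then re-register
    }[status]


if __name__ == "__main__":
    store = MsisdnImsiBinding(secrets.token_bytes(32))
    store.register("+447700900123")
    print("login before swap:", decide(store.verify("+447700900123")))
    simulate_sim_change("+447700900123", "234150000000099")
    print("login after swap: ", decide(store.verify("+447700900123")))
```

The point of the `changed` outcome is that the app never learns the new IMSI as "the user" on its own; it only learns that the number no longer sits on the SIM it enrolled, which is exactly the signal a SIM swap or a recycled number produces, and it answers with a step-up rather than an SMS code that the new SIM holder would receive.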
