The recent crackdown on SIM farm networks in Europe has once again exposed deep flaws in telecom security and identity verification. As criminals exploit weak KYC checks and outdated SMS-based authentication, experts say it’s time for telecoms and regulators to share responsibility and help restore trust in the world’s most basic digital authentication system.
Authorities in Vilnius recently disrupted a cybercrime-as-a-service operation running a vast SIM farm. The bust follows a similar operation earlier in the month by Europol, which led to the seizure of 1,200 SIM box devices and 40,000 active SIM cards. The farms were estimated to have facilitated over 3,200 cyber fraud cases, resulting in financial losses of approximately €5 million (roughly $5.8 million).
While the authorities are still uncovering the true scale of these networks, their takedown reveals an inconvenient truth – the ease with which legitimate telecom infrastructure can be repurposed for fraud.
“As long as there’s an economic incentive, someone will look for loopholes in the system,” Vykintas Maknickas, CEO of Saily, told Cybernews.
“The key is to cut off the profit motive – no incentive means no reason to exploit it.”
No verification
At the core of the problem are the cracks in telecom identity verification, specifically the Know Your Customer (KYC) process. It’s intended to prevent anonymous SIM use, but is often perceived as an inconvenience for both SIM providers and customers.
Danny Rogers, CEO of iVerify, told Cybernews that jurisdictions with strong KYC requirements for SIM cards, where they’re tied to national IDs, tend to be less prone to attacks like SIM swaps.
“Of course, that comes with significant cost in terms of friction to the business model and privacy implications for everyday or at-risk users,” says Rogers.
At the end of the day, he says telecom providers are commercial businesses looking to maximize revenue and minimize friction among their customers. And the enforcement of strong KYC requirements leads to an uneasy balance between convenience, revenue, and risk that increasingly favors attackers.
Maknickas agrees and says the low barriers to SIM acquisition and inconsistent KYC enforcement are perfect for criminals.
“In many countries, prepaid SIMs can be bought in bulk with minimal verification, and there’s little cross-operator visibility into how many active lines a single identity controls,” he notes. When combined with missing anomaly detection for SIM rotation or unusual cell tower activity, it creates the “perfect environment for industrial-scale abuse.”
Prevalence of SMS OTPs
SIM farms wouldn’t be as powerful if SMS-based authentication weren’t still so common. For years, security experts have warned that using text messages to verify identities or log into accounts is inherently insecure. Yet, several critical institutions, such as banks and government portals worldwide, continue to use OTPs sent via SMS for authentication.
Unfortunately, our experts believe that’s unlikely to change anytime soon.
“In the end, the universality of SMS, versus all the other kinds of 2FA (two-factor authentication), think apps, phones, hardware tokens, is just too convenient and seamless to ever fully go away,” says Rogers, adding that “history has proven that no matter how insecure it might be, SMS-based 2FA isn’t going anywhere anytime soon.”
Maknickas agrees that SMS-based authentication persists because it’s cheap and easy to deploy.
He believes the real drivers for change will be economic pressure from fraud losses linked to SIM farms, the rise of passkeys and device-based authentication, and regulatory bans on SMS as a primary 2FA method.
Until then, SMS-based identity verification continues to be one of the weakest links in the digital trust chain, and one that criminals will continue to exploit.
Shared responsibility
If the recent takedowns are to mean anything more than a temporary disruption, experts say that telecoms and regulators must fundamentally rethink how identity and fraud prevention are built into mobile networks.
Maknickas believes the answer lies in shared accountability. Telecoms should, for instance, invest in behavior-based detection systems that can identify patterns such as SIM cycling, mass OTP traffic, or suspicious cell-site clustering. Meanwhile, regulators, he says, must move beyond broad mandates and focus on measurable outcomes.
At a systemic level, he believes that cross-operator data sharing to detect activation spikes, limits on bulk SIM purchases, and automated proof-of-life checks will help. Working with hardware vendors that supply SIM boxes could also help disrupt the commercial supply chain behind these scams.
“Platforms and financial institutions also play a role,” he adds.
“They must stop treating phone numbers as strong identity markers and adopt phishing-resistant authentication.”
Rogers is more pragmatic. Given that SMS authentication isn’t going away anytime soon, he argues it’s best to figure out how to live with it, secure it, and detect when it has been compromised.
Unlock more exclusive Cybernews content on YouTube
Your email address will not be published. Required fields are markedmarked