How can MVNO or eSIM avoid false positives without sacrificing security?

Orchestrate adaptive steps: minimal flow for low risk; for high risk, add biometrics plus an alternate channel and, when appropriate, a cooling-off period.

Unternehmen

Preise

Registrieren Demo anfordern

September 11, 2025

KYC in Telecom in Brazil: How to Stop SIM Swap Fraud (and More)

Q: Which operations should be treated as “high impact” in telecom?

Portability, SIM replacement/duplication, and changes to sensitive data. These require strong identity (document, selfie, and liveness) and, when there are risk signals, a cooling-off period before execution.

Q: What should a compliance team log?

Full traceability: rules invoked, line signals checked, biometric evidence, and outcomes. This streamlines audits and dispute resolution.

Q: Why aren’t static data points (CPF, date of birth) enough?

Because they’re widely exposed; what-you-know checks don’t prove identity once that data is public.

Q: What should we communicate to end users to harden the channel?

Clear messaging: don’t install apps based on a phone request, don’t share codes, and enable MFA on services.

#network

#Identity

What SIM Swap Is—and Why It’s Growing in Brazil Why Traditional Identity Verification Fails in Telecom What Brazilian Regulation Says (Practical Summary)KYC Strategy for Carriers in Brazil (2025)How Didit Helps Carriers Cut Identity Fraud Frequently Asked Questions

Key takeaways

SIM swap and “Mão Fantasma” are now the main vectors of mobile fraud in Brazil; carriers, as the first link in the chain, face losses, regulatory penalties, and eroding customer trust if they don’t protect the number and other critical flows.
Traditional verification fails due to reliance on exposed static data, SMS OTPs over compromised channels, and vulnerable human processes; number portability and SIM replacement/duplication are the most critical points and require strong identity, line-level signals, alternate-channel confirmation, and cooling-off periods.
Anatel requires SMS confirmation for number portability (with a response window); the updated RGST and RGC reinforce transparency and traceability. SMS is mandatory but insufficient as strong authentication in high-risk scenarios.
Effective strategy and Didit’s role: real-time KYC (ID document, selfie, and liveness), biometrics and MFA in high-impact flows, and decisions informed by line signals. An automated, flexible platform reduces reliance on manual review, improves detection, and enables easy integration with transparent pricing.

Brazil is experiencing a surge in digital crime where the mobile line is the critical weak link: SIM swap lets attackers take over a number and intercept OTPs (one-time passwords) sent by SMS to access bank accounts and other sensitive financial apps. The result? BRL 10.1 billion in bank losses in 2024, according to FEBRABAN (Federação Brasileira de Bancos).

But financial organizations aren’t the only ones affected. Telecom operators—often the first link in the chain—also face direct losses, regulatory penalties, and eroding customer trust due to identity fraud.

One thing is clear: the fraudsters’ playbook. Using social engineering, they exploit weak carrier processes and verify themselves with leaked (or stolen) data from the dark web. And it’s not the only threat on the radar: Mão Fantasma has become another major scam. Criminals trick victims into installing a remote-access app; from there, they take control of the phone without the person noticing and guide fraudulent banking transactions. Banks and FEBRABAN advise against installing apps at someone’s phone request or granting remote access to third parties.

What SIM Swap Is—and Why It’s Growing in Brazil

SIM swap is one of the biggest threats to the sector in Brazil. In this type of fraud, a criminal convinces the carrier to issue a new SIM tied to the victim’s number, blending social engineering with leaked data from the dark web.

Once they control the number, the attacker captures SMS OTPs meant for the legitimate customer (for logins or account recovery), leading to what’s known as account takeover.

SIM swap is a growing problem, with meaningful success rates reported across the industry, keeping it a top priority for fraud and security teams.

Why Traditional Identity Verification Fails in Telecom

Brazil faces one of the world’s most aggressive cybercrime environments. Every two seconds there’s an identity-fraud attempt and, in many cases, companies can’t detect, fight, and stop it in time.

While there are no official figures for the exact number of SIM-swap incidents, estimates suggest tens of thousands of users may be affected each year.

The spotlight needs to be on the weakness of current tools and processes. Widely used solutions in Brazil have proved insufficient due to their reliance on static checks, manual reviews, and rigid processes. And it’s not just the tools—approaches fall short, too.

Exposed Data and Carrier Vulnerability

Mass data exposure on the dark web means that with static data (like CPF or date of birth), an attacker can bypass very basic initial checks. When that data is already public, “what you know” verification no longer proves identity.

Plus, many telco workflows still lean heavily on human validation (in store or via call center) and lack real-time risk-signal analysis.

The result is an ecosystem where:

Legitimate customers face friction that doesn’t always stop the attacker.
Criminals exploit leaked information to duplicate SIMs, recover accounts, or force number portability.
Decisions are made on weak evidence (static data) instead of strong proof (biometrics with liveness, line-level signals, device reputation).

Breaches and Portability: The Blind Spot

Number portability between carriers and SIM replacement/duplication concentrate the highest operational risk. These are high-impact events: if attackers get through, they take control of the number, and with it, downstream authentications.

To fight back, carriers should adopt high-assurance standards:

Strong identity at request time (ID document + selfie + liveness) across app/web, call center, or in-store.
Line signals before choosing an auth channel (line type, SIM age, indicators of a recent swap).
Confirmation via an alternate channel (push or verified email) and cooling-off periods for sensitive changes.

What Brazilian Regulation Says (Practical Summary)

Anatel (Agência Nacional de Telecomunicações) requires mobile number portability to be confirmed by SMS to the user’s current line. The account holder has up to 6 hours to reply; if they don’t respond or reply “no,” the request is automatically canceled. These measures don’t replace strong authentication in high-risk scenarios, but they’re a regulatory minimum every telco must meet.

The Agency also approved the Regulamento Geral dos Serviços de Telecomunicações (RGST), consolidating and updating rules for the telecom sector.

Separately, the Regulamento Geral de Direitos do Consumidor was recently updated and consolidated (September 2025), reinforcing obligations for transparency, quality, and reversibility in the user relationship. This affects how portability, SIM replacements, and data changes are communicated and executed, as well as traceability for disputes.

KYC Strategy for Carriers in Brazil (2025)

With the right tools and processes, carriers can significantly reduce identity fraud.

Real-time KYC during onboarding. Document verification, 1:1 Face Match, and liveness detection to prevent sign-ups using synthetic or impersonated identities.
Facial biometrics and MFA for SIM replacements and portability. Embedding biometrics as part of MFA in critical processes raises the bar against social engineering.
Risk-signal driven flows. Before sending an SMS OTP, assess risk: line type, SIM age, signs of a recent swap. If risk is high, route to alternatives (biometrics, verified push/email); if low, continue as normal.
AI and behavioral analytics. Timestamps, locations, and request cadence help detect anomalies and proactively block out-of-pattern operations.

How Didit Helps Carriers Cut Identity Fraud

Brazil faces exceptional fraud volumes and, for operators, priority number one is reducing losses from SIM swap, fraudulent portability, and sensitive data changes. Didit is an identity-verification platform built with that goal at its core.

What does that mean operationally?

Less reliance on manual oversight. Didit reduces manual review load and improves detection at scale, while preserving control and auditability.
Global fraud intelligence. It operates with a worldwide base of thousands of cases: it recognizes patterns and acts accordingly.
Connections to government sources. It integrates government databases for necessary fraud checks.
End-to-end automation. Avoids bottlenecks from manual reviews and speeds up onboarding/servicing without sacrificing control.
Flexible, customizable workflows. Change rules without tickets; add steps when risk calls for it.
Transparency and easy integration. APIs and no-code modules to launch flows quickly, with clear pricing.

Why Didit Overcomes Common Market Limitations

In an environment where traditional providers lean on static validations, manual reviews, and rigid processes, Didit adds an automated, orchestratable layer—connected to government sources—that reduces dependence on manual review, improves detection, and keeps the experience under control. It combines complete identity verification with a global fraud-pattern base to make real-time decisions on new activations, portability, and SIM replacements.

KYC for Telcos in Brazil: Stop SIM Swap with Low Friction

Stay compliant with Anatel and cut fraud in number portability and SIM replacement with real-time identity verification, biometrics, and risk-based orchestration. With Didit, you can start for free, launch tailored flows, and stay ahead of SIM swap.

Talk to our team → Get started on your own

Frequently Asked Questions - KYC in Brazil Telecom

Frequently Asked Questions

KYC in Brazil telecom: common questions and quick answers

Can we use portability SMS alone as verification?

No. SMS is an Anatel regulatory requirement to confirm number portability, but it is not strong authentication. In high-risk cases, pair it with biometrics, line signals, and confirmation via an alternate channel (push or verified email).

Which operations should be treated as “high impact” in telecom?

Portability, SIM replacement or duplication, and changes to sensitive data. These require strong identity with document, selfie, and liveness and, if risk signals are present, a cooling-off period before execution.

What is acceptable to say about Mão Fantasma in a corporate blog?

It’s a remote-access social-engineering scam: the attacker induces the victim to install an application and then takes control of the device. Industry advice is not to install apps requested by phone and not to share codes.

How do we balance regulation and user experience?

Keep SMS as the mandatory confirmation for portability and apply additional strong authentication only when risk requires it. That way you meter friction while complying with Anatel.

What should a compliance team log?

Full traceability: rules invoked, line signals consulted, biometric evidence, and results. This eases audits and dispute resolution.

How do we avoid false positives without sacrificing security for MVNO or eSIM?

Orchestrate adaptive steps: for low risk, a minimal flow; for high risk, biometrics plus an alternate channel and, where appropriate, a cooling-off period.

Why aren’t static data points (CPF, date of birth) enough?

Because they’re widely exposed; what-you-know verification does not prove identity once that data is public.

What should we tell end users to harden the channel?

Clear messages: don’t install apps based on a phone request, don’t share codes, and enable MFA on services.