Nigeria’s fast-growing digital financial system, once celebrated for expanding access to banking services, is now facing a deepening security dilemma.
- +How telecom-banking integration exposes users to rising SIM swap attack risks
- +A digital identity built on phone numbers
- +The rising pattern of SIM swap
- +When telecom meets banking: A fragile link
The same telecom networks that power mobile banking have become a critical vulnerability point exploited through SIM swap and number recycling attacks.
The same telecom networks that power mobile banking have become a critical vulnerability point exploited through SIM swap and number recycling attacks.
From Lagos to Abuja and across the diaspora, cases are emerging where users lose control of their phone numbers, sometimes without warning and shortly after, their bank accounts begin to show unauthorized activity. The issue is no longer isolated. It sits at the intersection of telecom regulation, banking authentication systems, and identity management failures in a highly connected financial ecosystem.
At the centre of the debate is how deeply telecom infrastructure is now embedded in Nigeria’s banking architecture. Mobile numbers are no longer just communication tools. They are identity keys.
A digital identity built on phone numbers
Today, telecom networks underpin nearly every layer of digital banking in Nigeria. Mobile numbers are used for one-time passwords (OTPs), Unstructured Supplementary Service Data (USSD) banking commands, transaction alerts, account recovery, and even fintech authentication systems.
According to telecom executives, the mobile network now functions as a silent backbone of financial services. Without it, millions of transactions across banks and fintech platforms would simply not work.
But this dependency has created a single point of failure. Whoever controls a phone number often controls access to financial identity.
This risk becomes more severe when numbers are recycled under regulatory timelines. Under Nigerian Communications Commission (NCC) rules, a SIM card is considered inactive if there are no revenue-generating events (like calls, SMS, or data usage) for 180 days (six months). Once this period lapses, telecom operators can deactivate the line.
Telecom providers typically deactivate a SIM after 180 days of dormancy. Before final deactivation, operators are required to send an alert (via alternative mobile lines or email) at least 14 days prior to the churn date. After deactivation, the line can be reassigned to a new subscriber after one year (365 days) of inactivity.
Subscribers who know they will be away or wish to keep their unused number can “park” their line for up to one year at a low cost.
Though, the House of Representatives has proposed extending the reallocation waiting period from 180 days to 18 months to protect consumers from financial fraud and identity theft. However, the official, implemented NCC baseline remains six months for deactivation and one year for reassignment.
While this improves efficient use of numbering resources, it has also opened a pathway for unintended financial exposure.
The rising pattern of SIM swap
The growing concern is not theoretical. Victims are increasingly reporting that once their SIM is reassigned, fraudsters can inherit access to banking systems still linked to the old number.
One widely circulated case involved Asabi, a project manager living abroad, who discovered unauthorised transfers totalling around N100,000 from her Access Bank account on May 25, 2026.
Her inactive MTN SIM had been reassigned. “So that is how MTN reassigned my MTN line to a new user, thus giving them access to my bank account and enabling transfers of 100k within a day,” she said.
She only caught the fraud after logging into her app to make a transfer. She had subscribed to MTN’s “Keep My Line” service but remains unsure of its full protection.
A Nigerian lady living in Canada recounted waking to debit alerts: “N20,000 had been withdrawn using *901#. I contacted my bank, and they advised me to reach out to my service provider, claiming my number may have been sold. I contacted MTN, and they reportedly admitted that they sold the number.”
Nwunye Odogwu, a content creator called it a clear pandemic, noting that hardworking Nigerians are losing savings.
A X user, Otunba Kappachino lost over N500,000 through Access Bank’s USSD channel and expressed frustration that the bank claimed nothing could be done.
Another X user, Babatunde O. reported not only money withdrawal but also takeover of his WhatsApp account, which the fraudster continued using. Many victims highlight how reassigned numbers grant full access to linked banking services.
Nigeria has lost over N320 billion to broader financial and digital fraud in recent years, with SIM swap and related telecom-enabled crimes forming prominent loopholes.
Industry reports indicate SIM swap fraud accounts for up to 43 percent of mobile money fraud cases in similar African markets.
Geographically, Lagos dominates with 63.43 percent of identity-linked digital fraud, followed by Abuja at 3.12 percent, Ogun 2.51 percent, Rivers 2.44 percent and Delta 2.09 percent.
An NCC survey notes the average Nigerian holds four to five SIM cards, expanding the attack surface, which prompted limits on NIN linkages to a maximum of seven SIMs.
Over 5,000 fintech accounts were compromised in one reported wave involving phishing and SIM swaps.
When telecom meets banking: A fragile link
The core issue is structural. Nigeria’s banking system relies heavily on telecom authentication methods that were designed for convenience, not high-level fraud resistance.
USSD banking, SMS-based OTPs, and mobile alerts remain dominant because they are accessible even on basic phones. But this simplicity also makes them vulnerable.
Tobechukwu Okigbo, the chief corporate services & sustainability officer, MTN Nigeria, said telecom infrastructure now supports a significant portion of Nigeria’s banking ecosystem, including mobile authentication, digital transfers, fintech services, and agent banking operations.
He noted that because of this integration, any compromise involving SIM ownership immediately becomes a financial security risk.
In other words, the phone number has become the password.
SIM swap fraud typically begins with identity compromise. Fraudsters may exploit weak verification processes, impersonation, or system loopholes to request replacement SIMs or take over recycled numbers.
Once successful, the consequences are immediate. For instance, OTPs are redirected to the attacker; banking apps can be reset; USSD commands are executed without the victim’s knowledge; financial alerts are intercepted or disabled and whatsApp and other linked apps may also be hijacked.
This chain reaction shows how telecom access becomes digital identity access.
One of the most overlooked vulnerabilities is the lifecycle of phone numbers themselves.
