His iPhone was locked and encrypted. The thief just took the SIM.
A colleague of mine lost more than ₦300,000 in a few hours, and the thief never had to break a single one of the things we are told keep us safe. That is what makes the story so uncomfortable. The phone was secure. The banking relationship was not.
Let me start with the worst part.
It was not just the money, though more than ₦300,000 is nobody’s idea of a good week. It was the phone call. A colleague of mine at Youverify had his iPhone snatched, the way thousands of phones get snatched in Lagos traffic every week. Good phone. Locked. Encrypted. Face ID, strong passcode, the works. If you had asked him that morning whether his money was safe, he would have laughed at the question.
By the time he got to the care centre to retrieve his line, the money was already gone. Then the agent asked one ordinary question as part of their security protocol: what kind of phone do you use? In that second, it clicked. The thief never needed to break into the locked iPhone. He removed the SIM, put it into a cheap Android phone, and used the banking channels that still treat possession of a phone number as proof of the customer.
Sit with that for a moment. The encryption, the secure enclave, the Face ID, and the passcode were all doing their jobs. The thief did not defeat the phone. He walked around it by lifting out a small piece of plastic.
This took almost no skill.
That is what has been bothering me. Not only that it happened, but how easy it was.
No hacking. No malware. No clever phishing link. You move a SIM from one handset to another, the line wakes up, and you start testing the channels that still trust SIM possession. It helps the thief that most of us never set a SIM PIN, and that the networks still ship them with a default of 0000, so the SIM simply connects in its new home. In a market where USSD remains essential to financial inclusion, that is a dangerous weakness.
Once the SIM works in the new phone, a surprising number of sensitive journeys open up. In Nigeria, a stolen SIM can be used to look up or recover identity details, including BVN and NIN, over USSD, and to walk through account-recovery and reset flows that still lean on SMS or on the line itself. Many of those resets still hinge on information that is either public or trivially guessed: a date of birth, an account number, a few static personal details. Your date of birth is sitting on Facebook, under the birthday messages. You can see where this goes. The thief certainly could.
That is the part Nigerians need to hear plainly. A stolen SIM may not only expose one account. It can become a bridge into account recovery, wallet access, instant lending, synthetic identity abuse, and future scams. For a few hours, as far as too many systems can tell, the thief is the customer.
We built a financial system that treats a SIM card as a human being. That is the whole problem in one sentence.
Other markets are already moving.
When I went looking for who had already confronted this problem, the pattern was clear. Other markets have started moving sensitive authentication away from codes sent to a phone number and toward stronger, device-bound, app-based, biometric, cryptographic, or risk-based controls.
Singapore’s financial regulator and banking association announced in July 2024 that major retail banks would progressively phase out OTPs for account login by customers using digital tokens. NIST in the United States treats PSTN-based out-of-band authentication, including SMS and voice, as restricted. India’s 2025 digital payment authentication directions move the market toward stronger and more flexible authentication. Malaysia, the UAE, and the Philippines have also taken steps to reduce reliance on SMS OTPs for sensitive banking actions.
The lesson is not that every country has solved the problem perfectly. They have not. The lesson is simpler: your phone number is not you, and possession of the SIM behind it should no longer be treated as enough proof for high-risk financial activity.
TIRMS is useful. It is not enough.
Someone will say Nigeria is already on this because the CBN and NCC launched TIRMS, a system publicly described as helping banks and financial institutions check telecom-related identity risk, including whether a number was recently swapped, reassigned, inactive, or otherwise risky. TIRMS is a good and necessary step. It quietly admits the central point of this article: the phone number cannot be trusted on its own.
But we should be precise about what problem it solves.
Based on how TIRMS has been publicly described, it is strongest for risks such as SIM swap, SIM reissue, number reassignment, and related telco status checks. My colleague’s SIM was not swapped. Nobody convinced a telco to issue a new SIM. The thief physically moved the original SIM into another phone. Same number. Same SIM. A different person.
That is why TIRMS should be treated as a foundation, not the finish line. It can help banks detect one important class of telecom risk, but physical SIM theft, unusual SIM-device pairing, new handset usage, risky USSD behaviour, suspicious PIN reset attempts, and high-risk transaction patterns need broader controls. We should not mistake a good first step for a complete answer.
There is also the liveness mandate included in the Nigerian CBN AML Baseline, and it deserves fair treatment. Biometric liveness is useful for account opening and onboarding risk. It helps prove that a real person is present when a new account or customer journey begins. But my colleague’s account was already open. The thief did not need to onboard as anybody. Checking that a live face opens a new account does not, by itself, stop a live SIM from draining an old one.
Nigeria has more exposure than most markets can afford to ignore.
Nigeria has one of Africa’s largest mobile and digital-banking footprints. That is something to be proud of. It is also why this particular fraud matters so much. Tens of millions of customers rely on phone-number-linked journeys, USSD access, wallets, agent networks, mobile banking, and instant payments. For many people, USSD is not a backup channel. It is the banking channel.
That scale changes the risk calculation. The more financial access we build around the SIM, the more damage a stolen SIM can do. The solution cannot simply be to remove USSD and declare victory. Financial inclusion still matters. The solution is to stop allowing SIM possession alone to carry the weight of identity, authentication, recovery, and transaction approval.
What should change?
This does not require a breakthrough. It requires a decision.
The most urgent control is simple: high-risk banking actions should not proceed just because the customer appears to control a phone number. When a SIM swap, SIM reissue, number reassignment, unusual SIM-device pairing, new handset signal, risky USSD sequence, or suspicious reset attempt is detected, the customer should be stepped up or temporarily frozen until they are re-authenticated.
Beyond that, the fixes are not mysterious. Move the sensitive approvals (adding a payee, raising a limit, resetting a PIN, signing a large transfer) onto the customer's trusted device, where a stolen SIM is useless because the secret never leaves the handset.
Put a real, dynamic PIN on every sensitive USSD step, and stop allowing a banking PIN to be reset with a date of birth and an account number. That single change would have stopped what happened to my colleague.
And fix the smallest, cheapest problem of all. Networks still issue SIMs with a default PIN of 0000, and almost nobody ever changes it. Force a customer-set SIM PIN at activation. That one habit is the line between losing a phone and losing a bank account.
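To make the control described above concrete, here is an added example of a step-up policy, written for this article and not code from the original piece or from any bank or from Youverify. The signal names (a TIRMS-style swap flag, a same-SIM-new-handset flag, failed reset counts), the action names and the factor names are constructed assumptions; the point is that a SIM swap freezes the line, a sensitive action needs a factor the SIM cannot supply, and a date of birth plus an account number never unlocks a PIN reset.

```python
"""Step-up policy for phone-number-linked banking actions (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # re-authenticate on the enrolled device before continuing
    FREEZE = "freeze"     # hold the line's channels until the customer is re-verified


# Sensitive actions that must never ride on SIM possession alone (assumed names).
HIGH_RISK = {"add_payee", "raise_limit", "reset_pin", "large_transfer"}
# Facts a stolen SIM plus a public profile can supply: they prove nothing about the person.
STATIC_FACTORS = {"date_of_birth", "account_number", "phone_number", "sms_otp"}
# Factors bound to something the SIM does not carry (assumed names).
STRONG_FACTORS = {"device_signature", "app_biometric"}


@dataclass
class Request:
    action: str
    channel: str                          # "ussd", "sms" or "app"
    factors: set = field(default_factory=set)


@dataclass
class TelecomSignals:
    sim_swapped_recently: bool = False    # TIRMS-style swap / reissue / reassignment flag
    handset_changed: bool = False         # same SIM now seen in a different handset
    failed_resets_last_hour: int = 0      # burst of PIN-reset attempts on this line


def decide(req: Request, sig: TelecomSignals) -> Decision:
    # A swapped line or a reset burst: nothing proceeds until the customer is re-verified.
    if sig.sim_swapped_recently or sig.failed_resets_last_hour >= 3:
        return Decision.FREEZE
    # Sensitive actions need a factor the SIM cannot supply; OTP and DOB do not count.
    if req.action in HIGH_RISK:
        return Decision.ALLOW if req.factors & STRONG_FACTORS else Decision.STEP_UP
    # Same SIM in a new handset: read-only is fine, anything that moves money steps up.
    if sig.handset_changed and req.channel in ("ussd", "sms") and req.action != "balance":
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    # The journey from the article: original SIM in a new phone, PIN reset over USSD
    # with only a date of birth and an account number.
    thief = Request("reset_pin", "ussd", {"date_of_birth", "account_number"})
    print(decide(thief, TelecomSignals(handset_changed=True)))   # Decision.STEP_UP
```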
Nobody here was careless.
Here is what I keep coming back to. My colleague never got the money back, and most people in his shoes never do. But I do not think anyone was being lazy or stupid. He did many of the things customers are told to do. He bought a secure phone. He locked it. He trusted the system. The bank, for its part, followed the rules it was handed.
The honest problem is that the rules belong to a world that has quietly ended. We built banking around the SIM when holding a SIM more or less meant being the person. That stopped being true, but the model did not change fast enough.
There is a lever that works, and the Philippines has just pulled it. Alongside moving off SMS OTP, its regulator flipped the liability, so that a bank which clings to weak authentication and then lets a customer get defrauded now carries the loss itself, instead of pushing it onto the victim. Nothing concentrates an industry’s attention quite like being made to pay for its own shortcuts.
Nigeria can lead this shift. We can keep USSD and inclusion, while still reducing the amount of trust placed on a removable SIM. We can use TIRMS as a foundation, not a finish line. We can move sensitive approvals to the customer’s trusted device, not just the customer’s phone number. And we can stop asking victims to absorb losses from a model that was technically working as designed but practically failing in the real world.
The SIM is not the customer. We should stop building as if it is.