Home - , , , , , - Test Reveals Carriers Failed to Protect Customers Against SIM Swap Attacks

Test Reveals Carriers Failed to Protect Customers Against SIM Swap Attacks

Smartphone users, there seems to be a SIM-swap attack that is currently taking place. As discovered by a Princeton test, five carriers in the US failed to protect their subscribers against these attacks.

The results of the study showed that they were able to convince the carriers to assign a phone number to a new SIM even though the standard security questions were not answered successfully by the person making the request. And once the phone number has been reassigned to a new SIM card, the individual holding the device can reset passwords. The scary part is that they can even bypass accounts that have two-factor authentication (2FA) protection.

The study revealed that the SIM reassignment was allowed by the carriers even though the attacker answered the security questions incorrectly for several times. And considering that these security questions are designed to ensure the legitimacy of the account owner, it is scary to think that they could be bypassed without the correct answers.

The study showed that:

"We examined the types of authentication mechanisms in place for such requests at 5 U.S. prepaid carriers— AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless— by signing up for 50 prepaid accounts (10 with each carrier) and subsequently calling in to request a SIM swap on each account. Our key finding is that, at the time of our data collection, all 5 carriers used insecure authentication challenges that could easily be subverted by attackers. We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges."

The testers called in and claimed to have forgotten their answer to the primary security question. In addition to this, they claimed that they made a mistake when they set up the account, which is why they were unable to answer their date and place of birth correctly.

Surprisingly, the representatives allowed the testers to authenticate by simply naming the two most recent phone numbers they had called. And as discovered, they could easily persuade people to make a phone call to an unknown number by simply sending a text or leaving a voicemail. The test also discovered that there were three carriers that allowed incoming calls as an authentication. This meant that the attacker could just easily make a call from a burner phone.

And once the SIM swap is successful, the attacker could just reset the passwords of the victim by sending a reset link via SMS. They can then access this reset link and have access to the account of their victims.

Since more and more users are opting for text messaging as 2FA, the problem could be risky for them unless these carriers address this concern. The best option is still to use an authentication app once it is available as an option.

You can read more about the test here.

Source: Engadget 


Comment Page :
  1. I'm thinking of getting a Google Voice number. That way it's tied to a password, and not easily bypassed by Customer service.

    1. Google Voice is limited and needs to be upgraded so you can send videos too.

Comment Page :

All comments must be approved before they will appear. The following types of comments will not be approved: off topic comments, insults or personal attacks directed at other commenters, bigotry, hate, sexism and profanity.