An alarming Princeton test shows that the five largest US carriers are failing to adequately protect their customers from so-called SIM-swap attacks.
We have been able to persuade the carriers to allocate phone numbers to new SIMs without successfully answering any of the standard security questions. Once a phone number is reassigned to an attacker's SIM, the attacker can reset passwords even on accounts protected by two-factor authentication (2FA).
The Princeton study revealed that carriers would allow reassignment even if the attacker had repeatedly given incorrect answers to security questions designed to ensure that they were the legitimate owner of an account.
The method used was ridiculously simple: the caller claimed to have forgotten the answer to the primary security question, then went on to claim that the reason they could not answer questions about things like their date and place of birth was that they must have made a mistake when setting up the account.
Customer service representatives then, amazingly, allowed them to authenticate simply by identifying the two most recently called phone numbers. As the report concludes, persuading someone to call an unknown number would be fairly straightforward, requiring nothing more than leaving voicemails or sending text messages. Three providers even sometimes accepted incoming calls as authentication, which means an attacker need do nothing more than place a call from a burner phone to the victim's phone.
Once the SIM swap is complete, many online services allow a forgotten password to be reset by sending a reset code or link via SMS. That message would then go to the attacker, who resets the password and takes over the account.
The report also found weak authentication checks in use at all carriers. One example was asking for the last payment made to the account, a check that an attacker could easily subvert.