An alarming test carried out by Princeton shows that the five largest US carriers fail to properly protect their customers against so-called SIM-swap attacks.
They were able to persuade the carriers to assign phone numbers to new SIMs without successfully answering any of the standard security questions. Once a phone number has been reassigned to a SIM in the possession of an attacker, they can reset passwords even on accounts protected by two-factor authentication (2FA)…
The Princeton study found that carriers would permit the reassignment even if the attacker had repeatedly given incorrect answers to security questions designed to ensure that they were the legitimate account owner.
We examined the types of authentication mechanisms in place for such requests at 5 U.S. prepaid carriers—–AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless–—by signing up for 50 prepaid accounts (10 with each carrier) and subsequently calling in to request a SIM swap on each account.
Our key finding is that, at the time of our data collection, all 5 carriers used insecure authentication challenges that could easily be subverted by attackers. We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges.
The method used was ridiculously simple: the caller claimed to have forgotten the answer to the primary security question, and then went on to claim that the reason they couldn’t answer questions about things like their date and place of birth is that they must have made a mistake when they set up the account.
Unbelievably, customer service representatives then allowed them to authenticate simply by naming the two most recent phone numbers called. As the study notes, it would be pretty simple to persuade someone to call an unknown number, simply by leaving voicemails or sending text messages. Three carriers even sometimes accepted incoming calls as authentication, meaning an attacker need do nothing more than call the victim’s phone from a burner phone.
Once the SIM swap is complete, many online services will allow someone to reset a forgotten password by sending a reset link via SMS. That message would then go to the attacker, who would reset the password and gain control of the account.
[A selection of] 17 websites across different industries have implemented authentication policies that would enable an attacker to fully compromise an account with just a SIM swap.
The study also found that all carriers used weak security challenges. For example, one was the last payment made on the account, which an attacker could subvert.
An attacker could purchase a refill card at a retail store, submit a refill on the victim’s account, then request a SIM swap using the known refill as authentication.
The ease with which SIM-swap attacks can be carried out underlines the weakness of text messaging as a form of 2FA. Always use an authentication app if offered the choice.
FTC: We use income earning auto affiliate links. More.