2FA-beating SIM swap attacks still far too easy, warn researchers

Thirty-nine out of 50 SIM swap attempts by US-based researchers proved successful

Two-factor authentication security based on text messaging remains wide open to SIM swapping attacks, researchers at Princeton University have warned.

SIM swapping is a type of fraud in which attackers trick mobile carriers' customer service staff into transferring a mark's mobile phone number to a SIM card controlled by the hacker. A successful attempt enables hackers to hijack the user's online accounts, such as email, banking or cryptocurrency trading accounts, by changing their passwords.

In the latest study, researchers examined whether they could trick customer service staff at five US mobile operators - namely Verizon, AT&T, T-Mobile, US Mobile and Tracfone - into changing a user's mobile SIM without providing proper credentials.

They created 50 prepaid accounts - 10 accounts for each carrier - and all 50 SIM cards were used on a separate phone. These cards were then used to make real calls, in order to generate a realistic call history.

After some time, the researchers called the customer care staff at the respective companies and asked them to change their SIM card.

During the process, wrong details were provided about the account owner, such as an incorrect billing postal code or date of birth. The researchers told the staff that they had been careless at the time of account sign-up and were unable to recall the correct information.

The researchers said they were able to trick all five mobile carriers, and out of 50 SIM swap attempts, 39 were successful.

All 10 swaps involving Verizon, AT&T, and T-Mobile were successful. In the case of US Mobile and Tracfone, three and six attempts were successful, respectively.

Researchers say they also examined about 140 websites, including online wallets, cryptocurrency exchanges, and crypto-related websites, to determine whether they allowed hackers to access user accounts following SIM swap attacks.

Eighty-three websites were found to be "insecure" or accessible with a password and SMS verification, according to researchers. Seventeen were "doubly insecure", meaning they could be accessed with SMS verification alone.

The findings of the study were submitted to all five phone carriers as well as CTIA.

Earlier this month, T-Mobile informed the research team that it had updated its security practices and was no longer using call logs for customer authentication.

The findings of this academic study were detailed in a draft paper [PDF] published on 10th January.