The weakest link
"SIM-swapping attacks conducted by phone, which represent only 1 per cent of SIM-swapping requests"
Why would a criminal use a different method, when you make it so easy and don't care?
Four Princeton University eggheads have published a report showing that the five major US mobile carriers implement weak authentication techniques, leaving customers vulnerable to SIM-swapping attacks that transfer victims' phone numbers to devices controlled by scammers. Such attacks have been a problem for years, but have …
When it comes to security, my experience is that companies will change only when:
1. They lose money
2. They violate the law and someone goes to jail. Note that Paying a small fine is just considered the Cost of Doing Business.
3. The CEO loses his job.
The reason ATT is using the excuse that it is an industry wide problem? They can punt on the solution for a few more years and not do anything.
Any law that will be passed will be watered down to reduce the fines.
Somebody should explain to the carriers that the only thing they need to do to solve this problem is to stop accepting SIM switch requests by phone. No additional costs involved, and they are all white and fluffy, and can scream about it in their advertisements. Profit!
There's the problem. All the providers I've used in Germany won't transfer a number to a new SIM. If your SIM is lost, stolen or damaged, they block it immediately and they send out a new one to the registered address or you can go to the local store and identify yourself (account info + national identity card/passport).
If you want an additional card, they will only send that to the registered account holder's home address.
Under extreme circumstances, with company phone contracts, I have spoken to our rep at the telco and they have arranged for a courier to deliver a new card to an employee who is away from base for a prolonged period. But that requires me to call from a registered telephone number, I have to correctly identify myself and our account and the courier will require an ID card on delivery.
Well, I've always chosen the 2FA OTP application route. Glad I always click "Use App" where possible despite many services warnings of "Use your phone number! It's safer!".
But with that said, in this modern age, it's relatively simple to add extra security for a sim card holder to prevent this. They should do more to stop this.
In the U.S., there are many places where you aren't so close. They have to balance the security of requiring people to go there with the convenience of not requiring people who don't live in an urban area to travel well out of their way. I think that they could handle this by sending a replacement card to the address of the user, which would work for a legitimate request (almost always) and wouldn't require the user to go to the store. Letting someone at a call center change the card without security controls is a very bad decision. The two of those physical methods would work reasonably well for any account with an address or ID attached. Prepaid accounts set up without identification might be different, but I believe they are becoming rarer and rarer.
Is that really too much to require?
Ummmm, some of the criminals are making fake ID. Do you trust yourself to see the difference from identical ID, but with different pictures? I myself have not seen the actual IDs, but I have heard that they are very hard to tell the difference. I am not sure that picture ID will meet what the standards should be, but they will meet the minimum.
It's not an infallible solution, but a perfectly unbeatable solution would likely require far too much effort on the part of the user. If we require an ID check, then a criminal needs to make a fake ID and physically go to a store. That increases the costs to them such that they can no longer outsource it or do several in a day. If the target is high-value enough, they can still succeed, but it will take more effort and there will be many more possibilities for them to mess up and trigger an alert. In addition, if they do try, they have now committed forgery and fraud and I think the police will be more interested in stopping them.
Biting the hand that feeds IT © 1998–2020