back to article Relying on AT&T, Verizon and T-Mob US to protect you from SIM swapping? You better get used to disappointment

Four Princeton University eggheads have published a report showing that the five major US mobile carriers implement weak authentication techniques, leaving customers vulnerable to SIM-swapping attacks that transfer victims' phone numbers to devices controlled by scammers. Such attacks have been a problem for years, but have …

  1. Richard Boyce

    The weakest link

    "SIM-swapping attacks conducted by phone, which represent only 1 per cent of SIM-swapping requests"

    Why would a criminal use a different method, when you make it so easy and don't care?

  2. Foxglove

    Bullshit

    'AT&T declined to comment because SIM-swapping attacks represent "an industry-wide issue and not specific to AT&T."'

    Yes, not specific to AT&T but including AT&T.

    What a bunch of cunts.

  3. A random security guy

    Carriers will not change unless forced to

    When it comes to security, my experience is that companies will change only when:

    1. They lose money

    2. They violate the law and someone goes to jail. Note that Paying a small fine is just considered the Cost of Doing Business.

    3. The CEO loses his job.

    The reason ATT is using the excuse that it is an industry wide problem? They can punt on the solution for a few more years and not do anything.

    Any law that will be passed will be watered down to reduce the fines.

    1. EnviableOne Silver badge

      Re: Carriers will not change unless forced to

      or with their Lacky Mr Pai at the FCC just not materialise

    2. Danny Boyd

      Re: Carriers will not change unless forced to

      Somebody should explain to the carriers that the only thing they need to do to solve this problem is to stop accepting SIM switch requests by phone. No additional costs involved, and they are all white and fluffy, and can scream about it in their advertisements. Profit!

  4. big_D Silver badge

    A SIM the scammer has...

    There's the problem. All the providers I've used in Germany won't transfer a number to a new SIM. If your SIM is lost, stolen or damaged, they block it immediately and they send out a new one to the registered address or you can go to the local store and identify yourself (account info + national identity card/passport).

    If you want an additional card, they will only send that to the registered account holder's home address.

    Under extreme circumstances, with company phone contracts, I have spoken to our rep at the telco and they have arranged for a courier to deliver a new card to an employee who is away from base for a prolonged period. But that requires me to call from a registered telephone number, I have to correctly identify myself and our account and the courier will require an ID card on delivery.

    1. EnviableOne Silver badge

      Re: A SIM the scammer has...

      this is a case of fool me once ...

      https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

      also the implementation of PSD2

  5. JakeMS
    Mushroom

    Well

    Well, I've always chosen the 2FA OTP application route. Glad I always click "Use App" where possible despite many services warnings of "Use your phone number! It's safer!".

    But with that said, in this modern age, it's relatively simple to add extra security for a sim card holder to prevent this. They should do more to stop this.

  6. Phage

    Had exactly this experience with Vodafone in the UK.

    Name address and DOB was enough to lose the number for quite a while. Customer Service was not helpful, forcing me through many hoops of self identification which were apparently not required of the thieves !

  7. Claptrap314 Silver badge

    In person show ID?

    Is that really too much to require? In metro areas, you are literally within 5 miles of one of these stores for Verizon. I expect other carriers are the same.

    1. doublelayer Silver badge

      Re: In person show ID?

      In the U.S., there are many places where you aren't so close. They have to balance the security of requiring people to go there with the convenience of not requiring people who don't live in an urban area to travel well out of their way. I think that they could handle this by sending a replacement card to the address of the user, which would work for a legitimate request (almost always) and wouldn't require the user to go to the store. Letting someone at a call center change the card without security controls is a very bad decision. The two of those physical methods would work reasonably well for any account with an address or ID attached. Prepaid accounts set up without identification might be different, but I believe they are becoming rarer and rarer.

      1. Danny Boyd

        Re: In person show ID?

        I wonder, if you are too far from the provider's outlet to come and swap the SIM card (of this provider), where did you get the said card in the first place?

        1. Charles 9 Silver badge

          Re: In person show ID?

          Many years ago when you weren't so far away, or during one of those infrequent but planned trips into the city. There's planned...and there's unplanned.

    2. gnarlymarley Bronze badge

      Re: In person show ID?

      Is that really too much to require?

      Ummmm, some of the criminals are making fake ID. Do you trust yourself to see the difference from identical ID, but with different pictures? I myself have not seen the actual IDs, but I have heard that they are very hard to tell the difference. I am not sure that picture ID will meet what the standards should be, but they will meet the minimum.

      1. doublelayer Silver badge

        Re: In person show ID?

        It's not an infallible solution, but a perfectly unbeatable solution would likely require far too much effort on the part of the user. If we require an ID check, then a criminal needs to make a fake ID and physically go to a store. That increases the costs to them such that they can no longer outsource it or do several in a day. If the target is high-value enough, they can still succeed, but it will take more effort and there will be many more possibilities for them to mess up and trigger an alert. In addition, if they do try, they have now committed forgery and fraud and I think the police will be more interested in stopping them.

  8. gnarlymarley Bronze badge

    SIM swapping is only a major problem if you use 2FA. Without 2FA, an attacker has no need to try to do SIM swapping. Interesting that the attackers get the phone number to use with SIM swapping by hacking the original source.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020