Most wireless carriers in the United States are
vulnerable to SIM swapping attacks and lack proper procedures to fend off
hackers and other bad actors, Princeton researchers have found.
SIM swapping became a popular attack method during the
Bitcoin boom as hackers targeted Bitcoin wallets protected by SMS two-factor
authentication (2FA). It took off and is now used in other scenarios as well,
although other forms of multi-factor authentication (MFA) are slowly taking
over, providing a more secure environment.
Even though SMS-based authentication is no longer
considered safe, plenty of online services out there continue to offer it at
least as an alternative for authentication, if not the primary method.
As the Princeton study shows, the major wireless carriers
in the United States, including AT&T, T-Mobile, Tracfone, US Mobile, and
Verizon Wireless, have weak security procedures that attackers can overcome
with minimal effort.
“To quantify the downstream effects of these
vulnerabilities, we reverse-engineered the authentication policies of over 140
websites that offer phone-based authentication. We rated the level of
vulnerability of users of each website to a SIM swap attack,” state the
researchers of the study.
Researchers were also able to go through the entire
attack chain, allowing them to perform a SIM swap attack, but accounts on 17
websites could be compromised by using the information strictly from the SIM
In a SIM swap attack, the attacker impersonates the owner
of a phone number and places a call to the carrier. The goal is to change the
number from an existing SIM to a new one. The carrier has a few security
procedures to make sure the caller is the owner of the SIM.
And this is where things go wrong, as the Princeton
researchers pointed out. While there are several security questions and hoops,
most can be bypassed with nothing more than data purchased from data aggregators.
Wireless carriers usually stop asking as soon as one question is answered
correctly. At the very least, they should require that all questions be answered
correctly.
Just like in all situations involving bad actors,
security is only as good as the weakest link in the attack chain. In this instance,
there are several weak links along the way, starting with the mobile carriers
who don’t perform their due diligence and ending with websites that still use
SMS-based authentication despite its proven vulnerabilities.
Users are advised to drop SMS two-factor authentication
whenever possible and to pay attention to SMS messages carrying security codes
that they did not request.