• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Researchers Find Unauthorized SIM Swaps Way too Easy to Perform

January 17, 2020 By Trevor Collins

Mobile Phone

Recently, vulnerabilities in SMS-based multi-factor authentication (MFA) have been highlighted in the news. While stories like these highlight individual instances showing the threat possibilities, a recent study on SIM swaps sheds light on how easy an adversary could take over your phone number. Using no previous knowledge of the user besides the name and phone number of the user, the researchers in this study swapped the sim every time without fail for the major networks like T-Mobile, Verizon, and AT&T. They also tested smaller carriers like Tracfone and US Mobile, for which some attempts failed. In some instances, they found the customer representatives gave hints on answers to authorization questions.

Researchers used previously dialed numbers as the primary method to falsify authentication to the carriers –an authentication method most users aren’t aware of. This works on all three of the primary carriers tested, T-Mobile, Verizon, and AT&T. Verizon and AT&T also accepted previous payment date. Anyone can add minutes to a phone without authorization so one could easily add minutes to the target phone then falsely authorize a sim swap with the previous billing date. Carriers used many other authentication types that security professionals don’t consider safe as well.

Sorting through a list of websites supporting some form of MFA, the researchers found 156 websites allowed SMS in their authentication method. Some websites even use one-step SMS for authentication. Meaning, if you can access the user’s SMS messages then you have access to their account without the need for a password.

The research paper concludes that the use of SMS for authentication should be discouraged. Websites should not use SMS for authentication and users should avoid it whenever possible. We fully agree on this. Alternative MFA methods exist, like Authpoint’s mobile push-based method. It secures the connections so no one can listen in and swapping to a new phone requires administrative intervention to ensure only authorized users have access. So long as the administrator in charge of the MFA app follows best practices this eliminates almost all vulnerabilities found in using SMS for MFA.

Share This:

Related

Filed Under: Editorial Articles

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Malvertising, Ransomware, and Alleged IRS Breach
  • Law Enforcement Infiltrate and Seize Hive Ransomware Operation
  • The RCE Vulnerability That Wasn’t
  • Cybersecurity News: ACLU Unveils Mass Surveillance Program, (More) Malvertising, and Breaches

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • CISA Warns of Weaponized RMM Software
  • Cybersecurity News: ACLU Unveils Mass Surveillance Program, (More) Malvertising, and Breaches
  • Law Enforcement Infiltrate and Seize Hive Ransomware Operation
  • Report Roundup
  • Cybersecurity News: Malvertising, Ransomware, and Alleged IRS Breach
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use