Princeton study: US carriers do little to protect customers from SIM-swap attacks

nanoguy

In brief: If you're using SMS for two-factor authentication into your online accounts, you may want to change that as soon as possible. According to Princeton researchers, five of the largest US carriers are doing little to protect you from SIM swapping attacks, which give attackers an easy way to reset your passwords and access your sensitive data or impersonate you online.

While it's always a good idea to use multi-factor authentication to secure your online accounts, it doesn't mean you're entirely safe from everyone who wants to steal sensitive personal data.

According to a study from Princeton University, five of the largest US prepaid carriers fail to protect you against something referred to by experts as a "SIM-swap" attack. We have covered this type of theft several times in the past.

The way it works is that an attacker persuades a carrier to reassign the victim's phone number to a new SIM card without going through all the standard security questions meant to verify the caller's identity. This effectively lets the scammer hijack the victim's phone number, receive their SMS two-factor authentication codes, and use them to reset passwords on important online accounts such as email and banking.

The researchers signed up for 50 prepaid accounts on Verizon, AT&T, T-Mobile, US Mobile, and Tracfone, and spent most of 2019 looking for ways they could trick call center operators into attaching their phone numbers to new SIMs. What they found was that they only needed to respond successfully to one security challenge to get it done, even after multiple failed attempts, which they report didn't raise any red flags.

After intentionally providing wrong PINs, they were asked to verify other details like zip codes or other facts about the real account holder. The researchers told call center employees they couldn't recall that information, at which point, the standard procedure appeared to be to ask about the most recent two calls made from their number.

That is the weakness that makes the process exploitable. Attackers can easily trick someone into calling specific numbers using websites promising one thing or another. The researchers also found that 17 out of 140 online services using SMS for two-factor authentication don't employ any other method of verifying your identity, making it even easier for scammers to commit identity theft or steal victims' personal information.

The experts at Princeton notified the carriers, and T-Mobile told them earlier this month that it's no longer using call logs as an authentication method. Others, like Verizon and US Mobile, said they had received less than 1 percent of their SIM swapping requests over the phone, and that they are continually updating their cybersecurity practices.

The obvious conclusion is to stay away from using SMS as a form of two-factor authentication, and instead use an authenticator app. For those of you who own an Android phone, Google allows you to use your phone as a physical two-factor authentication key, which is about the safest method there is.

"The obvious conclusion is to stay away from using SMS as a form of two-factor authentication, and instead use an authenticator app. "

Always a good idea, but do any of those US carriers use an authenticator app?? Heck, even many banks don't use them and rely on SMS notifications!

Unlike the EU, consumer protection is not really a priority in the US... and whatever protection was in place, our fearless leader and his pathetic gang are busy dismantling it.
 
and followed by

HUH? Did I miss something there -- looks to me as if SMS is Phone 2FA
For phones, there's SMS and authentication apps. SMS doesn't require the physical device, only the ability to receive SMS messages for a given phone number, which is vulnerable to SIM swapping.

Authentication apps (which can be referred to as a physical 2FA key) aren't vulnerable to this kind of attack because it's (supposed to be) a sandboxed app that generates 2FA codes without any external communication. To generate these codes, it requires the app to scan a QR code (or manually enter a secret key) to set it up initially and provide a unique seed value only available within the authentication app. If you get a new phone without backing up the software of the original device, then you lose the access you had with the old phone.

For extra security and safety (in case of losing a device), there are also physical keys that communicate with a phone and/or computer via USB and/or RFID and store the secret keys/seed values to allow an authentication app to generate the 2FA codes. Some apps may also back up these seed values in the cloud behind a login for extra safety (to prevent being locked out).
 
The annoying thing about authenticator apps is companies are developing their proprietary 2FA apps and preventing you from using any other authenticator app to enable 2FA on their service. Some examples include Steam Guard Mobile Authenticator, Xfinity Authenticator, IRS2Go, and E*Trade Security ID. I'd like to punch whoever thought this was a good idea in the face.

Different 2FA apps and different passwords for each website both share a common problem. No one wants to provide a secure framework that everyone can use that is trustworthy. In the end we have dozens of different flawed implementations whose goal is to only cover the basics and that don't really care should security in fact be breached. After all, there really isn't any penalty for losing customer data to hackers. Just ask Equifax.
 
Regardless of what the service is or who provides it, the laws of the land need to be a lot stronger in requiring and holding accountable the "providers". Just like merchandise and/or equipment, they should be liable for it as well as how it performs. If we go after major retailers like Ikea there is absolutely no reason not to hold those major carriers equally responsible.
 
Using Google 2FA is recommended in the article:

Google's option only works with Google apps and accounts, Google Chrome on Windows 10 and Android 7 or higher.

Hardly a drop-in replacement for everyone.

This type of attack isn't going to be random, and according to the source links in the article, Bitcoin seemed to be the target, and rightfully so since no one is just going to call providers to swap SIMs without knowing the person or whether it will be worth doing.

Is this still a concern? Sure. Am I worried? Not yet.