Five Major US Wireless Carriers Are Vulnerable to SIM Swapping

Silviu STAHIE

January 16, 2020

Update: This article on HotForSecurity was meant to raise awareness on the issues and challenges posed by SMS-based two-factor authentication and why users should consider replacing it with something else (app-based token generators, security keys or already-authenticated devices).

A missing paragraph on better alternatives to SMS 2FA modified the original message so that it appeared we were recommending that users disable SMS 2FA altogether. This was flagged by several community members on Twitter, and we have taken the necessary steps to address it.

Bitdefender highly encourages users to adopt two-factor authentication as an additional mechanism to prevent unauthorized logins. If no alternative is available, SMS-based 2FA is still a better option than none. We have strongly advocated the necessity of 2FA in the past and we developed several guides to help users set up two-factor logins for their accounts.

Original story:

Most wireless carriers in the United States are vulnerable to SIM swapping attacks and lack proper procedures to fend off hackers and other bad actors, Princeton researchers have found.

SIM swapping became a popular attack method during the Bitcoin boom as hackers targeted Bitcoin wallets protected by SMS two-factor authentication (2FA). It took off and is now used in other scenarios as well, although other forms of multi-factor authentication (MFA) are slowly taking over, providing a more secure environment.

Even though SMS-based authentication is no longer considered safe, plenty of online services out there continue to offer it at least as an alternative for authentication, if not the primary method.

As the Princeton study shows, the major wireless carriers in the United States, including AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless, have weak security procedures that attackers can overcome with minimal effort.

“To quantify the downstream effects of these vulnerabilities, we reverse-engineered the authentication policies of over 140 websites that offer phone-based authentication. We rated the level of vulnerability of users of each website to a SIM swap attack,” state the researchers of the study.

The researchers were also able to walk through the entire attack chain and perform a SIM swap attack end to end; they found that accounts on 17 websites could be compromised using strictly the information obtained from the SIM swap alone.

In a SIM swap attack, the attacker impersonates the owner of a phone number and places a call to the carrier. The goal is to change the number from an existing SIM to a new one. The carrier has a few security procedures to make sure the caller is the owner of the SIM.

And this is where things go wrong, as the Princeton researchers pointed out. While there are several security questions and other hoops, most can be bypassed with nothing more than data obtained from data aggregators. Wireless carriers usually stop asking once one of the questions is answered correctly. At the very least, they should require that all questions are answered correctly.

Just like in all situations involving bad actors, security is only as good as the weakest link in the chain. In this instance, there are several weak links along the way, starting with the mobile carriers that don't perform their due diligence and ending with websites that still use SMS-based authentication despite its proven vulnerabilities.

People should use more secure multi-factor authentication solutions such as authenticator apps or security keys, whenever possible. It’s also a good idea to pay attention to SMS messages with security codes that are not generated at their request.

While SMS 2FA is broken as a security solution, it’s still better than not having anything at all as it can act as a deterrent if no other solution is available for that particular service.
