Most wireless carriers in the United States are vulnerable to SIM swapping attacks and lack proper procedures to fend off hackers and other bad actors, Princeton researchers have found.
SIM swapping became a popular attack method during the Bitcoin boom as hackers targeted Bitcoin wallets protected by SMS two-factor authentication (2FA). It took off and is now used in other scenarios as well, although other forms of multi-factor authentication (MFA) are slowly taking over, providing a more secure environment.
Even though SMS-based authentication is no longer considered safe, plenty of online services out there continue to offer it at least as an alternative for authentication, if not the primary method.
As the Princeton study shows, the major wireless carriers in the United States, including AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless, have weak security procedures that attackers can overcome with minimal effort.
“To quantify the downstream effects of these vulnerabilities, we reverse-engineered the authentication policies of over 140 websites that offer phone-based authentication. We rated the level of vulnerability of users of each website to a SIM swap attack,” state the researchers of the study.
The researchers were also able to walk through the entire attack chain, up to and including the SIM swap itself, and found that accounts on 17 websites could be compromised using nothing more than the information obtained from the SIM swap alone.
In a SIM swap attack, the attacker impersonates the owner of a phone number and places a call to the carrier. The goal is to change the number from an existing SIM to a new one. The carrier has a few security procedures to make sure the caller is the owner of the SIM.
And this is where things go wrong, as the Princeton researchers pointed out. While carriers do ask several security questions and put callers through a number of hoops, most of these can be bypassed with nothing more than data purchased from data aggregators. Wireless carriers usually stop asking once a single question is answered correctly. At the very least, they should require that all questions are answered correctly.
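The policy flaw described above can be modelled directly: a carrier's caller verification is a set of challenge questions plus a rule for how many of them must be answered correctly. The following Python block is an added illustration, not code from the article or from the Princeton study; the challenge names and the decision about which answers a data aggregator typically holds are constructed assumptions for the example. It audits three decision rules against a caller who knows only aggregator-sourced facts, showing why "stop at the first correct answer" fails where "all answers must be correct" does not.

```python
"""Model of a wireless carrier's caller-verification policy (illustrative).

Constructed example: the challenge set and the aggregator_knows flags are
assumptions chosen to mirror the article's description, not data from the
Princeton study.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set

@dataclass(frozen=True)
class Challenge:
    name: str
    # True if the answer is the kind of personal data a commercial data
    # aggregator typically holds (assumption for this example).
    aggregator_knows: bool

# Constructed challenge set; names are illustrative placeholders.
CHALLENGES = (
    Challenge("date_of_birth", aggregator_knows=True),
    Challenge("home_address", aggregator_knows=True),
    Challenge("last_payment_amount", aggregator_knows=False),
    Challenge("recently_dialled_numbers", aggregator_knows=False),
    Challenge("account_pin", aggregator_knows=False),
)

# A policy maps {challenge name: answered correctly?} to a pass/fail decision.
Policy = Callable[[Dict[str, bool]], bool]

def stop_on_first_correct(answers: Dict[str, bool]) -> bool:
    """Weak rule from the article: one correct answer is enough."""
    return any(answers.values())

def require_all_correct(answers: Dict[str, bool]) -> bool:
    """Stricter rule the article recommends: every answer must be correct."""
    return all(answers.values())

def require_at_least(k: int) -> Policy:
    """Threshold rule: at least k correct answers are required."""
    return lambda answers: sum(answers.values()) >= k

POLICIES: Dict[str, Policy] = {
    "stop_on_first_correct": stop_on_first_correct,
    "require_at_least_3": require_at_least(3),
    "require_all_correct": require_all_correct,
}

def answer_sheet(challenges: Iterable[Challenge], known_facts: Set[str]) -> Dict[str, bool]:
    """Which challenges a caller answers correctly, given the facts they hold."""
    return {c.name: c.name in known_facts for c in challenges}

def aggregator_only_passes(policy: Policy, challenges: Iterable[Challenge]) -> bool:
    """Does a caller holding only aggregator-sourced data pass this policy?"""
    challenges = tuple(challenges)
    known = {c.name for c in challenges if c.aggregator_knows}
    return policy(answer_sheet(challenges, known))

def legitimate_owner_passes(policy: Policy, challenges: Iterable[Challenge]) -> bool:
    """Sanity check: the real subscriber, who knows every answer, must pass."""
    challenges = tuple(challenges)
    return policy(answer_sheet(challenges, {c.name for c in challenges}))

def audit(challenges: Iterable[Challenge] = CHALLENGES) -> Dict[str, bool]:
    """For each policy, True means an aggregator-only caller would be accepted."""
    challenges = tuple(challenges)
    return {name: aggregator_only_passes(p, challenges) for name, p in POLICIES.items()}

if __name__ == "__main__":
    for name, exposed in audit().items():
        print(f"{name:24s} aggregator-only caller accepted: {exposed}")
```

With the constructed challenge set, two of the five answers are aggregator-sourced, so the "stop on first correct" rule accepts the impostor while the threshold and all-correct rules reject them; the owner, who knows every answer, passes under all three. A practitioner auditing a real policy would replace the constructed flags with the actual challenge inventory and the honest assessment of which answers are purchasable.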
Just like in all situations involving bad actors, security is only as good as the weakest link in the attack chain. In this instance, there are several weak links along the way, starting with the mobile carriers who don’t perform their due diligence and ending with websites that still use SMS-based authentication despite its proven vulnerabilities.
Users are advised to drop SMS two-factor authentication whenever possible and to pay attention to SMS messages with security codes that are not generated at their request.