At least five US carriers and 17 online services that rely on a phone number for authentication use methods that leave users vulnerable to malicious SIM swaps. That is according to a recently published study from the Department of Computer Science and the Center for Information Technology Policy at Princeton University, by Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan.
The researchers set out to test whether a SIM swap could be obtained from a carrier without proper vetting of the caller. The underlying problem turns out to be the replacement process itself: the procedure meant to move a customer's number onto a new SIM when a phone or SIM is lost is exactly what an attacker abuses.
Which carriers were affected and how were the SIM swaps conducted?
The carriers affected are AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless, which between them cover the largest US networks and two of their prepaid resellers. Sprint was not part of the study; since it is being merged into T-Mobile, it is fair to assume the same exposure there, even though Sprint's network historically did not rely on SIM cards in the same way.
The procedure the researchers followed at each carrier was straightforward. They opened 50 prepaid accounts, 10 per carrier, each tied to its own phone, and used them to place calls so that every account built up a realistic history. Then, for each account, they called the carrier's customer support line.
On each call the researcher identified themselves as the account holder and asked for the number to be moved to a new SIM. The carrier asked for authentication, usually the account PIN, and the researchers deliberately failed that check.
Having failed the PIN check, the callers were offered a secondary authentication question instead. The example the researchers give is a question about recent account activity, specifically the numbers recently called from the account. The researchers supplied those details and the number was moved to a new SIM with no further questions.
That means an attacker who knows those secondary details can walk straight through the process without ever learning the primary credential, the account PIN. Recent-call details are easy to obtain and, worse, easy to manufacture: they can be found online, phished, or planted outright by tricking the victim into dialing numbers the attacker controls. A knowledge-based question whose answer the attacker can observe or influence is no substitute for a secret only the account holder has, and a failed PIN check should never silently downgrade to a weaker one; as practiced, the carriers' primary security control is effectively bypassed.
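To make the failure concrete, here is an added example that models the authentication flow the study describes. It is constructed for this article, not code from the researchers or any carrier: the account data, phone numbers, PINs and ICCIDs are made up, and names such as Account, SwapRequest, authenticate_vulnerable and authenticate_hardened are hypothetical. The vulnerable policy accepts recent-call knowledge as a fallback after a failed PIN; the hardened policy refuses that downgrade, locks out repeated PIN failures, and requires a possession or identity proof before a SIM change.

```python
# Added example (not from the article, the Princeton study, or any carrier):
# a constructed model of the SIM-swap authentication flow, vulnerable vs. hardened.
# All numbers, PINs and ICCIDs below are made up; the function names are hypothetical.
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    msisdn: str
    pin: str
    sim_iccid: str
    recent_outgoing: List[str] = field(default_factory=list)  # newest first
    failed_pin_attempts: int = 0


@dataclass
class SwapRequest:
    claimed_pin: Optional[str]          # None models "I don't remember my PIN"
    claimed_recent_calls: List[str]     # numbers the caller says they dialed
    new_sim_iccid: str
    possession_proof: bool = False      # one-time code to the current SIM, or in-store ID check


def pin_matches(account: Account, claimed: Optional[str]) -> bool:
    """Constant-time comparison so a wrong PIN is not distinguishable by timing."""
    if claimed is None:
        return False
    return hmac.compare_digest(account.pin.encode(), claimed.encode())


def recent_calls_kba(account: Account, claimed: List[str], window: int = 5, required: int = 2) -> bool:
    """The fallback the study found: name numbers you recently dialed.
    Anything the caller can observe, phish, or induce the victim to dial counts."""
    return len(set(claimed) & set(account.recent_outgoing[:window])) >= required


def authenticate_vulnerable(account: Account, req: SwapRequest) -> Tuple[bool, str]:
    """Flow as reported: a failed or unknown PIN quietly downgrades to recent-call KBA."""
    if pin_matches(account, req.claimed_pin):
        return True, "pin"
    if recent_calls_kba(account, req.claimed_recent_calls):
        return True, "recent-calls"
    return False, "denied"


MAX_PIN_ATTEMPTS = 3


def authenticate_hardened(account: Account, req: SwapRequest) -> Tuple[bool, str]:
    """No downgrade from PIN to activity questions, lockout on repeated failures,
    and a SIM change additionally needs proof of possession or an identity check."""
    if account.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
        return False, "locked"
    if not pin_matches(account, req.claimed_pin):
        account.failed_pin_attempts += 1
        return False, "pin-required"
    if not req.possession_proof:
        return False, "possession-proof-required"
    return True, "pin+possession"


def apply_swap(account: Account, req: SwapRequest, policy) -> Tuple[bool, str]:
    """Only move the number to the new SIM when the chosen policy accepts the caller."""
    ok, reason = policy(account, req)
    if ok:
        account.sim_iccid = req.new_sim_iccid
    return ok, reason


def attacker_scenario(policy):
    """Attacker has no PIN but earlier tricked the victim into dialing two numbers
    the attacker controls, so the victim's recent outgoing calls are known to them."""
    victim = Account("+15551230001", "4827", "8901000000000000001",
                     recent_outgoing=["+15559990001", "+15559990002", "+15551112222"])
    req = SwapRequest(claimed_pin=None,
                      claimed_recent_calls=["+15559990001", "+15559990002"],
                      new_sim_iccid="8901000000000000999")
    return apply_swap(victim, req, policy), victim.sim_iccid


def owner_scenario(policy):
    """Legitimate holder: knows the PIN and completes the possession/identity step."""
    owner = Account("+15551230002", "7731", "8901000000000000002",
                    recent_outgoing=["+15550000001"])
    req = SwapRequest(claimed_pin="7731", claimed_recent_calls=[],
                      new_sim_iccid="8901000000000000777", possession_proof=True)
    return apply_swap(owner, req, policy), owner.sim_iccid


if __name__ == "__main__":
    for name, policy in (("vulnerable", authenticate_vulnerable), ("hardened", authenticate_hardened)):
        print(name, "attacker:", attacker_scenario(policy))
        print(name, "owner:   ", owner_scenario(policy))
```

Under the vulnerable policy the attacker's request is approved on the strength of "recent-calls" and the victim's number lands on the attacker's SIM; under the hardened policy the same request stops at "pin-required" and the ICCID is unchanged, while the real owner still succeeds. The possession proof is deliberately left abstract: when the pretext is a lost phone, a code sent to the current SIM cannot be received, so the fallback has to be an out-of-band identity check rather than a question whose answer the attacker can stage.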
Not the first time and probably not the last either
While the details surrounding the research are alarming, SIM swaps and related attacks aren’t at all uncommon.
In August 2018, for example, Michael Terpin filed a $224 million lawsuit against one of the carriers in this study, AT&T, after his number was swapped and he suffered financial losses. The suit also alleged that the company had not done enough to protect his account after an earlier attack: AT&T had added extra protective measures to the account, yet those appear to have failed anyway.
Since the researchers have shown the process to be easy to replicate, the carriers evidently have not changed enough, and that is unlikely to change without a serious overhaul of how each US carrier authenticates SIM swap requests.