New sim swap hacks highlight carriers’ wobbly security
Martha Degrasse, Light Reading

Diagram demonstrating how the attack works

Researchers at Princeton University called three of the four major [US] carriers and tried to convince customer service representatives to move phone numbers to new sim cards. Verizon, AT&T and T-Mobile each received ten calls from the researchers, who posed as customers.

Astoundingly, in all 30 cases the fake customers successfully convinced the carriers to move the numbers to new sim cards.

This matters because so many other services (such as banking systems) rely on SMS for authentication. If you only need to convince one customer service representative to swap a phone number, you could potentially have access to… almost anything.

Duncan Stephen


Comments

  1. This doesn’t surprise me. The online method of phone-number swapping doesn’t generally need much in the way of security (one password, that’s generally sent to the SIM in question). I don’t think phone companies consider phone number/SIM combos to be the security measure they’re often used for. This is the fault of the app creators, because phone number/SIM combo, to my knowledge, wasn’t meant to be a security measure either.
