Study Shows The Internet Is Hugely Vulnerable To SIM Hijacking Attacks
from the ill-communication dept
U.S. wireless carriers are coming under heavy fire for failing to protect their users from the practice of SIM hijacking. The practice usually involves conning or bribing a wireless employee to port a victim’s cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Carriers are facing numerous lawsuits from victims who say attackers used the trick to first steal their identity, then millions in cryptocurrency, or even popular social media accounts.
Last week, six lawmakers, including Ron Wyden, wrote to the FCC to complain the agency isn’t doing enough (read: anything) to pressure carriers into shoring up their flimsy security. This week, a group of Princeton researchers released a study showcasing how both traditional and prepaid wireless carriers remain incredibly vulnerable to such attacks despite several years’ worth of headlines. In the full study (pdf, hat tip ZDNet), the researchers showed how it was relatively easy to trick wireless company support employees into turning over far more private data than they should, helping to facilitate the illicit SIM swap:
“‘When providing incorrect answers to personal questions such as date of birth or billing ZIP code, [research assistants] would explain that they had been careless at signup, possibly having provided incorrect information, and could not recall the information they had used,’ researchers said, explaining the motives they provided to call center staff.”
After failing the first two steps in confirming a caller’s identity, wireless carriers then move on to a third confirmation option — verifying the last two numbers called from the account. But researchers note that was easy to game as well:
“The research team says that an attacker could trick a victim into placing calls to specific numbers. For example, a scenario of ‘you won a prize; call here; sorry, wrong number; call here instead.’ After the attacker has tricked the SIM card owner into placing those two calls, they can use these details to call the telco’s call center and carry out a SIM swap. Princeton researchers said they were able to trick all five US prepaid wireless carriers using this scenario.”
Despite warning all five of the carriers they tested this trick on, four of the five still hadn’t fixed their security gaps as of the study’s publication. After showcasing how vulnerable mobile carriers are, the researchers took a closer look at what could be done once they had taken over a user’s wireless accounts. To that end, they tested the multi-factor authentication practices of 140 of the most popular services and sites, and found that 17 of those services had no systems in place to protect users from SIM hijacking (such as emailing users a one-time password to confirm identity and verify the changes were actually requested).
Here’s where, in a functional market with a functioning government, regulators would step in to pressure carriers to do more to actually protect consumers. Instead, the Trump FCC has spent the last three years rubber-stamping every fleeting whim of the sector, including gutting most meaningful oversight of the sector, and rubber-stamping massive mergers the majority of objective experts say will harm the market.