Hide Techdirt is off for the long weekend! We'll be back with our regular posts tomorrow.

Study Shows The Internet Is Hugely Vulnerable To SIM Hijacking Attacks

from the ill-communication dept

U.S. Wireless carriers are coming under heavy fire for failing to protect their users from the practice of SIM hijacking. The practice usually involves conning or bribing a wireless employee to port a victim’s cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Carriers are facing numerous lawsuits from victims who say attackers used the trick to first steal their identity, then millions in cryptocurrency, or even popular social media accounts.

Last week, six lawmakers, including Ron Wyden, wrote to the FCC to complain the agency isn’t doing enough (read: anything) to pressure carriers into shoring up their flimsy security. This week, a group of Princeton researchers released a study showcasing how both traditional and prepaid wireless carriers remain incredibly vulnerable to such attacks despite several years worth of headlines. In the full study (pdf, hat tip ZDNet), the researchers showed how it was relatively easy to trick wireless company support employees into turning over far more private data than they should, helping to facilitate the illicit SIM swap:

“When providing incorrect answers to personal questions such as date of birth or billing ZIP code, [research assistants] would explain that they had been careless at signup, possibly having provided incorrect information, and could not recall the information they had used,” researchers said, explaining the motives they provided to call center staff.”

After failing the first two steps in confirming a caller’s identity, wireless carriers then move on to a third confirmation option — verifying the last two numbers called from the account. But researchers note that was easy to game as well:

“The research team says that an attacker could trick a victim into placing calls to specific numbers. For example, a scenario of “you won a prize; call here; sorry, wrong number; call here instead.” After the attacker has tricked the SIM card owner into placing those two calls, they can use these details to call the telco’s call center and carry out a SIM swap. Princeton researchers said they were able to trick all five US prepaid wireless carriers using this scenario.”

Despite warning all five of the carriers they tested this trick on, four of the five still hadn’t fixed their security gaps as of the study’s publication. After showcasing how vulnerable mobile carriers are, the researchers took a closer look at what could be done once they had taken over a user’s wireless accounts. As such they tested the multi-factor-authentication practices of 140 of the most popular services and sites, and found that 17 of those services had no systems in place to protect users from SIM hijacking (such as emailing users a one time password to confirm identity and verify the changes were actually requested).

Here’s where, in a functional market with a functioning government, regulators would step in to pressure carriers to do more to actually protect consumers. Instead, the Trump FCC has spent the last three years rubber stamping every fleeting whim of the sector, including gutting most meaningful oversight of the sector, and rubber stamping massive mergers the majority of objective experts say will harm the market.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Study Shows The Internet Is Hugely Vulnerable To SIM Hijacking Attacks”

Subscribe: RSS Leave a comment
urza9814 (profile) says:

Re: Re: Re:

The title is fairly accurate IMO, as the attack relies on number portability. The FCC requires providers to allow wireless numbers to be portable, but they are not required to allow you to transfer a landline number, and many carriers just won’t do it. Since you’re far less likely to be able to port a landline number, it’s far less likely that this kind of attack would succeed.

Anonymous Coward says:

You know you can get your account locked with a code. If I call them up, even with all my normal info and want to do anything, I have to tell them my code number. I keep that number stored in LastPass in the Notes area for my normal T-Mobile Online account, that way I can look it up easily enough on whatever device is handy. You don’t want to lose the number.

Anonymous Coward says:

Re: Re: Re:

Rather, they know the actual data about the actual numbers/connections for both ends of the system if they care to check.

It’s not so simple to decide what to do with that data. Some spoofing is legitimate; e.g., you call a toll-free customer service number, and they later call you back with caller ID showing the number you had dialed—even though the real originating number is some probably-foreign call center with a different phone number.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...