Oh, the times we are living in. The good old days of number transfer scams are somewhat exhausted, it seems, as carriers are more "woke" to the problem now, and have put safeguards against unauthorized number porting.
Even if you take all the port-out scam precautions that T-Mobile, Verizon, AT&T or Sprint now require, like extra port validation pins or passwords, you can still get bamboozled out of access to a sought-after account by another method - SIM swapping.
When you lose or damage your SIM card, or you get a phone that uses a different card size, you can ask your carrier to activate a new one, right? Well, it turns out that there aren't nearly as many safeguards against SIM swapping. If it doesn't work with one rep, a scammer can call other stores in the region until one of them activates the number on a phone the scammer controls, effectively rerouting all security code confirmation text messages to it.
If the victim is at home, they may not even notice they lost signal as they'll be browsing on Wi-Fi, too. How widespread is the phenomenon? Very, as there are numerous incidents reported each day of social media or bank accounts hacked via SIM swapping. What are the carriers doing about it?
Verizon, T-Mobile and AT&T scored 10 out of 10 for ease of SIM swapping
Not much at the moment, it turns out, at least according to a Princeton University study (PDF) done by scientists in its Department of Computer Science and Center for Information Technology Policy. Titled "An Empirical Study of Wireless Carrier Authentication for SIM Swaps," the paper discusses findings from an experiment that the researchers (Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan) did in May, June and July last year.
They signed up for 50 accounts, 10 with each of the largest prepaid carriers in the US - Tracfone, AT&T, T-Mobile, US Mobile and Verizon - and contacted their customer service departments in order to initiate a SIM swap citing various legit reasons. The results?
They found "weak authentication schemes and flawed policies at 5 US mobile carriers from the prepaid market," and these weaknesses manifested in straightforward SIM swaps without the correct identification. The paper is worth reading in its entirety, but we'll just lift several anecdotes from the researchers' paper here so that one can realize the scale of the problem just this past summer:
2. Some carriers allow SIM swaps without authentication. Tracfone and US Mobile did not offer any challenges that our simulated attacker could answer correctly.
However, customer support representatives at these carriers allowed us to SIM swap without ever correctly authenticating: 6 times at Tracfone and 3 times at US Mobile.
3. Some carriers disclose personal information without authentication, including answers to authentication challenges:
• AT&T. In 1 instance, the representative disclosed the month of the activation and last payment date and allowed multiple tries at guessing the day. They also guided us in our guess by indicating whether we were getting closer or further from the correct date.
• Tracfone. In 1 instance, the representative disclosed the service activation and expiration dates. Neither are used for customer authentication at Tracfone.
• US Mobile. In 3 instances, the representative disclosed the billing address on the account prior to authentication. In 1 instance, a portion of the address was leaked. In 1 instance, part of the email address was disclosed. In 3 instances, the representative disclosed portions of both the billing address and email address.
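As an added illustration (not code from the paper or from any carrier), the sketch below shows a challenge check that avoids the failures quoted above: it caps attempts, answers only pass, fail or locked, and reveals nothing about the stored date. The class name, the two-attempt cap and the sample date are assumptions made for the example; the fractions show how disclosing the month and allowing unlimited tries change the odds of a blind guess.

```python
import hmac
from datetime import date
from fractions import Fraction

MAX_ATTEMPTS = 2  # assumed policy value, not a figure from the paper


class ChallengeSession:
    """One caller's attempts at a date-based challenge (hypothetical design)."""

    def __init__(self, expected: date, max_attempts: int = MAX_ATTEMPTS):
        self._expected = expected.isoformat().encode()
        self._left = max_attempts
        self.audit = []  # for fraud review only, never read back to the caller

    def answer(self, guess: str) -> str:
        """Return only 'verified', 'rejected' or 'locked'."""
        if self._left <= 0:
            self.audit.append("attempt after lockout")
            return "locked"  # even a correct answer is refused from here on
        self._left -= 1
        # Whole-value, constant-time comparison: no partial-match signal.
        if hmac.compare_digest(guess.strip().encode(), self._expected):
            return "verified"
        self.audit.append("wrong answer")
        # No month, no "closer/further" hint: the reply carries one bit only.
        return "locked" if self._left == 0 else "rejected"


def blind_success_chance(candidates: int, attempts: int) -> Fraction:
    """Chance that `attempts` distinct blind guesses hit one of `candidates`
    equally likely values."""
    return Fraction(min(attempts, candidates), candidates)


if __name__ == "__main__":
    session = ChallengeSession(date(2019, 6, 14))  # constructed sample date
    for guess in ("2019-06-10", "2019-06-20", "2019-06-14"):
        print(guess, "->", session.answer(guess))
    print("capped, nothing disclosed:", blind_success_chance(365, MAX_ATTEMPTS))
    print("capped, month disclosed:  ", blind_success_chance(31, MAX_ATTEMPTS))
    print("month disclosed, no cap:  ", blind_success_chance(31, 31))
```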
So, how many times were the researchers able to carry through with the SIM swaps, regardless of the safeguards set in place? You may be surprised to hear that the swap went through in 10 out of 10 attempts at AT&T, T-Mobile and Verizon, whereas specialized prepaid brands like Tracfone and US Mobile managed to hold the fort a bit better.
The researchers first shared their results with carriers and the CTIA, then ran another pass in the fall and with postpaid accounts, albeit with inconclusive results. Prepaids are much easier to obtain without credit history and harder to authenticate, of course, and therefore more vulnerable to SIM swaps. When asked for comment by Fierce Wireless, US Mobile COO Michael Melmed answered the following, which is probably valid for the other such carriers in the study group, too:
...customers requesting account changes such as SIM swaps over the phone are very rare (<1%). So as a starting point, the 10 experiments likely did not reflect the majority of US Mobile customers or interactions.
We are always looking for ways to improve and that's why sensitive account changes such as SIM swaps are no longer possible over the phone. They can only be requested while securely logged in to our progressive web app with additional OTP validations.
...we believe the best security measures come from leveraging technology with AI, ML and big data because it helps create more secure environments without creating road blocks and additional hassle for our customers. Arguably, every technique in their Table 1 on its own is vulnerable and can be greatly enhanced by the types of technology and tools we have in the backend.