Researchers at Princeton University evaluated the SIM authentication procedures at five prepaid U.S. wireless carriers, and found that they all used insecure authentication challenges that could easily be subverted by attackers.
The researchers examined authentication mechanisms in place for swapping prepaid SIM cards at AT&T, T-Mobile, Tracfone, US Mobile and Verizon by signing up for 50 prepaid accounts (10 with each carrier), and subsequently calling in to request a SIM swap on each account.
“Our key finding is that, at the time of our data collection, all 5 carriers used insecure authentication challenges that could easily be subverted by attackers,” they wrote in a paper published last week (PDF). “We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges. Within each carrier, procedures were generally consistent, although on 9 occasions across 2 carriers, CSRs either did not authenticate the caller or leaked account information prior to authentication.”
SIM swap procedures have valid purposes, such as when a user has misplaced their original device or acquired a new device that uses a different size SIM card slot than the device it’s replacing. But when hackers get involved, SIM swaps allow them to intercept calls and messages, impersonate victims and perform denial-of-service (DoS) attacks. They’ve been used to hack into social media accounts, steal cryptocurrencies and break into bank accounts.
The Princeton researchers conducted their experiments from May through July of 2019; in July 2019, they provided an initial notification of their findings to the carriers they studied and to CTIA. In January 2020, T-Mobile informed them that after reviewing the research, it had discontinued the use of call logs for customer authentication.
Jeff Moore, principal of Wave7 Research, said the Princeton study is helpful, as it highlights the need for carriers to improve their authentication policies. T-Mobile has already tightened its defenses again SIM swap fraud, he noted, adding that there have been some high-profile cases of fraudsters using this scam to gain control of a person’s Twitter or Instagram account.
“One thing missing from the study is save desks,” Moore said. “Some carriers, upon hearing about a customer’s intention to change carriers, will quickly send the customer to a save desk, which is basically a customer service group that specializes in persuading customers to remain with their carrier. Sometimes, save desk referrals occur when a customer calls in to request his account number, which is often an indicator that the customer is planning to switch to another carrier.”
The researchers are not the only ones concerned about SIM swap fraud. A group of senators last week sent a letter (PDF) to FCC Chairman Ajit Pai saying the impact of this type of fraud is large and rising. They asked the chairman to provide answers to a series of questions by February 14, including about how the FCC tracks incidents of SIM swapping or port-out fraud and any enforcement actions it has taken.
CTIA, the industry organization that represents operators cited in the study, said wireless operators are committed to protecting consumers and combating SIM swap attacks.
“We continuously review and update our cybersecurity practices and develop new consumer protections. We all have a role to play in fighting fraud and we encourage consumers to use the many tools highlighted in this study to safeguard their personal information,” said Nick Ludlum, SVP and chief communications officer at CTIA, in a statement.
FierceWireless reached out to the carriers cited in the report and did not hear back from all of them before deadline. An AT&T spokesman pointed to this blog the operator posted to inform consumers what they should be looking for and how to avoid getting scammed by a SIM swap. The blog notes that the scammers like to target people with valuable online accounts, which could include a financial account with a lot of money or a social media account with a large following.
US Mobile's security emphasis
US Mobile, an MVNO that uses the networks of Verizon and T-Mobile, posted this response to the Princeton study, noting it couldn’t speak to specific details of the experiments but could surmise from the report that they were likely attempting these SIM swaps via phone calls to the support division.
“Security is a top priority for us at US Mobile and we are always seeking to improve and lead the industry in customer security and privacy,” US Mobile COO Michael Melmed told FierceWireless via email. “For us, as a purely digital carrier whose business takes place entirely online, customer service interactions over the phone represent less than 10% of our total interactions. Furthermore, customers requesting account changes such as SIM swaps over the phone are very rare (<1%). So as a starting point, the 10 experiments likely did not reflect the majority of US Mobile customers or interactions.”
With that being said, “We are always looking for ways to improve and that's why sensitive account changes such as SIM swaps are no longer possible over the phone. They can only be requested while securely logged in to our progressive web app with additional OTP validations,” he said.
In addition, “we believe the best security measures comes from leveraging technology with AI, ML and big data because it helps create more secure environments without creating road blocks and additional hassle for our customers. Arguably, every technique in their Table 1 on its own is vulnerable and can be greatly enhanced by the types of technology and tools we have in the backend.”