Carriers ignore studies that show they suck at preventing SIM-swap attacks

Now that many online services rely on sending SMSes to your phone to authenticate your identify, thieves and stalkers have created a whole "SIM swap" industry where they defraud your phone company or bribe employees to help them steal your phone account so they can break into all your other accounts.

In the years since SIM swap attacks were first publicized, carriers have faced litigation and congressional scrutiny for the role their lax security played in the attacks. They have added a suite of security measures that are supposed to staunch the bleeding, but as a recent study found, these measures present no real impediment to identity thieves — and after the study was completed, the carriers largely ignored it and its recommendations.

The study — conducted by Princeton's Center for Information Technology Policy (previously) details how researchers were able to bypass carrier security measures such as requiring people to give date of birth and billing ZIP codes by stating that they had been careless during the signup period and couldn't recall what answers they'd given previously. What's more, the researchers found it simple to bypass the carriers' requirement that the subscriber dial two phone numbers to confirm the swap — they just sent fraudulent texts to the real customers telling them they'd won a prize and asking them to dial a certain number to collect it, then followed up by saying they had sent the wrong number originally and asking the victim to dial the second number instead.

80% of the carriers whose security was bypassed in this manner took no steps to fix it.

Despite warning all five of the carriers they tested this trick on, four of the five still hadn't fixed their security gaps as of the study's publication. After showcasing how vulnerable mobile carriers are, the researchers took a closer look at what could be done once they had taken over a user's wireless accounts. As such they tested the multi-factor-authentication practices of 140 of the most popular services and sites, and found that 17 of those services had no systems in place to protect users from SIM hijacking (such as emailing users a one time password to confirm identity and verify the changes were actually requested).

An Empirical Study of Wireless Carrier Authentication for SIM Swaps [Kevin Lee, Ben Kaiser, Jonathan Mayer and Arvind Narayanan/Princeton]

Study Shows The Internet Is Hugely Vulnerable To SIM Hijacking Attacks [Karl Bode/Techdirt]