A SIM is the (usually) hardware card that gives your phone its “personality”. The SIM is tied to the carrier and contains all the information that the phone needs to talk to your carrier.
As users SLOOOOWLY migrate to using text messages as an extra layer of authentication for logging in to a variety of online accounts, hackers need to figure out how to compromise that.
One way to do that is to tell your carrier that you have a new SIM (typically a new phone). If the hacker is successful, then all of the text messages (which may include password reset messages for things like your email or your bank account) are destined for you will go to the hacker, along with all of the money in your bank account.
In theory phone carriers are not supposed to do a “SIM swap” unless they know the request is coming from you.
But they want to be customer friendly and that is sometimes a challenge when it comes to security.
Recently some Princeton researchers did a test of five major phone carriers – AT&T, T-Mobile US, Tracfone, US Mobile and Verizon – and wrote a study regarding the carrier’s authentication procedures. The results were:
- AT&T – 10 out of 10 fraudulent swaps successful
- T-Mobile US – 10 out of 10 fraudulent swaps successful
- Tracfone – 6 out of 10 fraudulent swaps successful
- US Mobile – 3 out of 10 fraudulent swaps successful
- Verizon – 10 out of 10 fraudulent swaps successful
The problem is that the carriers want to make the process simple for their staff so they ask for secret information only you would know – like you address or email or date of birth. Not so secret.
Sometimes they will try to send a one time password to your phone but if you say that your phone isn’t working, they often give up.
You may remember that Jack Dorsey, the CEO of Twitter, got his own Twitter account hacked following a SIM swap. Source: The Register
If that doesn’t work, they bribe some phone company employees to give them remote access into the phone company systems so that they don’t have to bother trying to trick other employees – they can do the SIM swap themselves. They just enable RDP into the bribed employee’s workstation. Source: Motherboard
Several Congress-critters have written to the FCC’s chairman Ajit Pai suggesting that he do his job and actually regulate the carriers. Don’t count of the FCC doing anything useful.
One thing that you can do is ask the carriers what other security measures they have like passwords and PINs and other measures.
Of course you can lobby your Congress-critters to pass a law forcing the FCC to do what it should do. Of course the carriers don’t want to have to do any more work than they have to, so they will probably drop bags of cash in Congress to get them not to pass such a law (I guess I am a bit pessimistic that DC will actually do anything helpful).
Ultimately, it is important that yoou be vigilant because that is much less painful that trying to regain control of stolen accounts or getting your money back from your bank.