Princeton researchers find some carriers will help criminals steal your SIM

Android Lock Screen
Android Lock Screen (Image credit: Android Central)

What you need to know

  • Princeton researchers wanted to know if 2FA is secure using SMS as a factor.
  • Researchers called carriers trying to transfer (steal) accounts to new SIM cards.
  • Major carriers made it easy to steal prepaid accounts, confirming that SMS is not a secure 2FA method.

Researchers at Princeton University were questioning whether SMS text messaging is a secure authentication method to use as one factor in a two-factor authentication (2FA) setup. The answer turned out to be a resounding no, especially as the team started to attack prepaid plans on the largest mobile carriers.

If an attacker can gain control of a phone number by switching a victim's account to the attacker's SIM card, the attacker can then hijack the verification process that uses SMS by receiving the authenticating text messages instead of the victim. In ten out of ten attempts to steal numbers from prepaid customers on AT&T, Verizon, and T-Mobile, researchers were able to transfer the account to their own SIM card. Attempts on Tracfone and US Mobile were less successful, but those carriers were not completely secure.

In some instances, researchers called trying to steal a user's identity and the customer service representative guided them to the correct identity verification answers, or simply gave the attacker access even after they had guessed incorrectly. The researchers found vast inconsistency, occasional failures to verify identity altogether, and generally enough weakness in the security policies to recommend avoiding SMS as a password authentication method altogether. Since the study was revealed to carriers last year, T-Mobile has said it has updated its verification methods to be avoid less secure checks.

The report suggests carriers abandon all of the lousy, insecure methods currently in use and switch to secure methods like an account password/PIN, or at least a one-time code sent directly to the user via SMS or email. Many of the current forms of identification like street address, date of birth, and some credit card information can be found through public record searches. Identifying info, such as the date of the victim's last payment or the phone numbers of recent callers, can be manipulated or spoofed to fool representatives. Websites are also recommended to cease using SMS as part of a multi-factor authentication scheme.

Two-factor authentication: Everything you need to know

Philip Berne