Four-fifths of SIM-swap fraud attempts successful

A study by Princeton University has revealed that the authentication procedures used by five leading US pre-paid carriers when a customer attempted to change their SIM card used insecure authentication challenges that could be easily subverted by attackers.

The study, An empirical study of wireless carrier authentication for SIM swaps, by Kevin Lee, Ben Kaiser, Jonathan Mayer and Arvind Narayanan, set out from the baseline that the procedures in question were an important line of defence against attackers. These attackers seek to hijack victims’ phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses.

The team noted that SIM-swap attacks allow attackers to intercept calls and messages, impersonate victims, and perform denial-of-service (DoS) attacks, and added that they have been widely used to hack into social media accounts, steal cryptocurrencies, and break into bank accounts.

Warnings have existed since 2016 distinguishing SMS-based authentication from other out-of-band authentication methods due to heightened security risks, including SIM change.

Princeton examined the types of authentication mechanisms in place for such requests at five US pre-paid carriers – AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless – by signing up for 50 prepaid accounts, 10 with each carrier, and subsequently calling in to request a SIM swap on each account.

The methodology used to quantify the downstream effects of the vulnerabilities saw the research team reverse-engineer the authentication policies of more than 140 websites that offer phone-based authentication.

The team rated the level of vulnerability of users of each website to a SIM-swap attack. It found 17 websites on which user accounts can be compromised based on a SIM swap alone, such as without a password compromise.

The key finding from the research was that all five carriers used insecure authentication challenges that could easily be subverted by attackers. Princeton also found that in general, callers only needed to successfully respond to one challenge to authenticate, even if they had failed numerous prior challenges.

In each carrier, procedures were generally consistent, although on nine occasions across two carriers, customer service representatives (CSRs) either did not authenticate the caller or leaked account information prior to authentication.

The research also discovered that attackers generally only needed to target the most vulnerable authentication challenges because the rest could be bypassed.

In an evaluation of post-paid accounts at three carriers, the researchers said that they may have found some evidence that some carriers have implemented stronger authentication for post-paid accounts than for pre-paid accounts.

In July 2019, Princeton provided an initial notification of the findings to the carriers it studied and to the US trade association representing the wireless communications industry, the CTIA. In January 2020, T-Mobile informed Princeton that after reviewing its research, it has discontinued the use of call logs for customer authentication.

In a call to action following the research, Princeton advised carriers to discontinue the methods of customer authentication they were using and implement more secure practices.

In addition to calling on carriers to provide optional heightened security for customers, the team implored them to restrict customer support representative access to information before customers authenticated.

The researchers also recommended that websites employ threat modelling to identify vulnerabilities and implement at least one secure multi-factor authentication option.

Analysing the data, Aseem Sadana, group chief operating officer (COO )at cloud communications software and solutions provider IMImobile, observed that SIM-swap fraud was a big concern for the industry, and that the study from Princeton University highlighted that there was still a lot of work to be done. 

“Despite advances in technology, SIM-swap fraud continues to be difficult to detect and prevent, as fraudsters are adapting their techniques,” he said. “As such, mobile operators and banks need to work together to ensure their processes for detecting fraudulent activity are constantly evolving. 

“When it comes to customer data, such as SIM card information, device type and location, mobile operators and banks must be able to run checks in real-time, but at the moment many fraud prevention systems are still reliant on historical data.

“If they work with customer engagement specialists, both parties can put better practices and technologies in place to combat SIM-swap fraud, enabling them to identify risk before customers lose money,” he added.