That kind of SIM-swapping technique could be used by attackers to gain control of a victim’s phone number. They can then use that number to reset the victim’s passwords and access, say, their emails and bank accounts.
To test the carriers’ security measures, they called the companies to request for a SIM swap and intentionally provided the wrong PIN number to force the customer service rep to try another authentication method. When asked for the account holder’s date of birth or billing ZIP code, they’d say that they must’ve made a mistake upon signup and provided the wrong information.
The customer service rep would then have to move to a third type of authentication method, which is asking the caller for their two most recently made calls. It was through this method that the researchers were successfully able to complete the SIM swaps. And that’s alarming, since attackers can easily trick victims into calling random phone numbers.
In addition, the researchers examined 140 popular online sites and services that use phone authentication to see what attackers can do with the numbers they hijack. They were easily able to reset passwords on 17 of those services using only the hijacked SIMs, since they weren’t asked additional authentication questions.
The Princeton researchers provided a copy of their findings to the carriers last year, and T-Mobile notified them this month that it doesn’t use call logs as a form of authentication anymore. We’ve reached out to the other four carriers for a statement.
Update 1/13/2019 2:45 AM ET: A T-Mobile spokesperson has given Engadget the following written statement: “We take the protection of our customers’ accounts very seriously. We have implemented many safeguards and will make continuous improvements as we need to respond to new risks. Most recently, this included changing our authentication processes on T-Mobile prepaid accounts to prevent the use of call log information for authentication.”
Verizon SVP Nick Ludlum has also responded to Engadget with the following written statement: “Wireless operators are committed to protecting consumers and combating SIM swap attacks. We continuously review and update our cybersecurity practices and develop new consumer protections. We all have a role to play in fighting fraud and we encourage consumers to use the many tools highlighted in this study to safeguard their personal information.”