SIM Swapping is in the news again, reminding us that the US has let this madness continue while other countries have taken strong steps to stop it. The latest headlines involve hijacked celebrity Twitter accounts (Jessica Alba's, and even that of Twitter's own CEO), but most SIM swaps target ordinary people, with far more damaging results.
The small removable SIM card in your mobile phone identifies it to your carrier's network, so your phone number follows the SIM. A SIM swap attack never touches your handset: the criminal convinces your mobile carrier, usually by social engineering its customer service staff, to move your number from its current SIM to one the attacker controls. (A related attack, an unauthorized port-out, moves the number to a different carrier entirely; the effect is the same.) Once your number is hijacked, every call and text meant for you reaches the attacker instead, and a variety of follow-on attacks become possible, including bank account takeover by subverting SMS-based two-factor authentication.
Mobile carriers defend against SIM swapping in different ways, and the protections vary considerably by carrier and by country. Within the US alone they range widely:
AT&T customers can enable PIN authentication for service calls, including SIM swaps, but the feature appears to be off by default.
Sprint may require customers to authenticate with a PIN or one-time passcode, but only when its fraud systems flag a SIM swap request as suspicious.
T-Mobile reportedly has an undocumented NOPORT setting that flags certain transactions for in-store customer authentication, but T-Mobile refuses to discuss or confirm it. T-Mobile does perform online PIN authentication for most SIM swap requests.
Verizon recently rolled out a new procedure that disables cellular service on a SIM card when it gets swapped unexpectedly or moved to a different phone. Verizon also allows customers to request a “port freeze” or activate 2-factor SMS authentication.
Banks have led the calls for telecom providers to do more, because a SIM swap is so often followed by mobile banking fraud. After hijacking an account holder's number, an attacker can intercept the texts needed for a two-factor account takeover (ATO), and also the calls from the bank's fraud department that would otherwise alert the victim.
Early Warning Services (EWS), owned by a consortium of major US banks, has pressured American carriers to share SIM swap notifications so banks can act to protect their customers. Carriers do share some limited data, but Early Warning has stated "they could be sharing more." Mobile carriers in other countries share these notifications in real time, but the US telecom trade association (CTIA) claims this is harder in the US because of the volume of data involved. Banking insiders suspect the real reason is that banks don't want to pay carriers enough to make the service profitable.
There is plenty of blame to go around among US banks, carriers, and government, but the problems also point to solutions:
Banks shouldn't rely on SMS-based two-factor authentication (2FA); SMS was an insecure channel even before the rise of SIM swapping, since messages travel unprotected through the carriers' signaling network, are routinely phished, and have been a "restricted" authenticator in NIST's SP 800-63B guidance since 2017. Even weak 2FA is still better than a password or PIN alone, but banks should invest in stronger multifactor options such as authenticator apps or hardware security keys, and some have.
Mobile carriers should share SIM swap data with banks in real time (through EWS), as carriers in other countries do. They should also adopt a consistent set of industry-wide defenses: robust customer authentication by default, optional port freezes and NOPORT-style holds, and continuous SIM monitoring of the kind Verizon recently implemented.
The US government shouldn't discourage carriers from making these changes, as it arguably does today by making phone number portability a higher priority than security. That may require the FCC to change the way it operates the Number Portability Administration Center (NPAC), or even amendments to the Telecommunications Act of 1996.
SIM swapping can be tamed if we have the will to do it. Tell your mobile carrier you want it to do more to protect you. Tell your bank the same. And tell your member of Congress to make this a priority.
If you think you may be the victim of a SIM swap attack, here's what you should do.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.