Researchers at Princeton University have published a report which states that five major US telecommunications companies are vulnerable to SIM swapping attacks.
In a SIM swapping attack, attackers call a telecommunications company, deceive its staff and persuade them to reassign the victim's number to a SIM card controlled by the attackers.
The Princeton researchers conducted the research for a year. During this time, they examined five major US telecommunications companies. In particular, they wanted to see whether they could deceive call center employees into reassigning a user's phone number without giving them the correct data and credentials.
According to the research, the popular companies AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless use procedures that attackers could exploit to perform SIM swapping attacks.
The researchers also examined 140 online services and websites to see which of them could be exploited by hackers to compromise user accounts. 17 of the 140 websites were actually vulnerable to this type of attack.
For their research, the researchers dealt with the five telecommunications companies as ordinary customers, used SIM cards (10 from each company) and made calls in order to create a realistic call history.
Later, the researchers called the companies' customer service centers and asked for a SIM card change, deliberately providing an incorrect PIN and incorrect account holder information.
According to the procedures followed by the companies, a caller who does not provide the above information (PIN and account holder details) correctly has to provide details about the last two calls made from the number.
The research team says an attacker could deceive a victim into calling certain numbers before attempting the SIM swapping attack, in order to know the details of the latest calls. For example, the attacker might say to the victim: "You won a prize, call here. Sorry, wrong number, call here." The attacker then has the data for the last two calls (if the victim falls into the trap).
The Princeton researchers said that they used this trick and managed to deceive all five US companies.
In the end, the researchers informed the companies about the security issues, but as of a few days before the report was published, four of the five providers were still using the same procedures. Only T-Mobile changed its procedures after the investigation.
Services and websites
As for online services and websites (social media networks, e-mail providers, websites, cryptocurrency sites, and more), researchers looked at the authentication procedures they used.
Once the researchers had carried out the SIM swapping attack and had the victim's number under their control, they could access the victim's accounts at 17 of these sites.
The account recovery process for these sites was based solely on verification through SMS. Once the researchers (or attackers) control the victim's number, they also control the SMS messages sent to it, and so they can access the victim's other accounts.
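The following Python example is an addition to this article, not code from the study. It audits a site's login and recovery policy to determine whether control of the phone number alone is enough to reach a login, including cases where one reset unlocks another. The site names, factor names and policy format are constructed for illustration.

```python
"""Audit which account configurations fall to control of the phone number alone."""

# Constructed sample policies (hypothetical sites, not data from the study).
# "login": alternative factor sets, any one of which grants access.
# "recovery": factor -> alternative factor sets that let a user reset it.
SITES = {
    "sms-only-recovery": {
        "login": [{"password", "sms"}],
        "recovery": {"password": [{"sms"}]},
    },
    "email-gated-recovery": {
        "login": [{"password", "sms"}],
        "recovery": {"password": [{"email", "sms"}]},
    },
    "chained-recovery": {
        "login": [{"password", "totp"}],
        "recovery": {"totp": [{"sms"}], "password": [{"totp", "sms"}]},
    },
    "app-only": {
        "login": [{"password", "totp"}],
        "recovery": {"password": [{"email"}], "totp": [{"backup_code"}]},
    },
}


def takeover_chain(policy, held=("sms",)):
    """Return the ordered list of factors reset on the way to a login,
    or None if the held factors never satisfy any login option."""
    held, chain = set(held), []
    changed = True
    while changed:  # fixed point: keep resetting factors until nothing new
        changed = False
        for factor, options in policy["recovery"].items():
            if factor not in held and any(opt <= held for opt in options):
                held.add(factor)
                chain.append(factor)
                changed = True
    if any(opt <= held for opt in policy["login"]):
        return chain
    return None


def audit(sites):
    """Map each site name to its takeover chain (None means SMS alone is not enough)."""
    return {name: takeover_chain(policy) for name, policy in sites.items()}


if __name__ == "__main__":
    for name, chain in audit(SITES).items():
        print(f"{name}: {'EXPOSED via ' + str(chain) if chain is not None else 'ok'}")
```

A site is reported as exposed whenever some sequence of SMS-verified resets ends in a satisfiable login, which is why a policy that never accepts SMS at login can still fail the audit.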
More details are provided in the paper entitled "An Empirical Study of Wireless Carrier Authentication for SIM Swaps".