There's nothing you can do to prevent a SIM-swap attack


It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...!

Yes, users should probably take better care of their digital credentials and bury them in a digital vault. But there are some things which are simply impossible for a user to protect against. Take, for example, a SIM-swap attack.

You probably have your phone number tied to all sorts of important services. If you want to recover your email, log in to a bank, or prove your identity - you'll probably need to receive a call or SMS. If an attacker can take over your phone number, they're one step closer to taking over your accounts.

I keep saying "your phone number", but that's a clever lie. The phone number does not belong to you. It belongs to the network operator and they define which SIM the number points to.

This means a suitably authorised person at the telco can point "your" number to a new SIM card. That's helpful if you've lost your SIM but bad if an attacker wants to divert your number.

What can you do to stop this attack? Nothing.

Oh, you can have a strong and unique password on your account, and you can hope your telco uses TOTP and PassKeys. But it turns out that it is possible to bribe telco employees for the low, low price of US$1000.

If your security rests on a phone number, you've effectively outsourced your security to the most bribeable manager employed by your telco.

Now, I said there's nothing you can do. That isn't quite true. You can attempt to pen-test yourself.

Go to your phone company's account. Set a long and complex password. Change your mother's maiden name to HK2BY@]'PU,:!VQ;}baTj. Turn on every security measure you can find. Call the phone company from a different phone and explain that you lost your phone and want a new SIM card. If they ask for your mother's maiden name, say "Oh, I set it to a long stream of gibberish". If they ask where to send the SIM, give a trusted friend's address. If your phone company is negligent and sends out a new SIM on the basis of poor verification, then you should move your number to a more reputable provider.

It's good fun to try and social-engineer a call-centre worker for your own details. But it's probably illegal to try and bribe someone to hijack yourself.

Anyway, please try to remove your phone number as a critical lynchpin in your security regime.



5 thoughts on “There's nothing you can do to prevent a SIM-swap attack”

  1. says:

    you should move your number to a more reputable provider.

    Except there is no reputable provider. In the absence of liability to compensate for the externality that the cost of security is borne by the phone company and the cost of the breach borne by the customer, the executives make the rational decision to prioritize their bonuses over security. The same goes for the banks that use grossly insecure phone-based authentication instead of more expensive methods. If a law established using such is gross negligence and thus the banks were liable for any losses incurred, you can bet this would change overnight.

    In the US, you have the option to use a Google Voice number. As Google absolutely refuses to hire humans for customer service, there are no humans to social-engineer, or store employees to suborn. Sadly, it's not an option in the UK.

    Reply
  2. anon says:

    I can't stand corpware, and so apps and modern websites are of little use today.

    But I gave a past bank a chance, they had a mobile number and would use it with their standard security procedures and policies. Uh-oh.

    So the bank knew everything about me, because they had my money too (hang on, that sounds like a really crap deal). What I did for the phone number is bought a PAYG SIM (with some credit) and put it in the 2nd slot in my simple phone. I never gave anyone but the bank that phone number. The bank also did not have my normal phone number.

    I did not register the new PAYG SIM, meaning that if a scammer has all my data and can nearly get into the bank, they cannot use the same data to get into the mobile phone customer services, even if they find the private bank-only phone number. I set a password with the mobile phone customer services though, but when I did call once they didn't ask for it, and did credit top-up checks and the other things they ask for unregistered PAYG. Still questions a scammer couldn't answer, but that isn't the point.

    If "Hi, I'm from your bank" ever phoned, or texted me, on the wrong SIM, I would know it was a scammer. My actual bank was not allowed to use the phone number they had for anything, other than security stuff.

    A SIM per financial service is preposterous though, but that is the service economy: get the customers to do work for the company, and maybe more importantly, take on risk. Some kind of virtual SIMs might be plausible, but the unregistered PAYG is actually an important detail to the security I tried to add to online banking and bank services.

    Oh yeah, and if you call anywhere, always withhold your phone number. Orgs love hoovering data to auto-populate their user databases.

    Reply
  3. says:

    Have you tried this? Would love to know how you got on with social-engineering your own number!

    Reply
    1. @edent says:

      Yes. A few times when calling up from my own number, I've said "Oh, I just remember mashing the keyboard for my memorable name. It's probably gibberish." Every single time I've been told that they can't continue the call unless I know the 17th character etc.

      So I am fairly confident in my various ISPs.

      Reply
