A study from Princeton University revealed that five major telecommunication providers in the U.S. are vulnerable to SIM swapping attacks.
According to the researchers at Princeton, AT&T, T-Mobile, Tracfone Wireless, US Mobile, and Verizon Wireless were found to be applying insecure procedures with their customer care centers, which could be exploited by attackers to launch SIM swapping attacks. They also tried to trick their customer support into changing a user’s phone number to another SIM without providing proper credentials. It’s said that researchers used 50 SIM cards, 10 with each provider, to call the telco’s customer support.
To quote from the study: “We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers. We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed.”
Besides, the research team also evaluated the authentication processes of 140 online services and websites that offer phone-based authentication. The results stated that 17 of the 140 websites were vulnerable and allow a malicious actor to compromise the account with a SIM swapping attack. The Princeton researchers also notified their findings to all the affected companies.
The researchers said, “When providing incorrect answers to personal questions such as date of birth or billing ZIP code, research assistants would explain that they had been careless at signup, possibly having provided incorrect information, and could not recall the information they had used.”
What’s a SIM Swapping Attack?
A SIM Swapping attack is one of the simplest ways for cybercriminals to bypass users’ 2FA protection. In a SIM swap attack, the attacker calls service providers and tricks them into changing a victim’s phone number to an attacker-controlled SIM card. This allows the attacker to reset passwords and gain access to victims’ sensitive data.
In September 2019, Twitter CEO & Co-founder Jack Dorsey’sTwitter account was compromised by a hacking group named Chuckle Squad. Hackers used SIM Swapping Attack technique to take over Dorsey’s account by exploiting the cell carrier vulnerability, which enabled them to post anti-Semitic comments in his account feed. However, Twitter officials clarified that his account is now fixed and there is no sign that Twitter’s systems have been hacked.