- Five wireless carriers including AT&T, T-Mobile, Verizon, Tracfone, and US Mobile were found to be vulnerable.
- SIM swapping scams have become a popular attack vector for cybercriminals.
A study by Princeton University researchers showed that five of the major US wireless carriers are susceptible to SIM swapping attacks. The five wireless carriers are AT&T, T-Mobile, Verizon, Tracfone, and US Mobile.
Brief detail about SIM swapping
SIM swapping, also known as port-out or SIM swap scams, has become a popular attack method for cybercriminals. A basic attack scenario involves attackers using social engineering to gain control of the target user’s phone number. From there, they can break into the victim’s banking, social media and other accounts that use the same phone number for multi-factor authentication.
What does the new study reveal about carrier providers?
- To test the resilience of carriers, the researchers created 10 simulated identities that had different names, dates of birth and addresses.
- For each identity, they registered a prepaid account with all five wireless carrier providers. They then created a trail of phone calls and text messages for each registered phone number.
- Later, a small portion of the researchers posed as bad actors and called in the companies’ customer support representatives for sharing personal details. They pretended to be the actual user of the phone number and convinced the representatives to share the date of birth, or billing ZIP code.
- Researchers noted that would-be scammers need to answer just one of the questions asked by customer representatives for authentication to gain control of a victim’s phone number.
What are the other findings?
The researchers also analyzed 145 websites - that use phone-based authentication - to understand the impact of SIM Swap scams. Out of these, researchers could easily compromise 17 websites with just a SIM swap.
How did the companies respond?The wireless carriers have been notified about the shortcomings of their authentication procedures. T-Mobile has responded to the issue by discontinuing the use of call logs for customer authentication, says the study.