New research shows it’s really, really easy to carry out a SIM-swap attack

Which means it’s also simple to intercept two-factor authentication attempts.


Phone numbers might seem immovable, but they’re actually pretty easy to change if you have the right access. New research from Princeton University reveals that it might be all too easy, in fact — even for phone numbers that don’t belong to you. Researchers were able to request SIM swaps at five major U.S. carriers without any authentication.

Worse than just intercepted calls — SIM swapping, which allows the phone number attached to a SIM card to be changed, lets attackers receive all phone calls and text messages associated with the swapped phone number. That includes any attempts at two-factor authentication. A site’s SMS-based authentication doesn’t do much good when your linked phone number now belongs to someone else’s SIM card.

The researchers tested 140 sites with two-factor authentication and found that 17 of them could be compromised with a simple SIM swap.

It’s simple: say you forgot the answer — The Princeton researchers were actually met with some attempt at authentication; it just wasn’t very secure. Okay, it wasn’t secure at all. In many instances, researchers were able to simply coerce the carrier by stating they’d forgotten the answers to their security questions. Some carriers authenticate with incoming calls — which can easily be spoofed. The researchers were able to perform unauthorized SIM swaps on cards from AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless.

Set a PIN and don’t use SMS authentication — The study’s conclusions make it clear that phone providers need to revamp their security, especially when so many important transactions can be completed over the phone. Hopefully this won’t take too long with such damning evidence. According to the project’s website, T-Mobile has already changed its customer authentication methods.

In the meantime, many carriers allow a four-digit PIN to be attached to your wireless account, which should make it more difficult for a SIM swap to be authorized. And you might want to switch to a different method of two-factor authentication, seeing as text messages can be easily intercepted.