It's even more ridiculous for a telco CSR to transfer his number to another provider without doing any sort of proper validation beforehand. A simple callback to ensure that the person calling was indeed the owner of the number would have prevented all of this.
I've been doing this to get by SMS-based two-factor in pen tests for years. The only time it didn't work is when I'd forgotten part of the auto process so I'd hang up and try again.
Because support teams aren't coordinated with call attempts you can essentially brute force the process.
Also the online portals for number transfer are notoriously weak. There was one MVNO I used for years because their website did no server-side auth and I could transfer numbers to new SIMs at will.
SMS as an authentication transport is beyond useless - nobody should be implementing it.
Does the provider that currently holds the number need to release the number when it's transferred? Or can any random provider port out my number from my current provider?
Most countries have number portability laws now that say the current provider has to release the number.
They can't even hold it over an unpaid debt. Worse, a lot of these laws have government SLAs in them that say x% of transfers have to happen within 2-3 hours (usually 90-99%).
There is zero incentive from any party to add friction to the process for authentication purposes.
It really got easy when I noticed the process was automated by a lot of providers a few years ago. I really don't think there was any human oversight on many of these transfers (perhaps a rubber stamp from a cheap offshore pair of eyes for compliance purposes).
The last time I transferred my mobile number, the telco wanted to have the IMSI as well. Then what my phone reported was not what they wanted, so it took a while to sort that out.
But it seems secure enough. It is not easy to get an IMSI for a random phone number.
> It is not easy to get an IMSI for a random phone number
This is easy if you have an SS7 network connection. Comparable to the difficulty of resolving a DNS name to an IP address using an internet connection.
Don't forget number porting is recently new. The FCC started requiring carriers do it in 2003. Since the telcos were forced to do it, you think they are going to put any effort into it unless legally required to do so? They don't care.
There have literally been hundreds of cases reported in the media in the last few years where the phone company ported a phone number either without verification or with "verification" (easily found information) and the victim had their accounts stolen. This has been a documented problem.
Phone companies seem to be starting to take the issue more seriously as of the last few months due to the aforementioned bad press. Verizon just forced me to create a PIN by Jan 24th, 2017. So I didn't have a PIN until less than a month ago.
Landline & VoIP providers rarely have a PIN or security question on file, and CLECs like Level 3 (who supplies Twilio and many others) will approve nearly any port since their customers don't keep customer service records for each number on file with them.
Legally there isn't much you can do beyond a snapback either; depending on how the line is classified, you have to complete a simple port within 24hrs if the CSR (customer service record) matches.
Generally, if the CSR partially matches what the new provider gives, the port will be approved as the old CLEC doesn't want any escalation of a port.