> What is a SIM-swap attack? It’s where a bad guy asks a carrier to port your cell-phone number to their phone.
How do they get away with this in practice? Can't the carrier phone the number for the SIM or txt to attempt to confirm the owner? Or send you an email or postal letter with a code? Or make you go to the store to show ID?
And if you claim to have no access to the above, send a txt/email/letter alert that you have 5 days to reply to before the switch happens?
Do any carriers advertise themselves as having strong security against SIM-swap attacks as a unique selling point?
Step 2: Sob story about how you lost your cell phone.
Step 3: Fake ID / Social engineering.
The five day wait would work well, though it doesn't protect against "I stole the phone and I yanked the SIM or looked at the push notification" attacks.
They could and it could be similar to emergency / fallback access in password managers. Send an SMS to the number (aka current SIM) before approving changes and force the person requesting the change to wait for X hours or days if there's no response to the SMS asking for authorization.
That's what the providers around me do, but I think it's because one of them got sued a while back and we only have about 3 providers pretending to be 10 different companies (aka fake competition).
Yep, I never understood that either.... you have to confirm your old number before you can transfer it to a new telco, so sim swaps are not really a thing.
But it's primarily a US problem, and they have a lot of ID problems, like using their SSN as "passwords", and other stuff that would be impossible anywhere else (like illegal immigrants getting jobs at large companies and enrolling their kids in schools without anyone verifying who they are).
Exactly, it wouldn’t be hard for the mobile providers to require sms confirmation and/or written authorisation before a number is ported out.
I don’t know if it’s government law or phone company laziness getting in the way of SIM security, but giving up on SIM security seems nonsensical and silly. Fix SIM porting security.
How do they get away with this in practice? Can't the carrier phone the number for the SIM or txt to attempt to confirm the owner? Or send you an email or postal letter with a code? Or make you go to the store to show ID?
And if you claim to have no access to the above, send a txt/email/letter alert that you have 5 days to reply to before the switch happens?
Do any carriers advertise themselves as having strong security against SIM-swap attacks as a unique selling point?