Five U.S. telecommunications companies vulnerable to SIM swapping, study finds

Five of America’s leading prepaid wireless carriers are vulnerable to SIM jacking, according to an academic study published yesterday by Princeton University. In this attack, an attacker calls a mobile service provider and tricks a telecommunications employee into moving a phone number to an attacker-controlled SIM card, which lets the attacker reset passwords and access sensitive online accounts, such as email inboxes, online banking portals, and even cryptocurrency trading systems.

(From Apple, via ZDNet)

Academics spent much of last year testing five major U.S. carriers to see if they could trick call center employees into moving a user’s phone number to another SIM card without providing proper credentials.

The team noted that AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless were all found to be using vulnerable procedures in their customer support centers, allowing attackers to launch SIM swap attacks.

In addition, the team analyzed 140 online services and websites and found 17 on which attackers could use a SIM swap attack to hijack users’ accounts.

To conduct the research, the team created 50 prepaid accounts (10 per carrier) and made real calls with each one on its own dedicated phone.

After a while, the research team began calling the call centers of various telecommunications companies and making similar requests.

(Pictured: Lee et al)

The idea was that the attacker would call the telecommunications company’s support center to request a SIM card change, but deliberately provide the wrong PIN and account owner details.

When giving incorrect answers to security questions such as date of birth or billing code, the research assistant would explain that they had been careless when signing up, might have provided wrong information, and could no longer recall it.

At this point, after both authentication mechanisms fail, the telecommunications company switches to a third method: asking for details of the last two calls made.

In a more elaborate attack, an attacker can first trick the victim into calling a specific phone number and then supply that call as the answer, which defeats this line of defense.

The researchers say they have successfully tricked all five U.S. prepaid wireless carriers.

By the time the study’s results were published yesterday, the team had already notified the affected parties. After reviewing the results of the study, T-Mobile decided to no longer use call records for customer authentication.

Unfortunately, there are still four carriers that are using vulnerable authentication processes.