Carriers ignore studies that show they suck at preventing SIM-swap attacks

Originally published at:


So they are going to improve security by sending you two, separate SMS messages. That’s, like, double security, right?


When phone numbers become de facto required identity numbers for the corporate state … telcos lost any reason to innovate.

Additionally, finding people’s personal info at this point is a joke considering the many, many leaks that have happened over the past 5-10 years. Asking an identity thief to provide birthdates and the like wouldn’t do much to stop them.


In all fairness to the cell phone carriers (my god, I can’t believe I’m defending cell phone companies, I feel so dirty) it’s not their fault. Any company using SMS as a ‘security’ mechanism to protect something worth more than a cup of coffee is dancing on the edge of Hanlon’s Razor like a molly-addled frat boy at his first rave.

The system was never designed to provide the level of security required for the role it’s being asked to play. And trying to “fix” it so that it would be the right-tool-for-the-job is like trying to upgrade the lock on your kid sister’s diary into something that could successfully secure a bank vault. It’s not gonna happen.

Hell, the US National Institute of Standards issued a clear statement in 2015 that SMS should not be used for authentication. But we live in a world of “Too Big to Fail”, where you may be executed for selling loose cigarettes but if you screw over thousands of people to pump up your bonus the worst thing that might happen is you’ll be forced to pull the ripcord on your golden parachute.

NIST Special Publication 800-63B for reference.

Luckily, our plucky carriers don’t let abject unsuitability get in the way of dreaming even bigger dreams.

If you can’t even keep your customers from being SIM-swapped; why not promote yourself as the gatekeepers of electronic identity, since that’s clearly an area of excellence?

Option to use a Lifeline?

That’s arguably more fairness than the carriers deserve. It is true that SMS is, by design, wildly insecure and not intended to be much more: Mostly travels in the clear from the perspective of the infrastructure, often tepidly encrypted in RF form, minimal guarantees of timely delivery, or delivery at all; and reports on the outfits that handle bulk SMS slinging are mostly of the ‘just don’t even want to think about it…’ school.

However, SIM-swaps, while they are often used to get access to someone’s SMS traffic, are a pure carrier problem: they work because the bar is really, really low (in terms of cost or risk) to get a carrier to hand over the keys that identify you as one of their customers and subsequently deliver all their traffic to you.

That aspect is entirely on them. I certainly wouldn’t bet on SIMs being 100% ironclad, there have been various cloning and spoofing in the past; but, since subscriber identity is the foundation of billing, that’s an area where technical standards have always been a lot higher and carriers have been much more responsive about resolving weaknesses. Unfortunately, it doesn’t matter all that much because the carriers are crawling with a combination of exploited systems being used for remote access and malicious insiders making changes on behalf of unauthorized 3rd parties. Utterly inadequate internal controls.

It’s also the case that the ease of SIM swaps is one of the reasons why SMS is increasingly seen as lazy or naive. The technical weakness of SMS means that it was always a terrible plan if someone serious was gunning for you; but among attackers who don’t have nation-state telco cooperation powers or hooks into the various backend services that move bulk SMS around, an attack against SMS ‘two factor’ usually means a SIM swap; which is right down at the shady PI tier, deeply unsophisticated.
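The two points made across this thread, that SMS is only tolerable for low-value actions and that a SIM swap is the cheap way to hijack it, translate into a concrete policy a login service can enforce. The example below is added here and is not code from any poster or carrier: it assumes (as an assumption, not something the thread states) that the service can learn when a number was last moved to a new SIM, for instance through a carrier SIM-swap lookup, and it refuses to send an SMS code when the action is high-value, when no SIM history is available, or when the SIM changed inside a cooldown window. The carrier data and phone numbers are constructed sample values.

```python
"""Risk policy for SMS one-time codes, added example (not from the thread).

Assumption: the service can query the time a number was last moved to a new
SIM (e.g. a carrier SIM-swap check). Here that lookup is a constructed
in-memory table so the example runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW_SMS = "allow_sms"            # SMS code may be sent (low-value action only)
    REQUIRE_STRONG = "require_strong"  # SMS refused; use an app or hardware authenticator


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reason: str


# Hypothetical policy value: treat any SIM change in the last 72 hours as suspect.
SIM_SWAP_COOLDOWN = timedelta(hours=72)

# Constructed carrier data: number -> last SIM change (UTC), or None if unknown.
CONSTRUCTED_SIM_HISTORY = {
    "+15550100001": datetime(2023, 1, 1, 0, 0, tzinfo=timezone.utc),   # stable for months
    "+15550100002": datetime(2023, 3, 10, 9, 0, tzinfo=timezone.utc),  # swapped two days ago
    "+15550100003": None,                                              # carrier has no record
}

# Fixed "now" so the decisions below are reproducible.
DEMO_NOW = datetime(2023, 3, 12, 9, 0, tzinfo=timezone.utc)


def last_sim_change(msisdn: str) -> Optional[datetime]:
    """Stand-in for the carrier lookup; returns None when history is unavailable."""
    return CONSTRUCTED_SIM_HISTORY.get(msisdn)


def evaluate_sms_otp(msisdn: str, high_value: bool, now: datetime) -> Verdict:
    """Decide whether an SMS code is an acceptable factor for this request."""
    if high_value:
        # Account recovery, payouts, credential changes: never gate these on SMS.
        return Verdict(Decision.REQUIRE_STRONG,
                       "high-value action: SMS is not an acceptable factor")
    changed = last_sim_change(msisdn)
    if changed is None:
        # Fail closed: with no history we cannot rule out a recent swap.
        return Verdict(Decision.REQUIRE_STRONG,
                       "no SIM history available; cannot rule out a recent swap")
    age = now - changed
    if age < SIM_SWAP_COOLDOWN:
        return Verdict(Decision.REQUIRE_STRONG,
                       f"SIM changed {age} ago, inside the {SIM_SWAP_COOLDOWN} cooldown")
    return Verdict(Decision.ALLOW_SMS, f"SIM stable for {age}")


def demo() -> dict:
    """Run the policy over the constructed numbers; returns {label: Decision}."""
    cases = {
        "stable/low-value":   ("+15550100001", False),
        "stable/high-value":  ("+15550100001", True),
        "swapped/low-value":  ("+15550100002", False),
        "unknown/low-value":  ("+15550100003", False),
    }
    return {label: evaluate_sms_otp(num, hv, DEMO_NOW).decision
            for label, (num, hv) in cases.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:20s} -> {decision.value}")
```

The useful property is that the policy fails closed: a missing carrier record and a fresh SIM change both push the user to a stronger factor rather than quietly sending the code to whoever now holds the number. The cooldown length and the high-value classification are policy choices, not something the thread specifies.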
