Five US Carriers Exposed to Critical SIM-Swap Security Flaws

A Princeton study found that five major U.S. wireless carriers are vulnerable to SIM swapping attacks.

SIM swapping is a growing form of fraud in which an attacker convinces a mobile operator to transfer a victim’s phone number to a new SIM card controlled by the attacker. Once the number is ported, the attacker can often bypass two-factor authentication and gain access to the victim’s online accounts.

Researchers at Princeton set up 50 prepaid accounts—ten each on AT&T, Verizon, T-Mobile, US Mobile, and Tracfone—and used the new SIMs to test the carriers’ account-porting procedures.

They discovered that, in many cases, simply answering one verification question correctly was enough to authorize a port. Other authentication questions were sometimes ignored even when answered incorrectly. In some tests the researchers intentionally provided the wrong PIN; carrier representatives then asked for additional details such as billing address or date of birth. The researchers replied that they must have made an error when signing up, and the carrier representatives often proceeded despite inconsistencies.

Carriers commonly request recent call logs as a final verification step. This is a weak point because attackers can easily trick victims into making calls to specific numbers, creating call history that appears legitimate and enabling the port.

After demonstrating how easily numbers could be hijacked, the researchers examined 140 popular websites to assess the potential impact of compromised phone numbers. They found that 17 sites allowed an account password to be reset using only the hijacked phone number, enabling account takeover without additional proof of identity.

The study highlights two areas that need improvement: mobile operators should strengthen verification before allowing a number to be ported, and websites should avoid relying solely on a phone number for account recovery or password resets.
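The website-side recommendation can be checked mechanically. The sketch below is an added example, not code from the study or from this article: it audits a site's recovery and login flows for any path that a hijacked phone number alone can satisfy, and it goes one step beyond the text by chaining flows (a phone-only password reset followed by SMS 2FA login). The factor names and the three site configurations are constructed for illustration.

```python
# Added illustration; factor names and site configurations are constructed.
# Factors that pass to whoever controls the phone number after a SIM swap.
PHONE_BOUND = frozenset({"sms_otp", "voice_otp"})


def phone_only_takeover(flows):
    """flows maps a capability (e.g. "password", "session") to the alternative
    factor sets that grant it. Returns {capability: factor set used} for every
    capability obtainable when starting from the phone number alone."""
    held = set(PHONE_BOUND)
    gained = {}
    changed = True
    while changed:  # fixed point: a gained capability may unlock another flow
        changed = False
        for capability, paths in flows.items():
            if capability in held:
                continue
            for path in paths:
                if set(path) <= held:  # every required factor is already held
                    held.add(capability)
                    gained[capability] = frozenset(path)
                    changed = True
                    break
    return gained


# Constructed configurations. "password" is granted by a reset flow,
# "session" by a login flow; each inner set is one acceptable combination.
SITES = {
    "sms_reset_and_sms_2fa": {
        "password": [{"sms_otp"}, {"email_link"}],
        "session": [{"password", "sms_otp"}],
    },
    "email_reset_sms_2fa": {
        "password": [{"email_link"}],
        "session": [{"password", "sms_otp"}],
    },
    "reset_needs_totp": {
        "password": [{"email_link"}, {"sms_otp", "totp"}],
        "session": [{"password", "totp"}],
    },
}


def audit(sites):
    """Per site, the sorted capabilities reachable with only the phone number."""
    return {name: sorted(phone_only_takeover(f)) for name, f in sites.items()}


if __name__ == "__main__":
    for site, exposed in audit(SITES).items():
        print(f"{site}: {'EXPOSED ' + ', '.join(exposed) if exposed else 'ok'}")
```

Only the first configuration is flagged: SMS as a second factor is not phone-only takeover on its own, but it becomes one as soon as the password can also be reset by SMS.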

The Princeton team shared their findings with the affected carriers. T-Mobile reported that, based on these and related concerns, it has stopped accepting call logs as a form of authentication.

The full study is available in PDF form from the researchers.