Experts Comments On Two-factor Authentication Obsolete In The Face Of SIM Swapping Attacks

In a blog post, security researchers said that many mobile operators aren’t asking the difficult security questions to ensure the caller is the legitimate mobile phone user.

Researchers pointed to a particular Princeton study, where researchers made around 50 attempts across five North American prepaid telecom companies to see if they could successfully port a stolen number (their own) to a SIM card.

The research showed that in most cases a threat actor only needs to answer one question right when questioned by their customer service representative reset the password on the account and port the number over.

Experts Comments

January 21, 2020
Dewald Nolte
Chief Commercial Officer
Entersekt
There are two approaches you can use to combat SIM swap attacks; namely, detection and prevention. Due to the way that the industry uses SMS based verification codes, detection is not always a foolproof way of eliminating this type of attack. It can certainly make life more difficult for the perpetrator, but there are advanced techniques available to get around most of the detection techniques. This is why a prevention approach is ideal. An omni-channel authentication solution cryptographically .....Read More
There are two approaches you can use to combat SIM swap attacks; namely, detection and prevention. Due to the way that the industry uses SMS based verification codes, detection is not always a foolproof way of eliminating this type of attack. It can certainly make life more difficult for the perpetrator, but there are advanced techniques available to get around most of the detection techniques. This is why a prevention approach is ideal. An omni-channel authentication solution cryptographically binds to a user’s device, removing the reliance on the SIM card for authentication and thereby completely eliminating SIM swap attacks.  Read Less
January 22, 2020
Markus Jakobsson
Founder
ZapFraud Inc
The traditional paradigm is to simply send a secret code by SMS to a registered account holder; the reason why this is vulnerable, whether to social engineering or SIM-jacking, is that anybody with that code can authenticate. A change of paradigm - without much change in the user experience - would instead verify that the SMS is "used" by a person with a recognized device. (For more details, see https://arxiv.org/pdf/2001.06075.pdf) Whereas this approach does not block SIM-jacking, it.....Read More
The traditional paradigm is to simply send a secret code by SMS to a registered account holder; the reason why this is vulnerable, whether to social engineering or SIM-jacking, is that anybody with that code can authenticate. A change of paradigm - without much change in the user experience - would instead verify that the SMS is "used" by a person with a recognized device. (For more details, see https://arxiv.org/pdf/2001.06075.pdf) Whereas this approach does not block SIM-jacking, it makes it pointless in the context of 2FA.  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.