Experts Comments On Two-factor Authentication Obsolete In The Face Of SIM Swapping Attacks

In a blog post, security researchers said that many mobile operators aren’t asking the difficult security questions to ensure the caller is the legitimate mobile phone user.

The researchers pointed to a Princeton study in which researchers made around 50 attempts across five North American prepaid telecom companies to see whether they could successfully port a stolen number (their own) to a SIM card.

The research showed that in most cases a threat actor only needs to answer one question correctly when questioned by the customer service representative to reset the password on the account and port the number over.

2 Expert Comments
Markus Jakobsson, Founder
InfoSec Expert
January 22, 2020 10:37 pm

The traditional paradigm is to simply send a secret code by SMS to a registered account holder; the reason why this is vulnerable, whether to social engineering or SIM-jacking, is that anybody with that code can authenticate.

A change of paradigm – without much change in the user experience – would instead verify that the SMS is “used” by a person with a recognized device. (For more details, see https://arxiv.org/pdf/2001.06075.pdf)

Whereas this approach does not block SIM-jacking, it makes it pointless in the context of 2FA.

Dewald Nolte, Chief Commercial Officer
InfoSec Expert
January 21, 2020 5:07 pm

There are two approaches you can use to combat SIM swap attacks; namely, detection and prevention. Due to the way that the industry uses SMS-based verification codes, detection is not always a foolproof way of eliminating this type of attack. It can certainly make life more difficult for the perpetrator, but there are advanced techniques available to get around most of the detection techniques. This is why a prevention approach is ideal. An omni-channel authentication solution cryptographically binds to a user’s device, removing the reliance on the SIM card for authentication and thereby completely eliminating SIM swap attacks.

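Both comments above contrast a code that anyone can use with a check tied to a recognized device. The sketch below is an added example, not code from the commenters, their products or the linked paper; it assumes device recognition is modeled as an HMAC key enrolled on the device in advance, and every class, function and account name in it is hypothetical.

```python
import hashlib
import hmac
import secrets

def device_proof(device_key: bytes, code: str) -> bytes:
    """Client side: tie the received code to the key held on this device."""
    return hmac.new(device_key, code.encode(), hashlib.sha256).digest()

class Verifier:
    def __init__(self):
        self.device_keys = {}  # (user, device_id) -> key enrolled in advance
        self.pending = {}      # user -> outstanding SMS code

    def enroll_device(self, user, device_id):
        key = secrets.token_bytes(32)
        self.device_keys[(user, device_id)] = key
        return key  # kept on the device, never sent by SMS

    def send_sms_code(self, user):
        self.pending[user] = f"{secrets.randbelow(10**6):06d}"
        return self.pending[user]  # stands in for SMS delivery

    def verify_code_only(self, user, code):
        """Traditional paradigm: whoever holds the code authenticates."""
        expected = self.pending.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), code.encode())

    def verify_device_bound(self, user, code, device_id, proof):
        """Accept the code only with proof from a recognized device."""
        expected = self.pending.get(user)
        key = self.device_keys.get((user, device_id))
        if expected is None or key is None:
            return False
        ok = hmac.compare_digest(expected.encode(), code.encode()) and \
            hmac.compare_digest(device_proof(key, expected), proof)
        if ok:
            del self.pending[user]  # single use: a replayed proof is rejected
        return ok

def demo():
    srv = Verifier()
    owner_key = srv.enroll_device("alice", "alice-phone")  # constructed names
    code = srv.send_sms_code("alice")  # also readable by whoever holds the SIM
    other_key = secrets.token_bytes(32)  # a device the service never enrolled
    return {
        "code_only_with_code": srv.verify_code_only("alice", code),
        "bound_wrong_key": srv.verify_device_bound("alice", code, "alice-phone", device_proof(other_key, code)),
        "bound_unknown_device": srv.verify_device_bound("alice", code, "new-phone", device_proof(other_key, code)),
        "bound_owner": srv.verify_device_bound("alice", code, "alice-phone", device_proof(owner_key, code)),
        "bound_replay": srv.verify_device_bound("alice", code, "alice-phone", device_proof(owner_key, code)),
    }
```

In `demo()`, the code-only check passes for any holder of the SMS code, while the device-bound check passes only for the enrolled device, which is why rerouting the SMS alone no longer authenticates.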