In a blog post, security researchers said that many mobile operators aren’t asking the difficult security questions to ensure the caller is the legitimate mobile phone user.
Researchers pointed to a particular Princeton study in which the authors made around 50 attempts across five North American prepaid telecom companies to see whether they could port a number they controlled (standing in for a stolen number) to a new SIM card.
The research showed that in most cases a threat actor only needs to answer one question correctly when questioned by the customer service representative in order to reset the password on the account and port the number over.
The traditional paradigm is to simply send a secret code by SMS to a registered account holder; the reason why this is vulnerable, whether to social engineering or SIM-jacking, is that anybody with that code can authenticate.
A change of paradigm, without much change in the user experience, would instead verify that the SMS is "used" by a person with a recognized device. (For more details, see https://arxiv.org/pdf/2001.06075.pdf)
While this approach does not block SIM-jacking, it makes the attack pointless in the context of 2FA.
There are two approaches you can use to combat SIM swap attacks, namely detection and prevention. Because of the way the industry uses SMS-based verification codes, detection is not always a foolproof way of eliminating this type of attack. It can certainly make life more difficult for the perpetrator, but there are advanced techniques available to get around most detection methods. This is why a prevention approach is ideal. An omni-channel authentication solution cryptographically binds to a user's device, removing the reliance on the SIM card for authentication and thereby completely eliminating SIM swap attacks.
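As an added illustration of the device-bound paradigm described above (not code from the post, the cited paper, or any vendor product), the following Python sketch accepts an SMS code only when it is accompanied by a proof computed with a secret enrolled for the user's device; it assumes the secret is provisioned once at enrollment and kept in the phone's keystore rather than on the SIM, and the user, device and secret values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


def device_proof(device_secret: bytes, user_id: str, device_id: str, code: str) -> str:
    # Computed on the phone: binds the SMS code to a key held by the device, not the SIM.
    msg = f"{user_id}|{device_id}|{code}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


class DeviceBoundOtpServer:
    """Server side. Constructed example: a per-device secret issued at enrollment;
    a production deployment would keep a public key and have the device sign."""

    def __init__(self):
        self.devices = {}  # user_id -> {device_id: device_secret}
        self.pending = {}  # user_id -> (code, expiry timestamp)

    def enroll_device(self, user_id: str, device_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.devices.setdefault(user_id, {})[device_id] = secret
        return secret  # provisioned to the phone once, over an authenticated channel

    def send_code(self, user_id: str, now=None) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        now = time.time() if now is None else now
        self.pending[user_id] = (code, now + 300)  # code valid for five minutes
        return code  # delivered by SMS in the real flow

    def verify(self, user_id: str, device_id: str, code: str, proof: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None or now > entry[1]:
            return False  # no outstanding code, or it has expired
        expected_code = entry[0]
        if not hmac.compare_digest(code.encode(), expected_code.encode()):
            return False  # wrong SMS code
        secret = self.devices.get(user_id, {}).get(device_id)
        if secret is None:
            return False  # claimed device was never enrolled for this user
        expected_proof = device_proof(secret, user_id, device_id, expected_code)
        if not hmac.compare_digest(proof.encode(), expected_proof.encode()):
            return False  # right code, but not produced by an enrolled device
        del self.pending[user_id]  # single use: a captured code cannot be replayed
        return True
```

A SIM-swapped attacker receives the same six-digit code but, lacking the enrolled device secret, cannot produce a valid proof, so the code alone no longer authenticates.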