Academics at Princeton University have written a paper stating that five US mobile telcos rely upon ‘insecure’ procedures when prepaid customers request a change of SIM. They recommend significant changes to how telcos authenticate customers.
The researchers gave a script to assistants who were not skilled in social engineering, and instructed them to make 50 calls requesting a change of SIM for prepaid accounts. Five different US telcos received 10 calls each. The three network operators tested were AT&T, T-Mobile and Verizon Wireless; the study also tested the authentication procedures of the virtual operators Tracfone and US Mobile. For the purpose of the tests, the research assistants only knew:
- the victim’s name and phone number;
- details of the last account top-up on the victim’s account; and
- some phone numbers that the victim had dialed or received.
The assistants were told to pretend that incorrect information had been given during the sign-up for a new account if they could not answer a question asked by the telco, such as the customer’s date of birth. One significant finding was that giving the wrong answers to authentication questions did not make telco staff more wary about authorizing a SIM swap.
We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges.
The virtual operators included in the study had the least secure methods of authenticating users. They would rely upon asking for information which is relatively easy to obtain, such as the victim’s home address or birthday. But worse than that, they sometimes changed the SIM when none of their questions had been answered correctly.
Tracfone and US Mobile did not offer any challenges that our simulated attacker could answer correctly. However, customer support representatives at these carriers allowed us to SIM swap without ever correctly authenticating: 6 times at Tracfone and 3 times at US Mobile.
The researchers were critical of the three network operators examined because the assistants succeeded in swapping SIMs on every call. This is because the operators considered the user’s identity to have been sufficiently verified by checking information about the last balance top-up, or about numbers dialed by the user. The researchers argue that these methods are insecure because:
- “An attacker could purchase a refill card at a retail store, submit a refill on the victim’s account, then request a SIM swap using the known refill as authentication”; and
- “Using only the victim’s name and phone number, our simulated adversary could call the victim and leave a missed call or message that would prompt the victim into returning the call to a number known to the attacker. This call would then appear on the outgoing call log and the attacker could use it for authentication”.
Whilst the researchers make valid points, they are also stretching their arguments about telcos exercising insufficient caution. Criminals could spend money with the intention of taking over somebody’s account, but they would be risking their outlay. And victims may return missed calls, but nothing guarantees that they would. Nevertheless, T-Mobile subsequently decided they would no longer ask customers about dialed numbers as a means to authenticate them.
The academics make a stronger argument about the few occasions when call center staff authenticated users based on the calls they had received.
…in four instances between AT&T, T-Mobile, and Verizon, we were able to succeed call record verification by providing incoming numbers. This means that the adversary would not even need the victim to place a call; as long as the victim picks up the initial call from the adversary, a valid record in the call log would be generated.
The researchers also made an observation about who they believe is most at risk of SIM swaps.
Based on our experimental results for prepaid accounts, as well as our anecdotal evaluation of postpaid accounts (presented in Appendix A), we hypothesize that current customer authentication practices disproportionately place low-income Americans at risk of SIM swap attacks.
I found this conclusion to be peculiar for various reasons. Firstly, would criminals try to take control of an account if there is very little money stored in that account? Secondly, there are plenty of stories of criminals targeting victims who have invested large amounts in cryptocurrency. What meaningful data analysis has been performed to assess who is placed most at risk by relying on mobile phones for two-factor authentication?
The authors made the following recommendations for telcos.
Every mobile carrier in our study, with one exception, already offers secure methods of customer authentication: password/PIN, one-time passcode via SMS (to the account phone number or a pre-registered backup number), or one-time passcode via email (to the email address associated with the account). Abandoning insecure authentication schemes… may inconvenience customers who are legitimately requesting a SIM swap, but preventing account hijacking attacks is crucial to customers’ privacy and security. Moreover, legitimate SIM swap requests are infrequent, occurring only when a user’s SIM is damaged or lost, when a user acquires a new phone that is incompatible with their SIM, or in other rare cases.
We all understand the reasoning of the authors, but it is possible to nitpick with this recommendation, so I will. Whilst it is refreshing to see the authors admit there are legitimate customer requests, I see very little comparison of the risks on both sides of the relevant equations. Passwords and PIN codes are great… unless the user forgets them. And we know that they get compromised for all sorts of reasons because they are so inconvenient. One solution to this inconvenience has been to develop apps that store passwords on a user’s phone… but that might not be so useful if the phone has been lost or stolen. Passcodes by SMS are not viable if the user does not have their phone. Not every user will offer a backup number, and backup numbers are less likely with poorer customers. Passcodes by email offer a separate channel for communication, but what if the user does not provide an email address, or what if their phone is the only device they use to check email?
The researchers state that requests to change SIM are infrequent. It should be straightforward to present the relevant numbers in order to justify this assertion. It is also rare for criminals to take control of accounts through SIM swaps, so we should be using numbers, not words, to gauge the relative risk. The risk of criminals taking control of somebody’s phone account should be weighed against the risk that a genuine customer is denied access to their phone account. The theft or loss of a phone is often a stressful experience for the customer. It may have occurred in the context of traumatic events. Being disconnected from communicating with others may exacerbate other difficulties that a customer already faces. A security researcher may coolly assert that life would be better if everybody remembered their passwords, everybody provided an email address to contact them, and everybody had a backup phone number. However, it is not obvious that customers would agree with the need for enhanced security when they are trying to restore their phone service whilst dealing with their other troubles.
In contrast, I can find no good reason to object to the academics’ next piece of advice.
We recommend that mobile carriers implement customer authentication for telephone support via a website or app login, or with a one-time password via a voice call. The methods do not require memorization or carrying extra devices and are easy to learn. They also should not pose significant costs to carriers because the infrastructure already exists; all carriers we examined support online accounts via websites and/or mobile applications.
Telcos should also treat customers like adults, giving them the responsibility for deciding how secure their accounts should be.
We recommend that carriers provide the option for customers to enable multi-factor authentication for account change requests, as well as the option to disable account changes by telephone or at a store.
Giving customers choices means they can decide the right balance between security and convenience. And the following recommendation is straightforward common sense.
If someone attempts to authenticate as a customer and is unsuccessful, we recommend that carriers notify the customer and heighten security for the account. An adversary should not be allowed to attempt multiple authentication methods or to repeatedly attempt authentication.
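The two policies contrasted above, the observed practice where one correct answer authenticates regardless of earlier failures and the recommended practice where any failure ends the attempt and notifies the customer, as an added illustration that is not code from the paper or from any carrier. The challenge catalogue, its weak/strong split and the call transcript are constructed assumptions that follow the paper's argument.

```python
from dataclasses import dataclass, field
from enum import Enum


class Strength(Enum):
    WEAK = "weak"      # refill details, dialed/received numbers, DOB: obtainable by an attacker
    STRONG = "strong"  # account PIN/password, one-time passcode via SMS/email/voice, app login


# Hypothetical challenge catalogue; the weak/strong classification follows the paper's reasoning.
CHALLENGES = {
    "date_of_birth": Strength.WEAK,
    "last_refill": Strength.WEAK,
    "call_log_numbers": Strength.WEAK,
    "account_pin": Strength.STRONG,
    "otp_email": Strength.STRONG,
}


@dataclass
class Session:
    account: str
    events: list = field(default_factory=list)  # customer notifications / audit trail
    flagged: bool = False                       # heightened security after a failure


def authenticate_lenient(answers):
    """Observed practice: any single correct answer authenticates the caller,
    no matter how many earlier challenges were failed or how weak the evidence is."""
    return any(correct for _challenge, correct in answers)


def authenticate_strict(session, answers):
    """Recommended practice: the first wrong answer ends the attempt, notifies the
    customer and flags the account; only a strong challenge can authenticate."""
    for challenge, correct in answers:
        if not correct:
            session.flagged = True
            session.events.append(f"notify {session.account}: failed '{challenge}', account flagged")
            return False
        if CHALLENGES[challenge] is Strength.STRONG:
            return True
        # correct but weak evidence: it never authenticates on its own
    return False


# Constructed transcript modelled on the study's script: wrong date of birth, then correct refill details.
ATTACKER_CALL = [("date_of_birth", False), ("last_refill", True)]
```

Running the constructed transcript through both functions shows the lenient policy approving the swap and the strict policy refusing it after the first failure, with a notification recorded for the account holder.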
But the following advice is terrible.
Carriers should list all the ways customers can be authenticated over the phone in order to avoid uncertainties regarding risks and defenses.
These academics did considerable work to identify flaws in the authentication procedures of telcos. It is naive to argue we would all be better off if criminals were spared that effort by giving them documentation of those procedures. We would also gift them another means to manipulate call center staff by complaining if somebody deviates from the procedures as publicly communicated.
And the academics’ final recommendation is so obvious that it does not need to be made.
Representatives should thoroughly understand how to authenticate customers and that deviations from authentication methods or disclosure of customer information prior to authentication is impermissible.
On the one hand, this is obvious. On the other hand, this recommendation says nothing about how to address the very real reasons that large numbers of relatively low-paid staff will not always behave like automatons.
I have one final observation about the paper, which is that it fails to provide any discussion surrounding the merits or disadvantages of expecting customers to apply for new SIMs in person. Demanding the presentation of photo ID would increase the inconvenience to the customer, but it would also significantly reduce the risk of a customer being impersonated. Perhaps the researchers shy away from this topic because they also know that poor customers are least likely to have photo ID.
This research was performed by Kevin Lee, Ben Kaiser, Jonathan Mayer and Arvind Narayanan of the Department of Computer Science and Center for Information Technology Policy at Princeton University. Their draft paper is freely available from here.