Five major US telcos are vulnerable to SIM swapping attacks

Five major US telcos are vulnerable to SIM swapping attacks Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter (@Gadget_Ry) or Mastodon (

A study conducted by Princeton has found that five major US telcos are vulnerable to "SIM swapping" attacks.

SIM swapping is an increasingly common attack whereby a fraudster persuades a customer’s operator to port their number to a new SIM. In doing so, the fraudster can often access that person’s accounts using two-factor authentication.

The researchers from Princeton each signed up for 10 prepaid accounts on AT&T, Verizon, T-Mobile, US Mobile, and Tracfone.

Armed with a total of 50 new SIMs, the researchers found they were able to persuade the operators to port their numbers by answering just one verification question correctly. Worryingly, it didn’t matter if they got other authentication questions wrong.

To put the carriers’ security to the test, the researchers purposefully gave the wrong PIN number when asked. The operators’ reps sought other data including the account holder’s billing address or date of birth; to which the researchers said they must have made a mistake during signup.

As a final attempt at verification, carriers often ask the person for their most recent couple of calls. This is often when a fraudster is able to gain access given the simplicity in tricking victims to call set numbers.

Given the ease in which the researchers found it to carry out a SIM swap attack, they then set out to examine 140 popular websites to find out what could be achieved with their ill-gained numbers. 17 of the websites allowed the researchers to reset a user’s password using the hijacked number alone.

While it’s clear that many operators need to step up their verification checks before allowing a customer’s number to be ported, there’s also an onus on websites to prevent accounts from being reset using just a phone number.

The Princeton researchers sent their findings to each of the affected operators. T-Mobile, for its part, informed them earlier this month they no longer accept call logs as a form of authentication.

You can find a full copy of the study here (PDF)

Interested in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data ExpoCyber Security & Cloud Expo and 5G Expo World Series with upcoming events in Silicon Valley, London and Amsterdam and explore the future of enterprise technology.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *