Five major US telcos are vulnerable to SIM swapping attacks

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (

A study conducted by Princeton has found that five major US telcos are vulnerable to "SIM swapping" attacks.

SIM swapping is an increasingly common attack whereby a fraudster persuades a customer’s operator to port their number to a new SIM. In doing so, the fraudster can often access that person’s accounts using two-factor authentication.

The researchers from Princeton each signed up for 10 prepaid accounts on AT&T, Verizon, T-Mobile, US Mobile, and Tracfone.

Armed with a total of 50 new SIMs, the researchers found they were able to persuade the operators to port their numbers by answering just one verification question correctly. Worryingly, it didn’t matter if they got other authentication questions wrong.

To put the carriers’ security to the test, the researchers purposefully gave the wrong PIN number when asked. The operators’ reps sought other data including the account holder’s billing address or date of birth; to which the researchers said they must have made a mistake during signup.

As a final attempt at verification, carriers often ask the person for their most recent couple of calls. This is often when a fraudster is able to gain access given the simplicity in tricking victims to call set numbers.

Given the ease in which the researchers found it to carry out a SIM swap attack, they then set out to examine 140 popular websites to find out what could be achieved with their ill-gained numbers. 17 of the websites allowed the researchers to reset a user’s password using the hijacked number alone.

While it’s clear that many operators need to step up their verification checks before allowing a customer’s number to be ported, there’s also an onus on websites to prevent accounts from being reset using just a phone number.

The Princeton researchers sent their findings to each of the affected operators. T-Mobile, for its part, informed them earlier this month they no longer accept call logs as a form of authentication.

You can find a full copy of the study here (PDF)

Interested in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data ExpoCyber Security & Cloud Expo and 5G Expo World Series with upcoming events in Silicon Valley, London and Amsterdam and explore the future of enterprise technology.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *