SIM Swap vulnerabilities/ 2FA risks

  • 30 July 2020
  • 2 replies

Userlevel 6
Badge +12

So with the onset of SIM swap attacks as well as numerous links over the year I wanted to start a discussion to talk about things that we as consumers can do to better protect ourselves. As well as I hope to share information and ideas to T-mobile to improve their security when it comes to our accouts.

For those of you who don’t know about  the scam that has been going on a attacker will pretend to be you to get T-mobile to assign them a sim card with your number. It is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message or call placed to a mobile telephone. Think whenever a bank for example sends you the little 6 digit code to your phone to reset a password as a example.

I believe T-mobile should have measures in place that allow for a customer to require a instore visit as a pre-requiste before any kind of change like that can occur. T-mobile should also be sending updated alerts before any kind of change happens on the account to both the cell numbers on the account as well as the email address on file. These alerts should require approval before the change itself can actually go through. This would be far more full proof than just having a pin on the account and would prevent this scam from working as easily as it does.

Thankfully, this has not happened to me but it is concerning as T-mobile is really lacking in providing tools for consumers to secure themselves.

2 replies

Chiming in.. I’d recommend combing through the forum threads and reaching out to individuals to point them back to this thread you started. Otherwise this post falls on deaf ears. IDK how many victims are thinking to come to the T-Mobile forums to discuss their issue. You’ll find victims on Reddit as well. 

I just want to point out some things in your post. 

A number of the SIM swap attacks are happening in-person. The in-store visit you’re recommending is the doom of many customers this year especially with the mask-on mandates. Driver’s license or knowledge of SSN tends to defeat the use of the passcode on the account. It comes down to how well-trained the rep is to enforce account security on behalf of the customer. That said, fake ID and you’re in. 

I do like the idea of approval needed before, but if they’re coming in person and arguing that they lost their phone in a boating accident for example then they may argue that they might not have the required access to verify, herein they assert the need to override via SSN or driver’s license. Outside of that approval scenario, email notifications after the fact may not be helpful if the email account recovery # is that cellphone number. If a SIM swap attack is taking place, you can bet they’re headed for the email accounts if not just the bank accounts. Some of those notifications a user may never receive because the attacker’s now intercepting. Android devices don’t immediately sync email outside of Gmail (email service, not the app). There’s generally a 15min wait. That’s enough time to password reset that email account using 2FA via SMS per the SIM swap, intercept that notification email and continue their dirty work. 

What I was thinking was: maybe a separate call to a 3rd party (landline phone at home?) and have someone ready to answer and vouch. Husband requests the change, wife answers the phone. Or child/parent, maybe it’s grandma answering the phone. IDK.. I can only think this wouldn’t be helpful for those who live alone or have no one to vouch for them. Team work makes the dream work?

In some cases I’m thinking not to even enable recovery options for certain accounts/services, because they just end up being new backdoors to your account. 

For example, T-Mobile will enable Google Authenticator -- but an attacker can bypass using security questions. Social engineering for the win? You set up GAuth, and can’t disable SMS 2FA or security questions; so the attacker still performs the SIM swap and renders that authenticator code useless. 

Userlevel 5
Badge +9

This is why I’ve been advised to record completely non nonsensical answers to security questions (I have to write them down so I don’t forget them) and passwords generated by computer. It’s about all you can do, like locking your door, make it so hard to hack you that they move on to the next one...