An Empirical Study of Wireless Carrier Authentication for SIM Swaps
We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
We found 17 websites on which user accounts can be compromised based on a SIM swap alone. More than 60 days after our disclosure, nine of these websites remain vulnerable in their default configuration.
We provide an interactive dataset of our MFA analysis at over 140 websites here.
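The rating described above comes down to whether control of the phone number alone is enough to sign in. The following added example is not code from the study; the policy model, factor names and sample sites are constructed assumptions. It checks a site's login and recovery paths, including the case where SMS-based recovery resets a password that is then combined with an SMS code.

```python
# Added example: audit a site's authentication policy for SIM-swap exposure.
# The policy format and all factor names below are hypothetical.

# Factors an attacker holds once the victim's number is moved to their SIM.
SIM_SWAP_FACTORS = frozenset({"sms_otp", "voice_call_otp"})

def factors_after_sim_swap(recovery_paths):
    """Return every factor obtainable starting from the phone number only.

    Each recovery path is (required_factors, factor_it_resets). Recovery can
    chain (SMS resets the password, the password unlocks something else), so
    iterate until no new factor is gained.
    """
    held = set(SIM_SWAP_FACTORS)
    changed = True
    while changed:
        changed = False
        for required, resets in recovery_paths:
            if set(required) <= held and resets not in held:
                held.add(resets)
                changed = True
    return held

def exposed_login_paths(policy):
    """Login paths that can be satisfied by a SIM swap alone."""
    held = factors_after_sim_swap(policy["recovery"])
    return [path for path in policy["login"] if set(path) <= held]

def rate(policy):
    return "sim-swap-alone" if exposed_login_paths(policy) else "needs-more"

# Constructed sample policies (not taken from the study's dataset).
SITE_A = {  # SMS used for both the second factor and password recovery
    "login": [["password", "sms_otp"]],
    "recovery": [(["sms_otp"], "password")],
}
SITE_B = {  # SMS second factor, but recovery needs the e-mail inbox
    "login": [["password", "sms_otp"]],
    "recovery": [(["email_link"], "password")],
}
SITE_C = {  # SMS recovery resets the password, but login also needs TOTP
    "login": [["password", "totp"]],
    "recovery": [(["sms_otp"], "password")],
}

if __name__ == "__main__":
    for name, site in (("A", SITE_A), ("B", SITE_B), ("C", SITE_C)):
        print(name, rate(site), exposed_login_paths(site))
```

SITE_A shows why adding SMS as a second factor does not help when the same phone number can also reset the password.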
In January 2020, T-Mobile informed us that after reviewing our research, it had discontinued the use of call logs for customer authentication.
In January 2020, Adobe and Online.net informed us that after reviewing our vulnerability disclosures, they had implemented fixes to prevent user accounts from being compromised based on a SIM swap alone.
In February 2020, eBay and Snapchat informed us that after reviewing our vulnerability disclosures, they had implemented fixes to prevent user accounts from being compromised based on a SIM swap alone.
Nine websites remain vulnerable in their default configuration: AOL, Amazon, Finnair, Gaijin Entertainment, Mailchimp, PayPal, Venmo, WordPress.com, and Yahoo. These websites either failed to respond to us, did not understand our vulnerability report, or stated that they won't fix the issue.
Three websites fixed the issue without notifying us: Blizzard, Microsoft, and TaxAct. We re-examined these websites in March 2020.