• We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
• We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
• We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
• We found 17 websites on which user accounts can be compromised based on a SIM swap alone. After over 60 days since our disclosure, nine of these websites remain vulnerable in their default configuration.

Responses

• In January 2020, T-Mobile informed us that after reviewing our research, it had discontinued the use of call logs for customer authentication.
• In January 2020, Adobe and Online.net informed us that after reviewing our vulnerability disclosures, they have implemented fixes to to prevent user accounts from compromise based on a SIM swap alone.
• In February 2020, eBay and Snapchat informed us that after reviewing our vulnerability disclosures, they have implemented fixes to to prevent user accounts from compromise based on a SIM swap alone.
• Nine websites remain vulnerable in their default configuration: AOL, Amazon, Finnair, Gaijin Entertainment, Mailchimp, Paypal, Venmo, WordPress.com, and Yahoo. These websites either failed to respond to us, did not understand our vulnerability report, or stated that they won't fix the issue.
• Three websites fixed the issue without notifying us: Blizzard, Microsoft, and Taxact. We re-examined these websites in March 2020.