Forum Discussion
SIM Swap vulnerabilities/ 2FA risks
Chiming in. I'd recommend combing through the forum threads and reaching out to individuals to point them back to this thread you started. Otherwise this post falls on deaf ears. IDK how many victims are thinking of coming to the T-Mobile forums to discuss their issue. You'll find victims on Reddit as well.
I just want to point out some things in your post.
A number of the SIM swap attacks are happening in person. The in-store visit you're recommending has been the doom of many customers this year, especially with the mask-on mandates. A driver's license or knowledge of the SSN tends to defeat the use of the passcode on the account. It comes down to how well-trained the rep is to enforce account security on behalf of the customer. That said, a fake ID and you're in.
I do like the idea of approval being needed beforehand, but if they're coming in person and arguing that they lost their phone in a boating accident, for example, then they may argue that they don't have the required access to verify, at which point they assert the need to override via SSN or driver's license. Outside of that approval scenario, email notifications after the fact may not be helpful if the email account's recovery number is that cellphone number. If a SIM swap attack is taking place, you can bet they're headed for the email accounts if not just the bank accounts. Some of those notifications a user may never receive because the attacker is now intercepting. Android devices don't immediately sync email outside of Gmail (the email service, not the app). There's generally a 15-minute wait. That's enough time to password-reset that email account using SMS 2FA via the SIM swap, intercept that notification email, and continue their dirty work.
What I was thinking was: maybe a separate call to a third party (landline phone at home?) with someone ready to answer and vouch. Husband requests the change, wife answers the phone. Or child/parent; maybe it's grandma answering the phone. IDK. I can only think this wouldn't be helpful for those who live alone or have no one to vouch for them. Teamwork makes the dream work?
In some cases I’m thinking not to even enable recovery options for certain accounts/services, because they just end up being new backdoors to your account.
For example, T-Mobile will enable Google Authenticator, but an attacker can bypass it using security questions. Social engineering for the win? You set up GAuth and can't disable SMS 2FA or security questions, so the attacker still performs the SIM swap and renders that authenticator code useless.