Build it! Improved Security for Two-factor Authentication Over SMS

Is your wireless phone number secure? Wireless service providers play a role in preventing SIM hijacking and unauthorized port-outs.

(This feature is being proposed in response to member questions about making the SMS-based 2FA more secure)

In theory, your wireless phone number is one of a kind and you physically need your phone to read any text messages sent to you.  Compared to online services that can be hacked, a text message to your phone is the best way to prove your identity in the online world. 

This is why a verification code is sent by text message to prove that you are you when logging into an online account.  Your phone number is a big part of your online identity, even if you don’t make traditional phone calls anymore.

The concept should be familiar. If you’ve used services like Uber, products like Nest, or have been asked to give out your phone number while using Facebook, you have almost certainly used a form of two-factor authentication (2FA). Companies operating online are using wireless phone numbers as an additional method to verify your identity and sometimes even rely on SMS for password recovery (making the verification code over SMS the highest level of security for your online account).

So, sending an extra verification code over SMS provides extra security, but how secure is secure? What, if anything, can wireless providers do to keep this form of authentication secure? 

Can my text messages be hacked?

There are ways to hack text messaging, but cloning a SIM card or intercepting the text message between the operator and the phone is very unlikely. The level of security that the SIM/eSIM provides is very high, despite it being a tiny little chip inside your phone.

The technology behind the SIM (Subscriber Identity Module) and eSIM responsible for ensuring the authentication between the phone and the operator relies on technology similar to what is used in credit card chips and biometric passports. In my years of building telecommunication products and services, I haven’t encountered a single case of a SIM card security breach, but on the other hand, the cases that involve account hijacking are in the news constantly.

Here are a few articles if you want to dive deeper:

 

Your SIM card is secure, but your phone number might not be

Two of the most common ways of hijacking your phone number and receiving the text messages that are being sent to your number involve social engineering or hacking one of your other accounts.

1. Unauthorized SIM swap

One of the most common ways for a wireless number to be hijacked is an unauthorized SIM swap - the process of changing which SIM card is associated with your wireless phone number. 

SIM swaps can only be done by your wireless service provider, and it’s a feature needed when you lose your phone entirely, or to upgrade to a newer SIM card with more functionality (sometimes needed to enable newer services like Wi-Fi Calling or automatic Wi-Fi authentication using AAA). 

To perform a SIM swap, most carriers require an in-store visit, where your identity is verified with physical ID before the swap is performed. Needless to say, this relies heavily on the human factor: a vast network of stores, dealerships and partners is a security risk on its own.

FUN FACT: Modern SIM cards support over the air updates.  Operators fixing network or phone issues by asking you to change your SIM card are doing nothing more than reprovisioning you on the network, something that doesn’t need a new SIM card.

This approach to technical support does more than just create waste, it wastes your time with unnecessary trips to the store. 

Has your wireless provider ever done this to you? Let us know in the comments!


2. Unauthorized wireless phone number port out

The second and potentially most vulnerable scenario is wireless number portability. This was first introduced in Canada in 2007, and it allows you to transfer your phone number from one provider to another - it is your number after all. Usually, it takes anywhere from 5-120 minutes to port the wireless number to another national carrier (but it takes up to 2 days to port a fixed/home phone number).

The risky part of portability is that the transaction happens at the new carrier, not the one you are already with.  The new carrier doesn’t have any of your information on file, so they submit a request to your current carrier with a few details to prove your identity and port the number over.

In this situation, a hijacker needs to know your phone number, obviously, but they also need to know the account number with your current carrier (often printed on the mailed invoice) or your SIM card number (printed on the SIM card). These aren’t details that most people keep secure, or worry about repeating in public spaces like the bus or a coffee shop.

Unauthorized port outs are extremely difficult to deal with because you have to deal with two different wireless service providers who have to figure out which one made a mistake and who is the real you.


DISCUSSION: Potential solutions in an all-digital full MVNO setup

Better security controls, retail training and clauses in 3rd party contractor agreements are not our thing. Handling sensitive information in retail stores or through live agents around the world will always carry a certain risk. We are here to figure out how to do this better in the all-digital environment. Here is the outcome of our internal discussion: a few additional security features, proposed for our Gorse release, that can help prevent hijacking of your wireless number.


1. Extra PIN or security question for SIM swaps
 
To swap the SIM you need to log into the app, so there’s one level of security - your user name and password. What if the hijackers get ahold of your login details? We can add an extra layer of security - a PIN number, security question, or two-factor authentication passcode sent to your email address.  

2. Toggle switch to block port outs
 
You can add a layer of account security by blocking port-outs. To unlock it, log in to the app and flip the switch or approve the request by clicking a link in an email we send to you... This needs to be evaluated against the porting rules we talk about below, so there might be limitations on what can be done with this idea.

3. Notification via email and app push in the event of SIM swap and port out
 
If the number is being ported out or a SIM swap has been performed, we can implement notifications with delivery priority so you can flag it if it wasn’t you. If it was not an authorized action, we can react quickly because you can let us know right away.

4. Additional A2P (application to person) incoming messages controls
 
This one is similar to the toggle switch. Since all applications that send SMS to anyone have to be enabled by the carrier (dotmobile), we can create security controls. You could control who is able to send these messages to you. Even if your bank wants to send you a password recovery SMS, you might not allow it to be received until you release it.
 
Caveat: this one is complex and would require either very granular controls or be an all or nothing feature. (Alex’s vote is on ‘all or nothing’ with notifications for every time a text message is ‘blocked’ or ‘awaiting approval’).

5. Employing AI to flag suspicious devices making the SIM swaps
 
Since swaps can only happen in the app, we can also detect fraud patterns, such as the same device attempting multiple SIM swaps or logging into a lot of different accounts. We could also prevent the same device (each device has a unique IMEI) from being used on multiple accounts by flagging such devices or delaying their SIM swaps and related port requests.
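One way to express the fraud patterns from item 5 as a check that holds suspicious SIM swaps for review. This is an added example, not dotmobile's code: the event format, IMEI labels and thresholds are assumptions, and plain rules stand in for the AI the post mentions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, device IMEI, account, action)
EVENTS = [
    ("2024-01-15T09:00", "IMEI-A", "acct-1", "login"),
    ("2024-01-15T09:05", "IMEI-A", "acct-1", "sim_swap"),
    ("2024-01-15T10:00", "IMEI-B", "acct-2", "login"),
    ("2024-01-15T10:02", "IMEI-B", "acct-3", "login"),
    ("2024-01-15T10:04", "IMEI-B", "acct-4", "login"),
    ("2024-01-15T10:06", "IMEI-B", "acct-4", "sim_swap"),
    ("2024-01-15T11:00", "IMEI-C", "acct-5", "sim_swap"),
    ("2024-01-15T11:30", "IMEI-C", "acct-6", "sim_swap"),
    ("2024-01-17T12:00", "IMEI-A", "acct-1", "login"),
]

# Hypothetical thresholds; a real deployment would tune these on its own data.
WINDOW = timedelta(hours=24)
MAX_ACCOUNTS_PER_DEVICE = 2   # distinct accounts one device may touch per window
MAX_SWAPS_PER_DEVICE = 1      # SIM swaps one device may request per window


def review_swaps(events):
    """Return {(imei, account, timestamp): [reasons]} for SIM swaps to hold for review."""
    history = defaultdict(list)  # imei -> [(time, account, action)]
    held = {}
    for ts, imei, account, action in sorted(events):
        now = datetime.fromisoformat(ts)
        # Keep only this device's activity inside the sliding window.
        recent = [e for e in history[imei] if now - e[0] <= WINDOW]
        recent.append((now, account, action))
        history[imei] = recent
        if action != "sim_swap":
            continue
        reasons = []
        accounts = {a for _, a, _ in recent}
        swaps = sum(1 for _, _, act in recent if act == "sim_swap")
        if len(accounts) > MAX_ACCOUNTS_PER_DEVICE:
            reasons.append(f"device touched {len(accounts)} accounts")
        if swaps > MAX_SWAPS_PER_DEVICE:
            reasons.append(f"device requested {swaps} swaps")
        if reasons:
            held[(imei, account, ts)] = reasons
    return held


if __name__ == "__main__":
    for key, why in review_swaps(EVENTS).items():
        print(key, "->", "; ".join(why))
```

A held swap would be delayed and paired with the notification from item 3, so a legitimate customer who lost a phone can still confirm the request.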

 
FAIR LIMITATIONS
 
While we should have fairly limitless ways to introduce controls on our end there are a number of limitations that we might not be able to overcome.
 
1. The number portability rules do not allow us to interfere in the porting process except in these two cases:
  • the telephone number is not working due to a company-initiated suspension; or
  • the telephone number is not working due to a customer or company-initiated termination.
 
2. SIM swap is needed in case of the permanent loss of the device, so we must have this feature.   
 
3. While it might be a good idea to have multiple passwords on the account, most people have trouble remembering just one. Plus, we want to make the joining process as easy as possible and setting two passwords ahead of time would be cumbersome and therefore not a preferred option. 
 
DISCUSS! 
Comments
ALEX BAUMAN
13:44 10/31

It's a careful balance - protecting your account while making sure that you can quickly get a new SIM card up and running if you lose your phone.
