Is your wireless phone number secure? Wireless service providers play a role in preventing SIM hijacking and unauthorized port-outs.
(This feature is being proposed in response to member questions about making the SMS-based 2FA more secure)
In theory, your wireless phone number is one of a kind and you physically need your phone to read any text messages sent to you. Compared to online services that can be hacked, a text message to your phone is the best way to prove your identity in the online world.
This is why a verification code is sent by text message to prove that you are you when logging into an online account. Your phone number is a big part of your online identity, even if you don’t make traditional phone calls anymore.
The concept should be familiar. If you’ve used services like Uber, products like Nest, or have been asked to give out your phone number while using Facebook you have almost certainly used a form of two-factor authentication (2FA). Companies operating online are using wireless phone numbers as an additional method to verify your identity and sometimes even rely on SMS for password recovery (making the verification code over
SMS is the highest level of security for your online account.
So, sending an extra verification code over SMS provides extra security, but how secure is secure? What, if anything, can wireless providers do to keep this form of authentication secure?
Can my text messages be hacked?
There are ways to hack text messaging, but cloning aSIM card or intercepting the text message between the operator and the phone is very unlikely. The level of security that the SIM/eSIM provides is very high, despite it being a tiny little chip inside your phone.
The technology behind the SIM (Subscriber Identity Module) and eSIM responsible for ensuring the authentication between the phone and the operator relies on technology similar to what is used in credit card chips and biometric passports. In my years of building telecommunication products and services, I haven’t encountered a single case of SIM card security breach, but on the other side, the cases that involve account hijacking are in the news constantly.
Here are a few articles if you want to dive deeper:
- Two Factor Via Your Mobile Phone - Should You Stop Using It?
- Hey, Stop Using Texts Two-Factor Authentication
- 2 phones, 1 number: How a telecommunications mix-up affected strangers' lives
- Hackers Bypassing Some Types of Security, FBI Warns
- Does Two-Factor Authentication Really Make You Safer?
- Why Two-Factor Authentication Isn’t Always Totally Secure
Your SIM card is secure, but your phone number might not be
1. Unauthorized SIM swap
One of the most common ways for a wireless number to be hijacked is an unauthorized SIM swap - the process of changing which SIM card is associated with your wireless phone number.
SIM swaps can only be done by your wireless service provider, and it’s a feature needed when you lose your phone entirely, or to upgrade to a newer SIM card with more functionality (sometimes needed to enable newer services like Wi-Fi Calling or automatic Wi-Fi authentication using AAA).
To perform a SIM swap most carriers require an in-store visit, where the identity gets verified with physical IDs prior to performing the SIM swap. Needless to say, it relies a lot on the human factor - a vast network of stores, dealerships and partners are a security risk on their own.
FUN FACT: Modern SIM cards support over the air updates. Operators fixing network or phone issues by asking you to change your SIM card are doing nothing more than reprovisioning you on the network, something that doesn’t need a new SIM card.
This approach to technical support does more than just create waste, it wastes your time with unnecessary trips to the store.
Has your wireless provider ever done this to you? Let us know in the comments!
2. Unauthorized wireless phone number port out
The second and potentially most vulnerable scenario is wireless number portability. This was first introduced in Canada in 2007 And it allows you to transfer your phone number from one provider to another - it is yournumber after all. Usually, it takes anywhere from 5 -120 minutes to port the wireless number to another national carrier (but it takes up to 2 days to port a fixed/home phone number).
The risky part of portability is that the transaction happens at the new carrier, not the one you are already with. The new carrier doesn’t have any of your information on file, so they submit a request to your current carrier with a few details to prove your identity and port the number over.
In this situation, a hijacker needs to know your phone number, obviously, but they also need to know the account number with your current carrier (often printed on the mailed invoice) or your SIM card number(printed on the SIM card). These aren’t details that most people keep secure, or worry about repeating in public spaces like the bus or a coffee shop.
Unauthorized port outs are extremely difficult to deal with because you have to deal with two different wireless service providers who have to figure out which one made a mistake and who is the real you.
DISCUSSION: Potential solutions in an all-digital full MVNO setup
Better security controls, retail training, clauses in the 3rd party contractor agreements is not our thing. Handling sensitive information in retail stores or live agents around the world will always carry a certain risk. We are here to figure out how to do this better in the all-digital environment. Here is the outcome of our internal discussion - few additional security features that can help to prevent your wireless number hijacking proposed for our Gorse release.
- the telephone number is not working due to a company-initiated suspension; or
- the telephone number is not working due to a customer or company-initiated termination.
I prefer OTP over the SMS 2FA
I've worked in telecom for years. And I agree, SIM swapping rarely needs to be done unless the SIM itself is physically damaged. I've had customers come in because tech support told them to come into store to do swap(in reality the agent was a. lazy and didn't want to do the work. b. A new rep and didn't know. C. didn't want to deal with the nasty customer and wanted to just get them off the phone. You can also add yet another layer of protection and add a SIM PIN. Be careful of this because if you forget your SIM PIN, you'll have to get a PUK code from your carrier(unless you kept the rest of the card, usually the PUK is also printed on it). In theory using SMS for 2FA sounds secure because usually you'll always have your cell phone with you. But keep in mind, your cell phone number and these companies were never intended to be a form of ID. Using an authenticator app is best practice because if you ever lose your number due to personal economical reasons or had your phone lost/stolen/broken. But at the same time, SMS is nice because you don't have to rely on an internet connection.
I use Two-factor Authentication Over SMS with Google, and Microsoft offers it too, among other service providers. It just makes sense! Technology improves, but so do hackers...
It's a careful balance - protecting your account while making sure that you can quickly get a new SIM card up and running if you lose your phone.