There’s a lot of opportunity to tighten up controls around sim swapping. But I’d be cautious about this idea being used to introduce phone number registration legislation (outlawing burner phones). Legislators have tried and failed to do this at least two times that I know about. Legislatively, this could even be achieved indirectly, by creating the correct liability regulations for service providers.
Doesn't creating liability typically cause a lot of undesired side effects? Like poor and marginalized people being unable to swap since they everyone knows people like that are up to no good.
Seems better to mandate a reasonable process. Like if you have connected your sim to your identity you prove your identity to swap. And if you have not, then you can swap by physically presenting the old sim.
Regulating in general causes a lot of unintended side effects, but creating new liability is certainly one of the more effective ways of generating them.
In this specific case (depending on how cynical you are), you might see such a side effect as simply a potential unintended consequence, or you might see it as a potential opportunity for law makers to stealthily pass legislation/regulation they have previously failed to pass.
There’s no way to say that any changes will even come from this letter at the moment. But if you think compulsory phone number registration is a bad thing (and there’s plenty of reasons to be against it), then I’d suggest you pay attention to how this issue develops, as it would be the perfect opportunity to sneak it in.
Instead of trying to shoehorn security into systems that were never meant for authentication (PSTN, social security), how about building one that’s actually fit for purpose?
This seems like it's already a serious and growing problem. It might be best to take a two-pronged approach of quickly implementing process requirements that make such swaps harder for crooks while working to come up with a longer-term technological solution.
It's crazy that a minimum-wage retail mobile store employee is the weak link in a system that protects almost everyone's financial assets from banking and investment accounts to credit cards and crypto-currencies.
I purchased an unlocked iPhone recently from Apple and decided to swap my AT&T SIM to the built in eSIM so that I could free the physical slot while traveling. I walked into an official AT&T store, told the guy what I wanted and within 10min or so I was on my way out. At no point did he ask me to verify any info on the account, he didn't ask for an ID, my name, send a verification text, or even ask for the old SIM. All I gave him was the phone number I wanted ported to the eSIM, and the corresponding IMEI from my phone.
As others have pointed out, regulating SIM swapping might have unintended side effects. A better approach may be to pressure internet companies, and especially email providers, to drop SMS as a method of authentication.
This isn't actually a tech problem. It is a business process problem. Likely don't even need to replace much SIM related tech (encryption, authentication) to do so. Most of it is better procedures and protection from social engineering and fraud.
Faulty procedures and just plain bad basic security practices. The bar is so low that if you wrote up and suggested the current system as a plan for some homework assignment you'd likely fail. Probably get told to rework it and you might scrape by with a pass.
So there are two aspects: 1) Basic confirmation steps are seen as weakly performed. 2) Obvious steps are left out. The fact that its a revelation for them for the need to notify banks that a sim swap occurred is just one example. Really? No one thought that banks would be interested at all? Just how inexperienced are the people designing these processes? And the swap itself. Please tell me that mother's maiden[0] name is not used or that they don't put a lot of faith in using a birthdate as a secret. Details you might find on Facebook/Google etc should only be used to confirm which Fred Smith's account is being modified. Not whether it is Fred authorising the change.
This is a great way to see into the underlying technical debt that likely exists elsewhere in their systems. If they are this sloppy here then other aspects are likely just as bad.
>The fact that its a revelation for them for the need to notify banks that a sim swap occurred is just one example. Really? No one thought that banks would be interested at all?
If I lose my phone, I call Verizon to move service over to last year's model sitting in a drawer somewhere. It'd be very surprising and creepy if Chase somehow knew about or acted on this change.
> Please tell me that mother's maiden[0] name is not used or that they don't put a lot of faith in using a birthdate as a secret.
On that customer service call, I have to give an account PIN. According to them, if I don't know it I have to come into a retail store with photo ID. That seems pretty sensible.
But it's not bulletproof. Probably at least one retail store employee would take a sufficiently large bribe to skip the ID verification step.
Each their own. In general, I'd also like a away of knowing when a SIM swap attempt occurred. An SMS would be fine.
And I'd like my bank to know when a swap occurred for basic fraud detection. Don't need them to know necessarily which mobile provider, but I'd appreciate a way to prevent all my accounts being cleared out the same or next day as a SIM swap. Even the simple act of the bank being able to know so they can temporarily raise security requirements for a few days. A way of registering who to notify on SIM swap would actually be useful.
SIM swaps are only part of the picture. Still have PINs, authenticators, photo ID etc.
For the cost of that integration, the bank could also just implement 2FA correctly. U2F, TOTP, even proprietary crap like Symantec VIP are all inherently resistant to SIM swaps because they keep a secret key on the actual device; PSTN routing doesn't matter.
14 comments
[ 3.1 ms ] story [ 38.9 ms ] threadSeems better to mandate a reasonable process. Like if you have connected your sim to your identity you prove your identity to swap. And if you have not, then you can swap by physically presenting the old sim.
In this specific case (depending on how cynical you are), you might see such a side effect as simply a potential unintended consequence, or you might see it as a potential opportunity for law makers to stealthily pass legislation/regulation they have previously failed to pass.
There’s no way to say that any changes will even come from this letter at the moment. But if you think compulsory phone number registration is a bad thing (and there’s plenty of reasons to be against it), then I’d suggest you pay attention to how this issue develops, as it would be the perfect opportunity to sneak it in.
It's crazy that a minimum-wage retail mobile store employee is the weak link in a system that protects almost everyone's financial assets from banking and investment accounts to credit cards and crypto-currencies.
Faulty procedures and just plain bad basic security practices. The bar is so low that if you wrote up and suggested the current system as a plan for some homework assignment you'd likely fail. Probably get told to rework it and you might scrape by with a pass.
So there are two aspects: 1) Basic confirmation steps are seen as weakly performed. 2) Obvious steps are left out. The fact that its a revelation for them for the need to notify banks that a sim swap occurred is just one example. Really? No one thought that banks would be interested at all? Just how inexperienced are the people designing these processes? And the swap itself. Please tell me that mother's maiden[0] name is not used or that they don't put a lot of faith in using a birthdate as a secret. Details you might find on Facebook/Google etc should only be used to confirm which Fred Smith's account is being modified. Not whether it is Fred authorising the change.
This is a great way to see into the underlying technical debt that likely exists elsewhere in their systems. If they are this sloppy here then other aspects are likely just as bad.
[0] "Maiden", really, it is the 21st century!
If I lose my phone, I call Verizon to move service over to last year's model sitting in a drawer somewhere. It'd be very surprising and creepy if Chase somehow knew about or acted on this change.
> Please tell me that mother's maiden[0] name is not used or that they don't put a lot of faith in using a birthdate as a secret.
On that customer service call, I have to give an account PIN. According to them, if I don't know it I have to come into a retail store with photo ID. That seems pretty sensible.
But it's not bulletproof. Probably at least one retail store employee would take a sufficiently large bribe to skip the ID verification step.
And I'd like my bank to know when a swap occurred for basic fraud detection. Don't need them to know necessarily which mobile provider, but I'd appreciate a way to prevent all my accounts being cleared out the same or next day as a SIM swap. Even the simple act of the bank being able to know so they can temporarily raise security requirements for a few days. A way of registering who to notify on SIM swap would actually be useful.
SIM swaps are only part of the picture. Still have PINs, authenticators, photo ID etc.