Princeton University's Department of Computer Science and Center for Information Technology Policy just released a draft report entitled An Empirical Study of Wireless Carrier Authentication for SIM Swaps, which examines the authentication procedures for the top five pre-paid wireless carriers in the U.S. Their findings, not surprisingly, are that all five carriers used insecure authentication challenges that could be easily subverted by attackers. The report also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed.
The research appears solid, the methodology is straightforward and the conclusion is difficult to refute. It also largely blames the biggest victim of the recent surge in SIM swapping.
It is easy to call out the carriers for laughably bad protection against identity theft, but they never agreed to be your identity guardian; that decision was made for them by a swarm of well-meaning but short-sighted companies and their legions of developers. Second-factor authentication using text messaging and/or phone calls seemed like a reasonable way to protect users from some of the inherent flaws of password security, but it shifted the vulnerability and the responsibility from the service to the carrier. This one neat trick shifted the cost and responsibility for safeguarding your identity from the hundreds of thousands of sites users trust with their money and their lives to the phone carrier they pay $40/month.
Authentication is not someone else's problem. It is ALL of our problems. Solving the challenge of secure, reliable and private authentication requires much more than asking users to surrender their phone number. Calling out phone carriers for their (admittedly inadequate) SIM swap procedures is really blaming the victim for our collective laziness.