
Tight lips sink ships - US Carriers refuse to work with banks and other services to prevent sim swap fraud

rcmaehl

Source:
Wired

Summary:
Major US carriers refuse to work with 3rd party security services to prevent sim swap fraud despite other countries already having it implemented


Quotes/Excerpts:

Quote

A year ago, André Tenreiro was called into a meeting between the CTO of the phone carrier he worked for, one of the largest in Mozambique, and an executive of the country's largest bank. The latter had seen an escalating pattern of fraud based...SIM swap attacks, where hackers trick or bribe a phone company employee into switching the SIM card associated with a victim's phone number.... then use that hijacked number to take over banking or other online accounts. The bank had seen more than 17 SIM swap frauds every month. The problem was only getting worse. "The gentleman from the bank, I could see by his face he was desperate. He wanted to do something but he didn't know what to do," SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim's banking credentials, or by using the phone number as a password reset fallback. The phone company... offered a straightforward fix: The carrier would set up a system to let the bank query phone records for any recent SIM swaps...before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled. By August of 2018, Mozambique's largest bank was performing SIM swap checks with all the major carriers. "It reduced their SIM swap fraud to nearly zero overnight," According to WIRED's interviews with security firms and executives in the banking and telecom industries, companies in other countries...where the prevalence of mobile payments have made SIM swaps a particularly serious threat...have put similar carrier-checking remedies in place. But there's one country where experts say the fix hasn't taken hold: the US. Security firms and banking executives point to US carriers as the main hurdle. They simply don't make real-time SIM swap data available for the kind of security checks other countries'...have implemented. 
Security company Telesign has sought to offer SIM swap fraud-checking to US banks, but has found that most US phone companies aren't yet willing to work with them. When WIRED reached out to the four major US carriers, they all either declined to respond on the record or referred questions to CITA, the telecom industry association.


My Thoughts:
Similar to what happened to @LinusTech back in 2016. Security companies and banks worldwide have been working with carriers to cut down on the widely successful sim swap fraud. Personally, this is a weak point in some of my accounts on sites that don't support other 2FA such as YubiKey. Honestly, I don't see much of a downside of the carriers allowing companies to see this data and I really want carriers to change their ways so that one of the larger holes in cyber security, people, can have some failsafes when they've been tricked. I'm somewhere between highly disappointed and mildly pissed off at this news.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
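The carrier-check flow the Wired excerpt describes (bank asks the carrier for the last SIM swap on the account's number and holds a transfer if the swap is inside a two-to-three-day window) is simple enough to model end to end. The code below is an added example written for this thread, not code from the article, from any carrier or bank, or from rcmaehl; the carrier lookup is assumed to return a last-swap timestamp (or nothing), and every phone number, date and transfer id is constructed for illustration. It also covers the edge case the article is really about: when the carrier answers nothing at all, the bank stops trusting the SMS channel rather than defaulting to allow.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # no recent swap on record: release the transfer
    BLOCK = "block"        # SIM changed inside the window: hold the transfer
    STEP_UP = "step_up"    # carrier gave no data: require a non-SMS factor instead


@dataclass(frozen=True)
class SimSwapRecord:
    msisdn: str
    last_swap_at: Optional[datetime]   # None means the carrier has no swap on file


# Constructed carrier records for the example (hypothetical numbers and dates).
NOW = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)
CONSTRUCTED_CARRIER_RECORDS: Dict[str, SimSwapRecord] = {
    "+15550000001": SimSwapRecord("+15550000001", NOW - timedelta(hours=20)),  # swapped yesterday
    "+15550000002": SimSwapRecord("+15550000002", NOW - timedelta(days=31)),   # swapped a month ago
    "+15550000003": SimSwapRecord("+15550000003", None),                        # never swapped
}

# Constructed transfer attempts: (attempt id, phone number tied to the account).
CONSTRUCTED_TRANSFERS: List[Tuple[str, str]] = [
    ("t1", "+15550000001"),
    ("t2", "+15550000002"),
    ("t3", "+15550000003"),
    ("t4", "+15550000009"),   # a number the carrier returns nothing for
]


def decide_transfer(msisdn: str, now: datetime,
                    records: Dict[str, SimSwapRecord], window_days: int = 3) -> Decision:
    """Decide one transfer from the carrier's swap data for the account's number."""
    record = records.get(msisdn)
    if record is None:
        # No answer from the carrier (the US situation the article describes).
        # The safe default is to stop relying on SMS, not to wave the transfer through.
        return Decision.STEP_UP
    if record.last_swap_at is None:
        return Decision.ALLOW
    if now - record.last_swap_at <= timedelta(days=window_days):
        return Decision.BLOCK
    return Decision.ALLOW


def screen_transfers(transfers: List[Tuple[str, str]] = CONSTRUCTED_TRANSFERS,
                     records: Dict[str, SimSwapRecord] = CONSTRUCTED_CARRIER_RECORDS,
                     now: datetime = NOW, window_days: int = 3) -> Dict[str, str]:
    """Screen a batch of transfers; returns {attempt id: decision string}."""
    return {attempt_id: decide_transfer(msisdn, now, records, window_days).value
            for attempt_id, msisdn in transfers}


if __name__ == "__main__":
    for attempt_id, decision in screen_transfers().items():
        print(attempt_id, decision)
```

The window is a tunable: the article's two-to-three days is short enough to let a legitimate phone upgrade clear quickly but long enough that a victim has noticed their phone going dead. A bank that widens it trades more false holds for more coverage.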



Honestly the easiest way to combat this without checking for a sim swap is a 10min countdown. I'm surprised no one has done it; all it would be is a 2fa code is sent only after 10 min with a cancel button and an initial text saying a 2fa code is being sent. This way you have multiple layers of protection. 1. A way to have time to check if your sim card is spoofed, since if it is being spoofed your phone will go offline before you actually send the code and 2. an initial text or email to let you know someone is requesting a 2fa code.
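The delayed-code scheme in the post above (heads-up message now, the actual code only after a countdown, with a cancel option in between) is a small state machine. The code below is an added example written for this thread, not Shorty88jr's code or any bank's; the 10-minute delay, the message texts and the phone numbers are constructed, and a fixed clock is passed in so the timing is reproducible. It shows the two outcomes the post relies on: a request the owner cancels during the window never gets a code, and a cancel that arrives after the code has gone out is rejected.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Tuple


class State(Enum):
    PENDING = "pending"       # heads-up sent, waiting for the delay to run out
    CANCELLED = "cancelled"   # account owner cancelled during the delay
    SENT = "sent"             # delay elapsed, code released to the phone


@dataclass
class OtpRequest:
    request_id: str
    msisdn: str
    created_at: datetime
    state: State = State.PENDING
    messages: List[Tuple[str, str]] = field(default_factory=list)   # (kind, text) in send order


class DelayedOtpService:
    """Holds each one-time code for `delay` and releases it only if not cancelled."""

    def __init__(self, delay: timedelta = timedelta(minutes=10)):
        self.delay = delay
        self.requests: Dict[str, OtpRequest] = {}

    def request_code(self, request_id: str, msisdn: str, now: datetime) -> OtpRequest:
        req = OtpRequest(request_id, msisdn, now)
        minutes = int(self.delay.total_seconds() // 60)
        # The heads-up goes out immediately; the code itself does not.
        req.messages.append(("heads_up",
                             f"A login code will be sent in {minutes} minutes. "
                             "Reply CANCEL if this is not you."))
        self.requests[request_id] = req
        return req

    def cancel(self, request_id: str, now: datetime) -> bool:
        """Cancel a pending request; returns False if the window has already closed."""
        req = self.requests[request_id]
        if req.state is State.PENDING and now < req.created_at + self.delay:
            req.state = State.CANCELLED
            return True
        return False

    def release_due(self, now: datetime) -> List[str]:
        """Send codes for every pending request whose delay has elapsed."""
        released = []
        for req in self.requests.values():
            if req.state is State.PENDING and now >= req.created_at + self.delay:
                req.state = State.SENT
                code = f"{secrets.randbelow(10 ** 6):06d}"   # six-digit code
                req.messages.append(("code", code))
                released.append(req.request_id)
        return released


def run_demo() -> dict:
    """Walk two constructed requests through the countdown and report what happened."""
    t0 = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)
    svc = DelayedOtpService()
    svc.request_code("r1", "+15550000001", t0)   # request the owner really made
    svc.request_code("r2", "+15550000002", t0)   # request the owner did not make
    svc.release_due(t0 + timedelta(minutes=5))   # nothing is due yet
    cancelled = svc.cancel("r2", t0 + timedelta(minutes=5))     # owner reacts in time
    released = svc.release_due(t0 + timedelta(minutes=10))      # only r1 goes out
    late_cancel = svc.cancel("r1", t0 + timedelta(minutes=11))  # too late to cancel
    return {
        "cancelled_r2": cancelled,
        "released": released,
        "late_cancel_r1": late_cancel,
        "r1_state": svc.requests["r1"].state.value,
        "r2_state": svc.requests["r2"].state.value,
        "r1_kinds": [kind for kind, _ in svc.requests["r1"].messages],
        "r2_kinds": [kind for kind, _ in svc.requests["r2"].messages],
    }


if __name__ == "__main__":
    print(run_demo())
```

The cancel channel matters as much as the delay: if the only way to cancel is a reply to the same phone number, a swapped SIM can cancel on the victim's behalf, so the heads-up should also reach a channel the SIM does not control, such as the email the post mentions.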


@Shorty88jr yea man, waiting 10 minutes is what everyone wants when they're about to pay for something

MSI GX660 + i7 920XM @ 2.8GHz + GTX 970M + Samsung SSD 830 256GB


6 hours ago, Neftex said:

@Shorty88jr yea man, waiting 10 minutes is what everyone wants when they're about to pay for something

If it means keeping my account secure yeah. Security isn't about convenience. Also I don't know where you bank but I don't need to login to my account to buy something.


Hmmm

Maingear F131 "Ghost Edition" | MSI Z390 | i9 9900k | Gaming Edge | Apex Full Liquid Cooling | 64 GB HyperX Predator RGB 3200 MHZ | SLI 2080 RTX Ti |1200 W EVGA SuperNOVA P2 | 2 TB NVME WD BLACK | 2 TB NVME m.2 660 p | 4 TB HD | ASUS ROG PG27UQ


Honestly. Sim fraud sucks…but so does anybody's business process that can be taken advantage of because of it. If the carriers don't want to have to deal with keeping that info in a way that can be handed out cleanly and easily all the time every day…there's no reason for their business practices to have to do so.


The entire wireless space from wifi (even the newest WPA3 that's barely starting to get put out) through 5g have well known security holes in them, so using a simple code sent to something wireless as a 2nd factor just doesn't really cut it anymore anyway unless you're using already authenticated and encrypted channels such as a good SSL session…in which case, you already used or don't need the 2nd factor.


The better way is using tech that isn't tied to just a sim.  Sure, the sim is a nice "also" security factor, but it can't be expected to be the same, especially as people swap phones or travel, so there will always need to be processes to allow for circumventing it anyway.  There are various hardware tokens (like I have for etrade), apps on devices that mimic the tokens once set up (though, most banking apps aren't even close to secure in the first place, so good luck), as well as more secure platforms such as the secure enclave auth of Apple Pay and dedicated public key encryption devices such as YubiKey, and even an upcoming authentication method called SQRL that you'll probably start to see more about later in the summer or fall.  There's 0 reason a bank shouldn't be requiring a better method of 2nd factor auth these days instead of txt'ing you a number, and if you don't have one available already, handing out a token like etrade does.

