Experts Comments On Two-factor Authentication Obsolete In The Face Of SIM Swapping Attacks

In a blog post, security researchers said that many mobile operators aren’t asking the difficult security questions to ensure the caller is the legitimate mobile phone user.

Researchers pointed to a particular Princeton study, where researchers made around 50 attempts across five North American prepaid telecom companies to see if they could successfully port a stolen number (their own) to a SIM card.

The research showed that in most cases a threat actor only needs to answer one question right when questioned by a customer service representative to reset the password on the account and port the number over.


EXPERTS COMMENTS
Markus Jakobsson, Founder, ZapFraud Inc
January 22, 2020
SMS-based 2FA is not doomed
The traditional paradigm is to simply send a secret code by SMS to a registered account holder; the reason why this is vulnerable, whether to social engineering or SIM-jacking, is that anybody with that code can authenticate. A change of paradigm - without much change in the user experience - would instead verify that the SMS is "used" by a person with a recognized device. (For more details, s ....
Dewald Nolte, Chief Commercial Officer, Entersekt
January 21, 2020
Due to the way that the industry uses SMS based verification codes, detection is not always a foolproof way of eliminating this type of attack.
There are two approaches you can use to combat SIM swap attacks; namely, detection and prevention. Due to the way that the industry uses SMS based verification codes, detection is not always a foolproof way of eliminating this type of attack. It can certainly make life more difficult for the perpetrator, but there are advanced techniques available to get around most of the detection techniques. Th ....