WhatsNew2Day

Princeton reveals that five of the largest US carriers do not protect consumers against SIM swap attacks

Are you protected against SIM swap attacks? Alarming Princeton tests show that five of the largest US carriers do not follow authentication protocols

  • AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless failed
  • Experts tried 50 SIM swaps and successfully completed 39
  • Posed as the phone's owner and said they had forgotten the answers to security questions
  • Some carriers led them to the correct answer or asked nothing at all

The five largest US carriers do not protect customers against SIM swap attacks, according to a new study.

Researchers at Princeton University contacted AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless and discovered that they all “used unsafe authentication challenges that could easily be undermined by attackers.”

Of the 50 SIM swap attempts, 39 were successful simply by telling representatives that they had forgotten the answers to the security questions.

The team noted that they had repeatedly given incorrect answers, but were still allowed to switch to another SIM card in a smartphone.


“Our main finding is that at the time of our data collection, all 5 providers used unsafe authentication challenges that could easily be undermined by attackers. We also found that callers generally only had to respond successfully to one challenge to verify, even if they had failed numerous previous challenges,” the team wrote in the study.

SIM swapping is the exchange of one SIM card for another; consumers must contact their network provider to have a representative switch service to another card.

DailyMail.com has contacted AT&T, Verizon and US Mobile for comments and has yet to receive a response.

To swap a SIM card, researchers claimed that they had forgotten the answer to the primary security question, and then claimed that the reason they could not answer questions about things like their date and place of birth was that they had made an error when setting up the account.



Tracfone and US Mobile were found to swap SIMs without asking for authentication.

“Tracfone and US Mobile offered no challenges that our simulated attacker could answer correctly,” the team wrote.

“However, customer service representatives at these providers allowed us to perform our SIM swap without ever correctly authenticating: 6 times with Tracfone and 3 times with US Mobile.”

What is SIM swapping?

SIM swapping is a scam in which a thief transfers a victim's telephone number to the thief's own phone.

Once the phone number is transferred to the thief’s phone, that person can then receive or place calls and send text messages with the stolen number.

He or she can then bypass text-based two-factor authentication security measures and intercept text messages that contain security codes needed to reset passwords and access the victim’s online accounts.

Perhaps most disturbing was the fact that some carriers disclosed personal information to the team that was needed to answer a security question.

AT&T disclosed the month of activation and the last payment date, and allowed multiple attempts to guess the day.

Representatives also guided them to the correct date.

In three cases, US Mobile callers provided the billing address on the account prior to authentication.

Verizon allowed the switch after two recently dialed numbers were provided, even though researchers had failed all previous challenges, such as the PIN.

The investigation also showed that all carriers used weak security challenges. One example was the last payment on the account, which an attacker could undermine.

An attacker can buy a refill card in a store, submit a refill to the victim’s account and then request a SIM change with the known refill as authentication.
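The sketch below is an added example, not code from the study or from any carrier. It replays a constructed call log under the behaviour the researchers report (one correct answer verifies the caller, earlier failures ignored) and under a stricter rule. The challenge names and the set of challenges treated as weak are assumptions; the article itself names only the last payment as weak.

```python
from dataclasses import dataclass

# Assumed classification for this sketch: challenges an outsider can influence
# or guess do not count as authentication. Only "last_payment" is named as
# weak in the article; the other labels are illustrative.
WEAK_CHALLENGES = {"last_payment", "recent_numbers", "billing_address", "date_of_birth"}
MAX_FAILURES = 0  # stricter rule: any failed challenge ends the swap request


@dataclass(frozen=True)
class Attempt:
    challenge: str  # e.g. "pin", "last_payment"
    passed: bool


def observed_policy(attempts):
    """Behaviour the study reports: one success verifies, earlier failures ignored."""
    return any(a.passed for a in attempts)


def hardened_policy(attempts):
    """Deny on any failure; require at least one pass on a non-weak challenge."""
    failures = sum(1 for a in attempts if not a.passed)
    if failures > MAX_FAILURES:
        return False
    return any(a.passed and a.challenge not in WEAK_CHALLENGES for a in attempts)


def review_call(attempts):
    """Return the findings an auditor would flag in one call's challenge log."""
    findings = []
    verified = observed_policy(attempts)
    if verified and any(not a.passed for a in attempts):
        findings.append("verified after failed challenge")
    if verified and all(a.challenge in WEAK_CHALLENGES for a in attempts if a.passed):
        findings.append("verified only by weak challenge")
    return findings


# Constructed call log: PIN failed, then a last-payment question answered.
CALL = [Attempt("pin", False), Attempt("last_payment", True)]
# Constructed legitimate call: PIN answered correctly on the first try.
GOOD = [Attempt("pin", True)]

if __name__ == "__main__":
    for name, call in (("CALL", CALL), ("GOOD", GOOD)):
        print(name, observed_policy(call), hardened_policy(call), review_call(call))
```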
