That kind of SIM-swapping technique could be used by attackers to gain control of a victim’s phone number. They can then use that number to reset the victim’s passwords and access, say, their emails and bank accounts.
To test the carriers’ security measures, the researchers called the companies to request a SIM swap and intentionally provided the wrong PIN to force the customer service rep to try another authentication method. When asked for the account holder’s date of birth or billing ZIP code, they’d say that they must’ve made a mistake upon signup and provided the wrong information.
The customer service rep would then have to move to a third authentication method: asking the caller for their two most recently made calls. It was through this method that the researchers were able to complete the SIM swaps. And that’s alarming, since attackers can easily trick victims into calling random phone numbers.
In addition, the researchers examined 140 popular online sites and services that use phone authentication to see what attackers can do with the numbers they hijack. They were easily able to reset passwords on 17 of those services using only the hijacked SIMs, since they weren’t asked additional authentication questions.
The Princeton researchers provided a copy of their findings to the carriers last year, and T-Mobile notified them this month that it doesn’t use call logs as a form of authentication anymore. We’ve reached out to the other four carriers for a statement.