Among the dozens of exciting ways to get hacked these days, none are more dangerous than the SIM port-out. Consumers have increasingly started using two-factor authentication to secure everything from Facebook to bank accounts, and often the 2FA security code is sent via a text message. So criminals are following the system, and persuading cell companies via a little social engineering to port out people’s numbers to a different company, putting control of the victim’s cell number — and thus any authentication text messages — in the hands of the criminals.
This has been possible because for years, cell companies haven’t used a robust system to verify customer identity over the phone for a port-out. All the carriers offered some kind of security code to secure your account, but it wasn’t mandatory, and often a combination of name, billing address and social security number — easily taken from something like the Equifax hack! — was enough to port out a number.
At this week’s Mobile World Congress in Barcelona, an industry group that includes all four major US carriers announced a “next-generation mobile authentication platform” that aims to solve 2FA fraud once and for all.
Rather than just addressing the security concerns around porting out numbers, which carriers are doing on their own, the “Mobile Authentication Taskforce” is working on a system that makes SMS messages a viable and secure authentication option. The “highly secure solution” will deliver a cryptographically verified phone number and profile data for users of authorized applications with their consent,” and further verification will come from examining factors like “a network verified mobile number, IP address, SIM card attributes, phone number tenure, phone account type.”
Reading between all the buzzwords, it seems that mobile carriers will use common online tells to flag up suspicious phone numbers — for example, if the number has an American area code and American billing address, the system might flag an attempted log-in from Russia.
The technology will begin internal trials in the “next few weeks,” with a full roll-out expected by the end of the year.
