SIM swap fraud

I've heard rumours about the possibility of SIM-swap "identity theft" (fraud) but wasn't aware of the details ... until reading a couple of recent articles pointing to an academic paper from a team at Princeton University.

The fraud involves socially engineering the cellphone companies into migrating a victim's cellphone number onto a new SIM card, one in the fraudster's possession. That gives the fraudster control of a factor used in several multifactor authentication schemes ... and in some cases, that's enough to take full control (e.g. resetting the victim's password - another factor). Otherwise, it might take them a bit more effort to guess, steal or brute-force the victim's password or PIN code first.

Authentication is usually a key control, yet authentication schemes often turn out to have vulnerabilities due to:
  • Fundamental design flaws (e.g. saving passwords unencrypted or weakly encrypted) 
  • Bugs in the software and firmware (e.g. cheat codes - bypasses and backdoors in production, and broken crypto in CPU microcode)
  • Physical hardware limitations (e.g. the tolerances needed for biometrics, allowing fakes and forgeries)
  • Issues in their implementation, configuration and administration (e.g. giving new users the same well-known default passwords or weak password reset mechanisms) 
  • Operational "user" issues (e.g. naively falling for phishing attacks)
Multifactor authentication is stronger than single-factor authentication but still not perfect ... hence aside from addressing the vulnerabilities, we should also anticipate control failures and put in place further, supplementary controls to detect and respond to incidents.
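
One such supplementary control, as an added example that is not from the Princeton paper or any carrier's or bank's code: a service that relies on SMS as a factor can treat a recent SIM change on the number as a signal, refusing the SMS factor for high-risk actions such as a password reset and raising an alert for review. The example assumes a SIM-change feed is available (constructed here as an in-memory log; the phone numbers, timestamps and the seven-day cooldown are illustrative assumptions).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: the most recent SIM-change timestamps a carrier
# lookup or an internal provisioning log would report per phone number.
# These numbers are reserved fictional values, not real subscribers.
SIM_CHANGE_LOG = {
    "+15550000001": [datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)],
    "+15550000002": [datetime(2024, 3, 9, 14, 30, tzinfo=timezone.utc)],
    "+15550000003": [],
}

# Assumed policy: a SIM change within this window is treated as suspicious.
COOLDOWN = timedelta(days=7)

# Actions where control of the SMS factor alone must not be sufficient.
HIGH_RISK_ACTIONS = {"password_reset", "change_recovery_phone", "add_payee"}


@dataclass
class Decision:
    allow_sms_factor: bool  # may an SMS one-time code satisfy this action?
    alert: bool             # should this be surfaced for detection/response?
    reason: str


def evaluate_sms_factor(number, action, now, sim_log=SIM_CHANGE_LOG,
                        cooldown=COOLDOWN):
    """Decide whether an SMS code may be relied on for `action` on `number`."""
    changes = sim_log.get(number, [])
    last_change = max(changes) if changes else None
    if last_change is None or now - last_change >= cooldown:
        return Decision(True, False, "no SIM change inside the cooldown window")
    age = now - last_change
    if action in HIGH_RISK_ACTIONS:
        # Deny the SMS factor and route to a non-SMS factor or manual review.
        return Decision(False, True,
                        f"SIM changed {age} ago; require a non-SMS factor")
    # Low-risk action: allow, but record the event for later investigation.
    return Decision(True, True,
                    f"SIM changed {age} ago; allowed for low-risk action")


if __name__ == "__main__":
    now = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
    for num, act in [("+15550000001", "password_reset"),
                     ("+15550000002", "password_reset"),
                     ("+15550000002", "login")]:
        print(num, act, evaluate_sms_factor(num, act, now))
```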

The risks are there for authentication to networks, systems, apps and online services in general, but the greater potential impacts in the case of, say, banking, law enforcement and defence imply greater risks, justifying the investment in stronger controls.