In a blog post, security researchers said that many mobile operators aren’t asking the difficult security questions to ensure the caller is the legitimate mobile phone user.
Researchers pointed to a recent Princeton study in which the authors made around 50 attempts across five North American prepaid telecom companies to see whether they could port a stolen number (their own) to a new SIM card.
The research showed that in most cases a threat actor only needs to answer one question correctly when challenged by a customer service representative in order to reset the password on the account and port the number over.
"We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges. Within each carrier, procedures were generally consistent, although on nine occasions across two carriers, [customer service representatives] CSRs either did not authenticate the caller or leaked account information prior to authentication," the report said.
Once in possession of the mobile number, an attacker can then carry out attacks on a victim's bank account and reset passwords on other accounts tied to that number.
Researchers at PhishLabs pointed to one attack which resulted in the victim having their Coinbase account emptied, which was worth around US$100,000 (£77,000) in cryptocurrency.
They added that targeted organisations can reduce the threat of attacks by using 2FA methods that can’t be exploited remotely.
"Unlike phone number-based 2FA, Authentication App or device-based 2FA requires the user to have physical possession of the token and helps remove the risk of mobile carriers falling for phishers whose social engineering skills are on point," said researchers. "Mobile carriers also can reduce SIM swap attacks by requiring extra authentication layers such as PINs for remote services."
Martin Jartelius, CSO at Outpost24, told SC Media UK that when you are using SMS messages as a basis for authentication you are investing a trust in the service provider.
"If you want to mitigate those risks, use a different second factor such as hardware tokens or authenticator software, for example from Microsoft or Google. Note that offering multiple options for two-factor authentication, such as setting up use of an authenticator application AND a phone number, lowers the security to whichever is the least secure option as that will be targeted by attackers," he said.
David Richardson, senior director of product management at Lookout, told SC Media UK that users should make sure their mobile accounts have good security, such as PIN codes or additional security questions.
"If possible, avoid using SMS messages for two-factor authentication - there are a number of authentication apps that provide a similar service. Even though SMS messages are vulnerable, it is better to use them for 2FA than to use nothing at all. Best of all is to use non-SMS-based MFA tools, though," he said.