top | item 28250709

mushishi | 4 years ago

How is it possible that some kind of imaginative script can be enough to get SMS sim swapped? Why aren't the operators requiring a strong identification via a passport or something like that? Maybe I'm really dumb but that just boggles my mind, whether or not there exist other types of alternatives to 2FA.

Destitute|4 years ago

There's not much you can confirm over the phone, except the account PIN and sometimes a security hint. But an attacker can pretend to have forgotten it and press that the matter is urgent. If the attacker knows enough about the person, they might be able to convince an agent to make the swap so the agent can:

1) Get on with their day to maybe hit a support request quota
2) Make sure this person doesn't give them a bad customer satisfaction score

cinntaile|4 years ago

You could require verifying your identity using your electronic ID if you want to SIM swap by calling the helpdesk.

jdavis703|4 years ago

They could require this. Most of the big operators have physical stores where they could do an ID check. There should be an advanced protection mode where SIM swaps and other sensitive operations require physical authentication.

mushishi|4 years ago

Yes this, please!