2-step verification doesn't provide the security I expected

Today I went to the closest +Orange France​ shop in Chambéry, France to request a new SIM card, pre-cut to the nano size.

This SIM exchange was easy.
Too easy actually, and I'm coming back with serious doubts on the validity the 2-step auth or verification as we use it today.

Here's the story:

I enter the shop, a lady welcome me and ask the reason of my visit.
I'd like to request a new SIM card
The lady asked my name and my phone number
My name is François Simond, 0699XXXXXX
I'm told that it should be ready in 20 minutes, and I can wait here or run a few errands in the meantime, I choose the later
20 minutes later, I'm back and receive consequently an SMS telling my SIM card is ready.
5 minutes after, a gentleman call my name, we go sit at his desk, he confirms if it's about a new SIM
Yes
He goes to grab an envelope in another room and give it to me, announcing this is my new SIM:
When will it be activated ?
He answers "immediately" and indeed my phone just lost reception.
I thank him and leave the store, ready to get the new SIM in my phone and happy with the service.

Then I start to think a little:

– Did they really deactivated my SIM without any kind of confirmation that the owner requested to?

– Did they really gave a new SIM, with complete access to my phone line, the capability to receive and emit SMS/MMS, and unrestricted ability to send and receive internet packets that can be traced back to me… without knowing anything about who they were giving this to?

Then I thought that I felt confident before that my Google accounts were protected by the additional code generated by the app or sent by SMS as recovery, well: not anymore!
Anyone can gain access to my phone line, they just need to walk in a store, say my name, get a new SIM – disconnecting me in the process.

Bank account? Same thing!

I assumed that anyone capable of making and delivering a new SIM would do so after a careful identity check.
But apparently, it was merely wishful thinking.

Now I have questions:

1/ Does your wireless carrier give new SIM on demand to anyone walking in a store just like +Orange France​ did today?

2/ 2-step auth with SMS as recovery is a joke. Would you recommend disabling the SMS recovery? Is there a risk to be locked out that way?

And.. really.. the privacy and security implications of this simple stupid thing: ouch.
I won't dare listing the various abuses possible using the same operation as an attack.

#supercurioBlog #security #SIM #carrier

 

Source post on Google+

Published by

François Simond

Mobile engineer & analyst specialized in, display, camera color calibration, audio tuning

54 thoughts on “2-step verification doesn't provide the security I expected”

  1. Yeah this is the weakest part of 2 factor using SMS (or phone confirmations). The other risk factor is that someone can 'port' your mobile phone number to another carrier by just signing a form promising it's your number.

  2. Tim Mobile in Brazil, Depending on the store they ask if you want to keep the large chip activated in case you need to use another phone. Warning that if using 2 at the same time this blocks both sim.

  3. For Malaysia carriers, I'm not sure whether the simcard activates immediately. But one cannot just enter a carrier store and request a new sim just by giving phone number and name. The identity card must be provided to verify your identity.

  4. I thought the same thing when I changed out a SIM card last week. All I had to do was provide my name and number, and I had a new SIM and the old one deactivated. I thought surely they would ask for a photo ID.

  5. I don't think it's needed just advised. Then there's the fact that you receive email notifications about someone trying to use the system and you can cancel it if you follow that email

  6. +François Simond​ sms/phone numbers must be really easy to divert security for agencies like NSA.

    But thanks for reminding me of how fragile sms security is, I never did much thinking about that but now I'm about to remove phone numbers from 2 step passwords. With codes is possible to reset password if we don't remember it doesn't it? If so i will grab some codes and dump them encrypted on some usb/local storage just in case I needed it someday.
    It's not the first time that I had to reset the password because I had forgotten it after a long time of not using it. Today my passwords have a method in its constitution and that makes it easy to remember but you never know

  7. Keep in mind, someone must first acquire your password before the SMS code is of any use. Hopefully we all use password managers. Anyone can have your phone or printed codes, but no one should know your password(s).

  8. Phone-telco based auth is weak. Recovery paths in general weaken security.

    Second factor is good, but it needs to be offline/standalone, like Google authenticator. Nothing anyone can change underneath you.

  9. makes me wish I could use a hardware token everywhere
    still it's secure unless you are targeted, 2 factor still keeps you safer from phishing where they don't target you, just any dummy they can trick into falling for their wicked ways.

  10. +François Simond Wow reading messages here it comes as huge surprise that an Indian carrier has better security procedures implemented.

    Here, we have to SMS the sim number of the new card to a toll free number of the carrier. You get confirmation that carrier has received sim change request and new sim will be activated within 4 hours and if you did not put in this request, call the customer care immediately. Then after some time the old son stops working and you can switch to the new sim card. They say up to 4 hours, but usually it's happens within an hour.
    So access to old sim is must if you want quick sim change.
    If you lose your sim or it's damaged and you rang to switch to be one, you need to fill out a form with your photo and address ID.
    That too is activated within an hour or two, but needs documentation.

  11. Tmobile US required government id to access your account for anything, even payment. Changing someone's sim card without id can lead to termination. Sorry the policy is so weak for your cell service

  12. +Kevin Carpenter​ having worked in European telecoms for over 10 years, the SIM is the keeper of the mobile number. You can pop it in to any phone (with whatever IMEI) and you can make and receive calls and texts. SIM swaps are a huge fraud vector allowing you access to a number of service, Orange France should be more careful in how they do them (you may have just had very friendly but stupid staff).

  13. +François Simond​​ j'ai moi même été chez Orange la semaine dernière pour récupérer une nouvelle SIM et ils m'ont demandé ma carte d'identité pour vérifier que j'étais bien le propriétaire de la ligne. Il ne peuvent pas faire mieux à mon sens.

    Donc je ne vois pas trop ou est la faille, si ton magasin t'a délivré la nouvelle SIM sans carte d'identité, alors la faute vient de chez eux et effectivement il faut faire remonter le problème dans leur magasin.

  14. +Olivier Jobert​ Interesting to know some ask an ID sometimes.
    Since what happened to me happened, it means that if you want to gain access to a line, you just need to go to enough stores and ask for replacements, and if they ask the ID you say: "oh sorry I forgot my ID" and retry elsewhere.

    They could indeed implementation methods like +Shripad Kudtarkar​​'s Indian carrier.
    Typically: just like there's an auth code sent by SMS to port your number to a new carrier, they could require the same to verify you already have access to the line when requesting a new SIM.
    And otherwise, require your ID for lost/stolen SIM then send the SIM to the address on file.

    You also have a login/password for the website, they could ask you this.

  15. O2 in the UK send you a text with a code when your in the shop to verify who you are and the number you are using then once that is verified they send another code to allow the simple swap as well as account details and password

  16. +Carlos Miguel Pereira since +Olivier Jobert's experience is different, my experience and other's experience is that wireless carriers who don't implemented automated verification are a weak link.
    Some employees will ask for the ID, some trying to be nice maybe won't.

    I don't expect to have any kind of change on +Orange France, however lesson learned: I will remove the SMS recovery option which weakens the 2-step process (in various ways: typically, a malware app could also intercept the SMS)

  17. +Carlos Miguel Pereira in France, prepaids became rare since contracts started to abandon fixations and provide much better value than prepaid a few years ago.

    It's for a Sosh 5GB/month contract that I'll cancel soon since I'm moving to Sweden.
    Interestingly, I was gonna keep it scaled down to the smallest offer to keep the french phone number in case I need to receive SMS like 2-step stuff from my french bank.
    After that, I think I'll just cancel it instead.

  18. Mobile carriers don't wear the fraud cost of malicious mobile number ports and SIM reissues, banks do. Mobile carriers have little incentive to improve their security procedures as a result. Banks on the other hand are looking into replacement 2FA solutions like software tokens or push message confirmations via their Mobile apps. Hopefully the mobile carriers feel some pain when the banks stop buying millions of text message deliveries from them.

  19. +François Simond considering that it may be possible to duplicate SIM card (at least some of them), and that it is possible to eavesdrop on certain SMS communications (when using weaker encryption) http://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication even if it was not possible to do what you found it might be dangerous to use SMS only. (similarly dangerous like installing malware on ones Android smartphone and then doing banking on it)

    This weakness has been also abused in practice http://security.stackexchange.com/a/86007

    "For example, in 2015 there was a series of fraudulent money transfers in Germany, where the fraudsters obtained a new SIM card under the customer's name. Similar attacks had happened before, therefore mobile phone providers had improved authentication of customers ordering new SIM cards. To circumvent this, when calling the phone provider, the fraudsters impersonated employees from a mobile phone shop, and claimed to be activating SIMs on behalf of customers"

    Therefore for security conscious people who suspect they might be targeted by the more savvy attackers, I would consider SMS authentication as broken. And rely on a really really good password used only on secure devices as the main security.

  20. +Jaromír Šír thanks for the additional context, the +Stack Exchange is worth a read.
    I think +Daniel Goller puts well the fact that if 2-factor using SMS still improves security from nothing, I should not be expected it stands a chance if the attacker targets you.

    Beside the 2-factor verification aspect, I find concerning the fact that it's so easy to steal anyone's mobile line (even if only temporarily) in France from the two biggest wireless carriers.

  21. I've had similar experiences with AT&T. It seemed to completely depend on the salesperson when I walked into the AT&T store. Most would ask for ID and verify that I was the person that was allowed, but others would just give me what I asked for. I didn't visit the store enough to be known to anyone, and this was a corporate account, which makes it even scarier!

  22. In India, where I'm from, you have to submit a form for a new SIM along with a copy of your driver's license or other government issued ID and a recent passport size photo. Also, you have to be present to submit the form and collect the new SIM. Someone else can't do it in your place without the store receiving some sort of authorization from you. Porting works just like how +Alan Pope​​ described.

    Recently when I got a new SIM at an AT&T store in the US, they asked for my ID too.

Leave a Reply