2-step verification doesn't provide the security I expected

Today I went to the closest +Orange France​ shop in Chambéry, France to request a new SIM card, pre-cut to the nano size.

This SIM exchange was easy.
Too easy actually, and I'm coming back with serious doubts on the validity the 2-step auth or verification as we use it today.

Here's the story:

I enter the shop, a lady welcome me and ask the reason of my visit.
I'd like to request a new SIM card
The lady asked my name and my phone number
My name is François Simond, 0699XXXXXX
I'm told that it should be ready in 20 minutes, and I can wait here or run a few errands in the meantime, I choose the later
20 minutes later, I'm back and receive consequently an SMS telling my SIM card is ready.
5 minutes after, a gentleman call my name, we go sit at his desk, he confirms if it's about a new SIM
He goes to grab an envelope in another room and give it to me, announcing this is my new SIM:
When will it be activated ?
He answers "immediately" and indeed my phone just lost reception.
I thank him and leave the store, ready to get the new SIM in my phone and happy with the service.

Then I start to think a little:

– Did they really deactivated my SIM without any kind of confirmation that the owner requested to?

– Did they really gave a new SIM, with complete access to my phone line, the capability to receive and emit SMS/MMS, and unrestricted ability to send and receive internet packets that can be traced back to me… without knowing anything about who they were giving this to?

Then I thought that I felt confident before that my Google accounts were protected by the additional code generated by the app or sent by SMS as recovery, well: not anymore!
Anyone can gain access to my phone line, they just need to walk in a store, say my name, get a new SIM – disconnecting me in the process.

Bank account? Same thing!

I assumed that anyone capable of making and delivering a new SIM would do so after a careful identity check.
But apparently, it was merely wishful thinking.

Now I have questions:

1/ Does your wireless carrier give new SIM on demand to anyone walking in a store just like +Orange France​ did today?

2/ 2-step auth with SMS as recovery is a joke. Would you recommend disabling the SMS recovery? Is there a risk to be locked out that way?

And.. really.. the privacy and security implications of this simple stupid thing: ouch.
I won't dare listing the various abuses possible using the same operation as an attack.

#supercurioBlog #security #SIM #carrier


Source post on Google+