Today I went to the closest shop in Chambéry, France to request a new SIM card, pre-cut to the nano size.
This SIM exchange was easy.
Too easy actually, and I'm coming back with serious doubts about the validity of 2-step auth or verification as we use it today.
Here's the story:
I enter the shop, a lady welcomes me and asks the reason for my visit.
"I'd like to request a new SIM card."
The lady asks for my name and my phone number.
"My name is François Simond, 0699XXXXXX."
I'm told that it should be ready in 20 minutes, and I can wait here or run a few errands in the meantime; I choose the latter.
20 minutes later, I'm back and receive an SMS telling me my SIM card is ready.
5 minutes after, a gentleman calls my name, we go sit at his desk, and he confirms that it's about a new SIM.
He goes to grab an envelope from another room and gives it to me, announcing this is my new SIM:
"When will it be activated?"
He answers "immediately", and indeed my phone has just lost reception.
I thank him and leave the store, ready to put the new SIM in my phone and happy with the service.
Then I start to think a little:
– Did they really deactivate my SIM without any kind of confirmation that the owner requested it?
– Did they really give out a new SIM, with complete access to my phone line, the capability to receive and send SMS/MMS, and unrestricted ability to send and receive internet packets that can be traced back to me… without knowing anything about who they were giving it to?
Then I thought about how confident I had felt before that my Google accounts were protected by the additional code generated by the app or sent by SMS as recovery. Well: not anymore!
Anyone can gain access to my phone line: they just need to walk into a store, say my name and get a new SIM – disconnecting me in the process.
Bank account? Same thing!
I assumed that anyone capable of making and delivering a new SIM would do so after a careful identity check.
But apparently, it was merely wishful thinking.
Now I have questions:
1/ Does your wireless carrier give out a new SIM on demand to anyone walking into a store, just like mine did today?
2/ 2-step auth with SMS as recovery is a joke. Would you recommend disabling the SMS recovery? Is there a risk of being locked out that way?
And... really... the privacy and security implications of this simple, stupid thing: ouch.
I won't dare list the various abuses possible using the same operation as an attack.