11-07-2024 08:56 AM
This perhaps deserves its own thread, but EE's security measures (or lack thereof) are truly dire. Still no 2FA to log in to your account, for example. In 2024 this is mind-bogglingly abysmal.
Today I heard that other networks are introducing a "SIM lock" facility whereby in their app you can put on a SIM lock which prevents porting your number to a new device or to another network. Sounds like a brilliant idea to me which would eliminate SIM swap fraud. Of course you just switch off the lock if you want to change phone or leave the network, and switch it back on again when you have a new phone.
Where are EE with such a feature? Presumably nowhere, since, despite their claims otherwise, their inaction over 2FA, despite YEARS of complaining about it, clearly demonstrates they do not give a toss about their customers' security.
14-07-2024 02:37 PM
I am very sorry to hear this @angryoap
Please see our Regulatory documents and codes of practice for the EE Complaints Code of Practice for help going forward.
Leanne.
15-07-2024 06:26 PM
I don't think their processes for replacement SIMs are that strict. My SIM card was hacked. If someone loses a phone with a SIM card in it, then they should wait until a new SIM card is mailed out to them. I'm not sure that happens ...
15-07-2024 06:27 PM
When your number gets hacked/ported over, then you'll understand why SMS is insecure. (And yes, this happened to me ...)
15-07-2024 06:34 PM
My apologies - seems my post was moved to a new thread. I had originally posted it in a reply to a thread about SIM swap fraud.
Anyway, one of the many disadvantages of SMS-based 2FA is here for all to see. Had EE implemented WebAuthn or passkeys, this could not have happened.
15-07-2024 07:02 PM
@RonlWeasley wrote:
Anyway, one of the many disadvantages of SMS-based 2FA is here for all to see. Had EE implemented WebAuthn or passkeys, this could not have happened.
I don't see any evidence of SMS as a delivery mechanism being inherently insecure. Delays in sending an SMS are a different issue.
15-07-2024 07:58 PM
I can give you another example from someone who posted on here before me who was also the victim of a SIM swap fraud. He was on a flight at the time the SMS was sent, so his phone was in airplane mode. By the time he landed and saw the SMS it was too late and the transfer went ahead. Can you imagine being in a foreign country and finding your phone provider has authorised a SIM swap to a scammer? If someone is not calling from the actual phone number on the account, there should automatically be at least a 24-hour wait before the PAC code is issued, or the person calling should be made to visit an EE store with ID.
15-07-2024 08:01 PM
@angryoap wrote:
I can give you another example from someone who posted on here before me who was also the victim of a SIM swap fraud. He was on a flight at the time the SMS was sent, so his phone was in airplane mode.
Again, I don't see how this is the fault of SMS as a delivery mechanism. Phones that are in flight-mode don't have an internet connection for any app-based authentication either.
15-07-2024 08:53 PM
No, they wouldn't have access to any other way of authenticating the request, which surely would result in EE not issuing the PAC code? EE should make allowances when they send an SMS that can have such a catastrophic effect on the account holder if they are not in a position to respond immediately. Not everyone is glued to their phone 24 hours a day or has access to it. To simply send an SMS to the account holder and, if they don't respond immediately, issue a PAC code to someone not in possession of the phone linked to that account is, in my opinion, grossly negligent. Through no fault of the account holder, they find themselves in a position where a scammer has taken over their identity, is trying to empty their bank accounts, take loans out in their name, etc., etc. In what circumstances can it be so urgent for someone who is not even in possession of that phone to obtain a PAC code?
18-07-2024 10:40 PM
You should read up about it.
For starters, your number can be spoofed and the code intercepted, and you are also vulnerable to man-in-the-middle attacks whereby you unwittingly key the SMS code into a hacker’s reverse proxy website. There are many other inherent flaws.
WebAuthn with e.g. a YubiKey, or alternatively passkeys, fixes these vulnerabilities completely, since the authentication credentials are not sent by the site you are logging into; they are created locally. Further, the local verifying software will not surrender the credential unless the requesting website is validated, so it eliminates MITM vulnerabilities as well.
Honestly SMS 2FA is rubbish.
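The reverse-proxy point in the post above, as an added example that is not from the original thread or from EE: a toy relying party, browser and authenticator showing why an SMS code typed into a phishing proxy is relayed and accepted, while a WebAuthn assertion is not. The domain names (ee.example, ee-login.example) are constructed, and the authenticator's signature is modelled with an HMAC shared between the toy authenticator and the relying party so that the example runs on the Python standard library alone (an assumption; a real security key uses an asymmetric signature). The origin and RP ID checks are the ones the WebAuthn ceremony performs in the browser and at the relying party.

```python
"""Toy model: a reverse proxy can relay an SMS code but not a WebAuthn assertion.

Constructed example, not EE's or any vendor's code. The asymmetric signature a real
authenticator produces is replaced by an HMAC (assumption, so this runs on stdlib only).
"""
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "ee.example"                       # constructed relying-party ID
RP_ORIGIN = "https://ee.example"           # constructed legitimate origin
PROXY_ORIGIN = "https://ee-login.example"  # constructed phishing reverse-proxy origin


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class ToyAuthenticator:
    """Stand-in for a security key: one credential per RP ID, created locally."""

    def __init__(self):
        self.credentials = {}  # rp_id -> secret (HMAC key standing in for a private key)

    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # toy "public key" handed to the relying party

    def sign(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.credentials:
            return None  # no credential for this RP ID: nothing to surrender
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
        sig = hmac.new(self.credentials[rp_id], auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get_assertion(authenticator, page_origin: str, rp_id: str, challenge: bytes):
    """What the browser does for navigator.credentials.get(): it writes the real page origin
    into clientDataJSON and refuses an RP ID that is not the page's host or a parent domain."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # RP ID not valid for this origin: ceremony aborted client-side
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    signed = authenticator.sign(rp_id, hashlib.sha256(client_data).digest())
    if signed is None:
        return None
    auth_data, sig = signed
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_assertion(assertion, stored_key: bytes, challenge: bytes) -> bool:
    """Relying-party side of the WebAuthn verification procedure (simplified)."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:  # the check a proxy at another origin cannot satisfy
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    msg = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(stored_key, msg, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def sms_otp_relay_succeeds(otp_sent_to_phone: str, otp_typed_into_proxy: str) -> bool:
    """An SMS code carries nothing about where it was typed: the proxy forwards it
    verbatim and the relying party has no way to tell."""
    return hmac.compare_digest(otp_sent_to_phone, otp_typed_into_proxy)


def demo() -> dict:
    key = ToyAuthenticator()
    stored = key.register(RP_ID)
    challenge = os.urandom(32)
    # 1. user on the real site: assertion verifies
    legit = rp_verify_assertion(browser_get_assertion(key, RP_ORIGIN, RP_ID, challenge),
                                stored, challenge)
    # 2. user on the proxy, which relays the RP's options unchanged: browser refuses (None)
    proxied = browser_get_assertion(key, PROXY_ORIGIN, RP_ID, challenge)
    # 3. proxy rewrites rp_id to its own host: authenticator has no credential, RP rejects
    rewritten = rp_verify_assertion(
        browser_get_assertion(key, PROXY_ORIGIN, "ee-login.example", challenge), stored, challenge)
    # 4. same user, SMS code (constructed value) typed into the proxy page: relayed and accepted
    sms = sms_otp_relay_succeeds("482913", "482913")
    return {"legit": legit, "proxied_assertion": proxied, "rewritten_rpid": rewritten,
            "sms_relay": sms}


if __name__ == "__main__":
    print(demo())
```

The two properties that matter are both in the data the relying party signs over: the browser, not the page, fills in `origin`, and the credential only exists for the registered RP ID, so a proxy at a different host gets either no assertion at all or one the relying party rejects. An SMS code has no such binding, which is what makes it relayable.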
19-07-2024 08:15 AM
@RonlWeasley wrote:
For starters, your number can be spoofed and the code intercepted
SMS is no more or less susceptible to interception than voice calls; routing is based on the same central network lookups.
Many of these attacks are based on malware or other device-based interception, and not network-based "hacking" which some popular misconception suggests. To the best of my knowledge, there have been no documented cases of SMS being sent to a mobile phone incorrectly.
All of this is why access to a particular SIM is crucial to unlocking access to an individual number.