SIM Swapping – The End Of 2nd Factor Authentication?

Shimrit Tzur-David | February 24, 2020

Many online services allow, and sometimes require, users to secure their accounts with a registered mobile phone number. This is a common and trusted method for two-factor authentication (2FA), using a phone call or an SMS message to verify identity when logging in from a new device or resetting a password. This standard approach, however, is not always effective in keeping accounts secured. Hackers have clever ways of hijacking a victim’s phone number and thus accessing associated accounts. Attackers can, for example, execute a SIM swapping attack by contacting the mobile carrier, posing as the account owner and claiming to have lost their device or SIM. Once the unsuspecting customer service representative associates the number with the new fraudulent SIM, the attacker easily overtakes the account.

Using this method, even unsophisticated hackers can take control of seemingly well-protected accounts, regardless of password best practices and cybersecurity awareness of the victim.

One well-known example of this was the August 2019 breach of Twitter’s CEO Jack Dorsey’s account on his very own platform. A hacker group known as “Chuckling Squad” managed to take control of Dorsey’s phone number and use it to seize control of his Twitter account. They then continued to freely broadcast profanities to his 4 million followers. Twitter acted fast and managed to detect the breach and restore control of the account within 18 minutes, but needless to say, 18 minutes are more than enough to damage one’s reputation, let alone transfer data or funds. The ordeal served as a reminder to the cybersecurity world – everyone can fall victim to simple hacks if they’re not careful enough.


Security experts suggest two main tips to protect against SIM swaps:

Assigning PIN codes to SIM cards: Most major mobile phone companies allow customers to assign personal identification numbers (PIN) on their accounts to prevent SIM swap attacks. Anyone who tries to transfer the mobile number to a new SIM card must provide the PIN. This surely makes it harder to stage SIM swapping, but it’s not a perfect solution. Attackers have many potential ways of getting access to PIN codes and rendering this measure useless. Not to mention that users tend to forget PIN codes because they don’t use them often. And in that case they might get locked out of their own account.

Virtual and dummy phone numbers: Another popular method to prevent SIM swaps is registering accounts using a virtual phone number – a number that cannot be transferred to a SIM card. There are several services that provide online numbers to receive SMS codes. But these services have their own security flaws and are not supported by all online services, nor are they easy to use.

How to protect accounts against SIM swapping?

The above methods are more of a Band-Aid than a true solution to the simple-yet-dangerous problem of SIM swapping. Organizations that want to protect their accounts against such attacks must seek methods that eliminate SMS codes altogether, while still providing security and ease of use. This is the reason that several German banks have moved, or plan to move, away from SMS-based one-time passcodes (OTP) in order to comply with recently-enacted EU regulation.

Employees and users are usually very likely to choose convenience over security. Memorizing SIM cards PIN codes or handling virtual phone numbers will probably be too much of a hassle for most users, which is why a different solution is needed.

The best possible solution to prevent SIM swapping altogether is to replace password-based credentials that have SMS as a second factor, with multi-factor passwordless authentication. Passwordless offers a more secure method that is friction-less and easy to use, and perhaps more importantly – easy to manage by the organization. This is especially true when considering organizations that would face severe repercussions in the case of account hijacking, and must be protected better than private individuals.

As corporates worldwide move towards passwordless MFA authentication, we see a growing use of push notifications as an alternative to the SMS-based 2FA (Gartner now estimates that 50% of enterprises using mobile authentication will adopt push as a linchpin of authentication by 2020). Considered more difficult to intercept or redirect than SMS-based methods, push authentication validates login attempts by sending access requests to an associated mobile device, providing an easier and more secure authentication mechanism.

Users and companies will always face hackers trying to lay their hands on sensitive and valuable data. CISOs and IT departments shouldn’t make their job easier by outdated authentication technologies. Fortunately, with new security standards such as FIDO2, it’s easier than ever to adopt secure and easy-to-use authentication solutions across the organization. Using passwordless multi-factor authentication not only provides protection against most major account hijacking techniques, including SIM swapping, but also frees the organization from the cumbersome and never-ending challenge of managing password policies and worrying about compromised credentials.