Forum Discussion
What steps does Smarty take to prevent a sim swap attack?
smartazoid It looks like you are asking Smarty to operate a higher level of security than most banks!
The article indicates that they will expect you to pass the basic security before they act. The next protection level is that, if you find your account suspended and did not contact Smarty for a replacement sim, you would alert them that something was wrong at that point and could prevent the port going ahead.
Are you suggesting that the perpetrators can get into your account and request a PAC somehow without you knowing? Does that not indicate that they have obtained your password? How can Smarty prevent that?
Interesting you should mention banks. One of the first search results when Googling 'what is a sim swap attack' is the NatWest 'SIM swap fraud' page and on that page, under 'Top tips to stay safe', their point No. 2 states:
> Set up a PIN or password with your phone provider: ask your provider to set up a unique PIN or password on your account, needed to approve any account changes.
Which is exactly what I said. Regarding security levels, I would expect Smarty and other phone operators to have this quite basic level of security around swapping SIMs, especially given how central phones are in the security chain.
And what I'm suggesting (and NatWest mentions) is really not too difficult - it's just an entry in a database. Then, in the scenario where someone contacts Smarty trying to impersonate a user, the impersonator would need to know this SIM swap password in order to proceed. As it currently stands, it seems the impersonator would just need to gather some biographical information about their target and Smarty would allow the swap.
- Linsey 17-03-2025 SMARTY Moderator
Hey smartazoid,
There are really only two ways for someone to take over your SIM / number.
1) Replacement SIM
2) Port your number out
Replacement SIM - If your services become suspended, we encourage you to reach out to us to find out the reason.
Porting Out - You require a PAC code to do this. Keep in mind that it will be sent to you via SMS. If you happen to receive one of these codes without having requested it, we encourage you to reach out to us.
SMARTY is following the guidelines set by Ofcom.
We kindly encourage our customers to make sure their online accounts are secure, for instance, by creating strong passwords. You can also request a PAC code and get a replacement SIM through our self-service options.
If someone is aware of your details and reaches out to our web chat team, confirming all the security questions accurately, we have to recognise them as the account holder.
- smartazoid 17-03-2025 SMARTY Maverick
Thanks for the information.
> Replacement SIM - If your services become suspended, we encourage you to reach out to us to find out the reason.
How should a Smarty customer contact Smarty in this case? It won't be possible to log in to the Smarty account because Smarty uses SMS for 2FA, and if the service is suspended my phone wouldn't receive the SMS code, so I wouldn't be able to log in. What is the method for contacting Smarty in this situation?
> we have to recognise them as the account holder
That seems like a problem, since attackers can gather biographical information in order to impersonate a genuine Smarty user. What steps does Smarty take to ensure that the security questions it uses would prevent an attacker in this situation? It seems like a SIM swap password could be useful.
- Linsey 17-03-2025 SMARTY Moderator
Hi smartazoid
You can get in touch with SMARTY's customer support directly via the website or through email. If your service became suspended for whatever reason, you should still have the ability to connect to Wi-Fi.
Some details required for account verification are not personal in nature, and require access to your online account to retrieve them.
With all that said, we appreciate your feedback regarding the SIM swap password.
- WelshPaul 17-03-2025 SMARTY Centurion
Until OFCOM mandate such a thing, it’s not going to happen.
My recommendation is that OFCOM mandates all UK networks implement an option at account level that locks and prevents a number being ported out when enabled. We have that with .com domains. Why not telephone numbers? Yes, if an account is compromised, the individual can disable the option and port out, but it does prevent anyone hijacking your number through phone support or should they have physical access to your device for any reason.