Community

I did and what I saw wasn't that reassuring

https://community.smarty.co.uk/t5/chats-hacks/protecting-against-sim-swap-fraud/m-p/44587/highlight/...

@smartazoid What additional measures would you expect to be in place to prevent a SIM swap attack?

Well the obvious measure would be a password or PIN. I'm not referring to the password to log in to your Smarty account, obviously. I'm referring to a completely separate password/PIN (a 'SIM swap password') that we could set in our Smarty account that would only be used when trying to swap the phone number to a new SIM.

This would help prevent SIM swap attacks because even if the attacker gathered information about the user (name, DOB, address etc) they still wouldn't be able to port the number to a new SIM without knowing this additional piece of information, the SIM swap password.

As it currently stands it seems Smarty asks some questions and then goes ahead with the swap. This seems quite insecure. A SIM swap password would help make this process more secure.

Thoughts?

@smartazoid  It looks like you are asking Smarty to operate a higher level of security than most banks!

The article indicates that they will expect you to pass the basic security before they act. The next protection level is that, if you find your account suspended and did not contact Smarty for a replacement sim, you would alert them that something was wrong at that point and could prevent the port going ahead.

Are you suggesting that the perpetrators can get into your account and request a PAC somehow without you knowing? Does that not indicate that they have obtained your password? How can Smarty prevent that?

Interesting you should mention banks. One of the first search results when Googling 'what is a sim swap attack' is the NatWest 'SIM swap fraud' page and on that page, under 'Top tips to stay safe', their point No. 2 states:

Set up a PIN or password with your phone provider: ask your provider to set up a unique PIN or password on your account, needed to approve any account changes.

Which is exactly what I said. Regarding security levels, I would expect Smarty and other phone operators to have this quite basic level of security around swapping SIMs, especially given how central phones are in the security chain.

And what I'm suggesting (and Nat West mentions) is really not too difficult - it's just an entry in a database. Then, in the scenario where someone contacts Smarty trying to impersonate a user, the impersonator would need to know this SIM swap password in order to proceed. As it currently stands, it seems the impersonator would just need to gather some biographical information about their target and Smarty would allow the swap.

Until OFCOM mandate such a thing, it’s not going to happen.

My recommendation is that OFCOM mandates all UK networks implement an option at account level that locks and prevents a number being ported out when enabled. We have that with .com domains. Why not telephone numbers? Yes, if an account is compromised, the individual can disable the option and port out, but it does prevent anyone hijacking your number through phone support or should they have physical access to your device for any reason.

Hey @smartazoid,

There are really only two ways for someone to take over your SIM / number. 

1) Replacement SIM

2) Port your number out

Replacement SIM - If your services become suspended, we encourage you to reach out to us to find out the reason.

Porting Out - You require a PAC code to do this. Keep in mind that it will be sent to you via SMS. If you happen to receive one of these codes without having requested it, we encourage you to reach out to us. 

SMARTY is following the guidelines set by Ofcom.

We kindly encourage our customers to make sure their online accounts are secure, for instance, by creating strong passwords. You can also request a PAC code and get a replacement SIM through our self-service options. 

If someone is aware of your details and reaches out to our web chat team, confirming all the security questions accurately, we have to recognise them as the account holder. 

Thanks for the information.

> Replacement SIM - If your services become suspended, we encourage you to reach out to us to find out the reason.

How should a Smarty customer contact Smarty in this case? It won't be possible to log in to the Smarty account because Smarty uses SMS for 2FA, and if the service is suspended my phone wouldn't recieve the SMS code, so I wouldn't be able to log in. What is the method for contacting Smarty in this situation?

> we have to recognise them as the account holder

That seems like a problem, since attackers can gather biographical information in order to impersonate a genuine Smarty user. What steps does Smarty take to ensure that the security questions it uses would prevent an attacker in this situtation? It seems like a SIM swap password could be useful.

Hi @smartazoid

You can get in touch with SMARTY'S customer support directly via the website or through email. If your service became suspended for whatever reason, you should still have the ability to connect to Wi-Fi. 

Some details required for account verification are not personal in nature, and require access to your online account to retrieve them.

With all that said, we appreciate your feedback regarding the SIM swap password. 

@smartazoid I think the likelihood of the average user remembering what they've set as their SIM swap PIN/password when it comes to them needing to use it is minimal. If you then enable them to reset/change it through their Smarty account, you may as well just require them to be logged into their Smarty account to request a SIM swap, as at that point the SIM swap PIN/password provides no additional layer of security.

@SmartyTrousers  @smartazoid  I'm thinking that many people would simply use the same pin or password as for their accounts o that they would have more chance of remembering it.