Community

@JP_15928  Just wondering if this could compromise security. Currently, when you report a sim as lost or stolen then the count is suspended until you activate the replacement.

What would stop anybody who managed to access an account from getting the replacement without it going directly to the original customer?

@MSF I work in cyber security so I think I'm in a good position to talk about this from a security standpoint!

That is definitely a valid concern, but I would argue that if an attacker manages to gain access to your Smarty account in order to perform a fraudulent sim swap, this would mean they likely bypassed the 2FA (text/email code), which means they either have access to your sim in some way, or your email account, and at that point you likely have bigger things to worry about.

However, this can likely be mitigated by adding a delay of a few hours, in which during this time the original sim is sent a text message, including the email on the account, that a sim transfer is taking place, and allows the user an option to cancel the transfer and secure their account, after which the original sim is temporarily disabled to prevent use.

Another solution could also be to limit the backup sim cards that a transfer can take place in, for example by only allowing inactive/backup sims sent to the original address listed on the account to be used as transfer candidates, and refusing transfers of inactive sims from different addresses or acquired through different means.

And since many providers offer this option (such as Giffgaff), it is very likely they've criticised this from a security standpoint already and have implemented measures to prevent abuse of this (I believe Giffgaff limits sim transfers during certain hours, in which the primary sim holder may be away such as asleep so that they can be immediately made aware that a sim transfer is taking place).

Nice idea @JP_15928. 

Would the most common / likely way of losing a SIM be the loss / theft or your handset? 

If the majority of lost SIM cases happen via handset loss, would a backup handset need to accompany the backup SIM?

Not sure any of the UK operators would relish the management issues associated with giving customers a backup SIM card. After all, SMARTY currently disconnect the SIM after 6-months of inactivity, typically due to plan being paused - once disconnected / deactivated, re-activation of given SIM is not an option. 

Perhaps once eSIM plans are ubiquitous, having a backup SIM won't be necessary. 

@JP_15928  Yes, I take your point.

One thing I would mention though; if you do not actually sign out of your account, then you do not seem to need two factor verification to get back in. On the web page, I am not asked for any detail if I have not actually signed out - rarely use the app, so not sure if it is similar.

Your web browser session should be timed-out eventually, after a period of inactivity, @MSF.

Not sure how long the period of inactivity would be though. If not, a bad-actor might be able to use that as a vector to your SMARTY account.

@Chalkychap It times out after about half an hour of inactivity on forum, but I do not need passwords etc to log back in - I can simply click on the 'sign in again' notification or the blue icon at top right hand side. From the forum page, I can go straight  to smarty.co.uk and thence to my dashboard without any sign in.

One of the oddities it seems. I also find that the edit function does not work for me as I use Safari browser. If I change to Chrome, it does work.

Okay @MSF, sounds like you've told the Safari browser to remember your SMARTY password (on one or more devices). 

@Chalkychap and yet, every so often, I need to sign in again and it does not remember my email or password.

@Chalkychap Once eSims are introduced and widespread, a lot of this won't really matter anymore, but it seems it's still in it's early stages and phone manufacturers, countries, standards and providers aren't in a rush to implement them, so for now we're stuck with the boring physical sim and the annoyances it brings (unless you have both a handset which supports eSims and a provider which also supports them, which the list of isn't very large right now).

Thanks @JP_15928. It's my understanding EE, O2, Three UK, and Vodafone all offer eSIM plans, subject to the consumer owning an eSIM capable device.

Perhaps, MVNO eSIM support - in the UK - isn't as widespread.