My understanding is that you don't even need to do a SIM swap, because the SS7 signaling system is insecure. SIM Swap is likely the easiest way as wage-slave employees are quite pliable to bribes[0]. But if you want to be even more anonymous, you can apparently re-route texts remotely [1].
Yep, the security problems with the mobile system are ghastly.
- Stingrays...
- Operator app pushes to SIM cards...
- Secret GSM processors and software internals
- Voice / text / data "ciphering"
- Protocol-level "emergency" tracking features
- Silent SMS (sounds like it's from a bad cop show, but it's actually a real thing it turns out.) "They do not show up on a display, nor trigger any acoustical signal when received. Their primary purpose was to deliver special services of the network operator to any cell phone." -- sounds like it has a completely legit use...
The list goes on. It's enough to make anyone want to get the tin foil out. But at least in this case there's a simple and clear recommendation: --not to use 2-factor auth by SIM--.
The original purpose of silent SMS was to send voicemail or missed call notifications to handsets, which would trigger an icon to be displayed on the device. Sending a regular SMS would be annoying as the user would have to delete it - after you've listened to your voicemail, another silent SMS can be sent to turn off the notification. Also, originally SMS was stored in the SIM itself, which had limited memory, so it would not be very convenient if you didn't receive a voicemail message because your SIM was full. Remember this is a 28 year old feature of GSM.
The tracking argument seems somewhat moot; maybe when this first came to light 10 years ago it wasn't the case, but nowadays I would be very surprised if operators do not keep detailed logs of all the IMEI (unique identifier for a given device) and IMSI (same, but for the SIM) that connect to their towers.
The SIM Swap would seem to be a bit more accessible to the average fraudster. Hacking SS7 apparently requires setting up a "hub" and obtaining a carrier license from a lax country. That is, until we get to the bit about "illicit merchants offering ‘Connection-as-a-Service’ to such hubs."
Carrier license sounds much more involved than what it is. It's not uncommon to sell full SS7 access to companies that are not operators in the regular sense.
If people knew how telecom (and the internet) was held together with bubblegum and duct tape...
There have been multiple proposed fixes and replacements for SS7; to the best of my knowledge none of them are going anywhere. And even if one were pushed hard, it would have to be a global thing.
More than that, it's the amount of work and cost. The average consumer doesn't care about it, so why fix something that's not broken? People won't pay more for it.
I am pretty sure this is how they got Bezos' texts. All you need to do is register a CLEC and then you can get your official hookup to SS7. My experience isn't with messaging but I'd imagine if you bid* to deliver messages to a certain area much lower than other carriers, you can target people.
* Bidding doesn't happen in real time, but you can tell carriers your "rates" so to speak.
In the future, the term SIM Swap will likely be replaced with something like "SIM identity theft" so that banks and telecoms are not liable. Then we can all buy SIM identity protection.
0: https://www.nbcbayarea.com/news/local/mans-1m-life-savings-s...
1: https://www.kaspersky.com/blog/ss7-hacked/25529/
I thought both these vectors were already common knowledge to HN readers.