It seems like there's a dead-simple solution to simjacking that I'm not sure why we haven't done: just pass a law that to get a replacement SIM for an existing phone number, you have to show up at one of the carrier's locations in person so they can verify your identity, instead of allowing it to be requested over the phone or online. Legitimate customers will probably want to do it this way anyway, since then they'll get to use their new phone immediately instead of having to wait for the SIM in the mail.
Liable for what? Failing to provide security properties that they never offered? The blame for this situation lies with the banks, who are for the most part already legally responsible for covering the losses.
Sure, but the scales are completely different. Making a telco fully liable for the simjacking itself would result in maybe one thousand dollars of damages due to the administrative hassle, and likely much closer to the story's $80 after the usual lobbying.
I took the comment I responded to as saying that telcos should be on the hook for the banks' losses as well. The bank fraud amounts described in the article are much larger.
In some countries, such as Russia, showing up doesn't help. You can fairly easily find a corrupt shop assistant who will be happy to replace any SIM card for any number in any distant city for a not-so-big reward. The worst thing is that only this shop assistant will be liable, and in some cases for not too much, like a few years in prison. Possible gains from such criminal activity usually cover all the costs.
Or not using SMS for secure authentication, which it is neither designed for nor secure enough for. I see it used mainly because it's cheaper than more secure methods like a rolling password generator.
Also, your solution won't solve the problem completely. It's also possible to obtain the data with SS7 network attacks. Granted, this takes a telco level adversary. But telcos are a dime a dozen these days and in some cases even their home access points have been hacked for this. Like Vodafone SureSignal.
How about this? - For those who want a nice, old-fashioned bank - which can be trusted to keep your money safe - we require that the brick-and-mortar banks offer "1960 Versions" of their accounts, where this kinda crap Just Can't Happen?
This does exist. Most brick-and-mortar banks today have the option to make your bank accounts read-only from the internet. I've done this with most of my accounts. To move money around I have to walk into the bank and show ID. For higher value accounts one can even add more restrictions like requiring signature and ID from two people at the same time. Beyond that, and less related to this topic, one might also look into setting up named trust accounts for additional legal protections of one's life savings.
On a semi-related note some banks also have the option to limit your debit/credit cards to the country you reside in. If you do not see the option ask a banker what options are available to protect your accounts, cards, etc...
For financial institutions that are not local to you there are sometimes options to require that you do a video call with their team to authorize the movement or liquidation of assets/funds.
Can we consider being hacked as something like a traffic accident or injury? People are trying to make systems more secure, but if we think of the small but inevitable probability of being hacked, can we build an insurance product around it? From the provider's perspective, it is not easy to verify the insuree was indeed hacked, though.
This SIM swap crap is so stupid. How is SIM second factor authentication if you can reset your password with just your phone number? Why can't phones be yubikeys, or just allow only software OTP?
In Norway we have a 2FA provider that all banks use. They have implemented a 2FA solution that is installed on the SIM card itself and locked to that card. You also get a separate hardware key device if you want. This way they would need to hijack both your phone and your 2FA pin.
If you lose your SIM card and don’t have the hardware key you need to go to your bank and identify yourself with a valid ID.
Using regular old SMS as 2FA these days seems highly irresponsible for a company. Regular people might not know better.
Snake oil "2FA" manages to hurt both security (the phone network doesn't provide the imagined security properties) as well as usability (hassling customers to paste a numeric code), so that's not it.
This article itself is journalistic malpractice. The crime is fraud, not theft. Optus is not the party responsible for making this right, the banks that improperly debited his accounts are. By failing to explain the actual legal situation and directing focus towards a minor party, this article will cause other victims to fail at pressing the matter with their banks within the time windows for disputing fraudulent transactions.
Or maybe the point of the article is that the banks largely fixed it and returned the money, as they should've. Meanwhile, telcos drag their heels and do nothing to improve the situation (not unique to Australia). Personally, if I were in the same situation, I'd also be livid at the telco. They issued not one but two eSIMs and were useless at diagnosing the issue.
The banks fixing it most certainly was not the point of the article, as the mention of banks correcting his balances consists of two lines. It also implies he was not made whole fully, but does not explain why.
And what really are the telcos supposed to do here? Banks are attempting to use them to provide security properties they never offered, and most likely can't offer due to their group-project technical architecture. Even if telcos completely secure the SIM reissuing process, then criminal gangs just buy someone who has access to a phone switch.
Banks could very well just not implement snake oil "2FA". For example, they could ship each customer a hardware security token, and require password resets be done in person at a branch. Or they can just keep shouldering the current level of fraud as they seem perfectly content to do. The entire problem has been created by the banks, and this narrative attempting to shift blame onto telcos is counterproductive.
People trust by default, when there's no big flashing red warning sign.
People trust when there seems to be no alternative since no bank is competing on the finer points of security.
People trust when it looks like others trust, because there's safety in numbers.
People trust something more the longer they use it without it biting them.
All these heuristics can be wrong, but they're more practical than a theoretical analysis. Trying to reason about things going wrong is too much effort and can easily leave out a crucial factor.