Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It seems like there's a dead-simple solution to simjacking that I'm not sure why we haven't done: just pass a law that to get a replacement SIM for an existing phone number, you have to show up at one of the carrier's locations in person so they can verify your identity, instead of allowing it to be requested over the phone or online. Legitimate customers will probably want to do it this way anyway, since then they'll get to use their new phone immediately instead of having to wait for the SIM in the mail.


Instead of dictating the solution, let’s just make the network operators liable and let them figure it out.


Does this happen enough to be sure it would be cheaper for them to fix it than to just pay a settlement every time it happens?


That’s up to the lawmakers and the courts. It’s literally in their power to decide the consequences.


Liable for what? Failing to provide security properties that they never offered? The blame for this situation lies with the banks, who are for the most part already legally responsible for covering the losses.


Simjacking is bad even if it doesn't let your bank account get compromised.


Sure, but the scales are completely different. Making a telco fully liable for the simjacking itself would result in maybe one thousand dollars of damages due to the administrative hassle, and likely much closer to the story's $80 after the usual lobbying.

I took the comment I responded to as saying that telcos should be on the hook for the banks' losses as well. The bank fraud amounts described in the article are much larger.


In some countries such as Russia showing up doesn’t help. You can just find a corrupted shop assistant fairly easily. Who will be happy to replace any SIM card for any number in any distant city for not so big award. The worst thing — only this shop assistant will be liable and in some cases for not too much, like a few years in prison. Possible gains from such criminal activity usually cover all the costs.


Or, not using sms for secure authentication which it's not designed nor secure enough . I see it used mainly because it's cheaper than more secure methods like a rolling password generator.

Also, your solution won't solve the problem completely. It's also possible to obtain the data with SS7 network attacks. Granted, this takes a telco level adversary. But telcos are a dime a dozen these days and in some cases even their home access points have been hacked for this. Like Vodafone SureSignal.


We could pass another law that simply makes crime illegal.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: