In case you were still in doubt after this SIM port horror story from back in May:
- We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
- We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
- We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
- We found 17 websites on which user accounts can be compromised based on a SIM swap alone.
🔐 Do note that 2FA using an Authenticator App/Device – I use Google Authenticator – to get a TOTP still is secure. The problem with SMS is the carriers that swap your phone number to another SIM without properly verifying things.