Many banks and corporate IT systems force users to use SMS one-time passwords to secure their accounts, but these can be easily bypassed for most users.
Imagine a trip to the gym or swimming pool. Before heading out to your activity, you lock your valuables in a locker, so your phone and wallet are together. Given that banking providers often send SMS text messages to your phone to approve suspicious transactions, anyone who could break into that locker and get hold of your cards and phone (bypassing your phone's PIN) could also bypass the security measures around suspicious transactions.
Such was the fate of Charlotte Morgan, who reported in a Twitter thread that a thief bypassed the lock on her gym locker and the security of her phone to steal money from her bank account and go on a £5,000 shopping spree. Charlotte noted that all of her PINs, passcodes, and passwords were different.
It's often claimed in security circles that "physical access is game over" because of the tremendous power an attacker has once they control your device, but in reality there are concrete steps individuals can take to protect themselves from becoming a victim of such attacks.
Many personal and corporate accounts use SMS text messages to deliver one-time passwords as an additional layer of security before someone logs into an online account, speaks to an account manager (e.g. via telephone banking), or even logs into a mobile banking app (modern banking apps even display your card PIN in the app UI itself).
While SMS one-time passwords aren't ideal (if someone is able to intercept the message, they get the code), the alternative is to use two-factor authentication (2FA) apps or hardware tokens, which many providers don't offer as the default in order to reduce user friction.
You may be thinking that someone's biometrics (fingerprint or facial recognition) or phone PIN prevent a malicious actor from gaining access to their text messages. In practice, security measures on a user's device usually focus on ensuring that the software running on the phone is up to date and free from malware that could steal data. I personally use apps like iVerify to stay on top of my mobile security; however, when it comes to SMS one-time passwords, these measures can be easily circumvented for most users.
By simply removing the SIM card from a phone and inserting it into another phone, someone can receive any SMS 2FA messages sent to that phone number without having to unlock the original phone at all: the second phone simply takes over the phone number of the first.
For those of you reading this who are in a position to give security advice within your organisation, there are steps you can take to protect yourself and your business. Simply activating a PIN lock on your SIM card prevents third parties from using that SIM in another device without first entering the code (or obtaining a bypass code, known as a PUK code, from the network provider). The code is also requested when the phone restarts and needs to reconnect to your mobile network provider.
An iPhone user can access this feature by navigating to Settings > Cellular Data > SIM PIN to enable the SIM PIN and change it. On Android, it can be found under Settings > Security > Set up SIM card lock.
As mobile devices move towards eSIMs instead of physical SIM cards, this is also likely to become less of a problem in the future. Since the Apple iPhone 14 now uses eSIMs exclusively in the US, there is no physical SIM card to transfer to another device. However, it is still possible to set a SIM PIN on an eSIM, and doing so adds an extra layer of security, especially if your phone allows reading text messages or taking calls while locked.
While many of us in cybersecurity understand the pitfalls of sending one-time passwords via SMS, the reality is that with many providers we have no choice but to use them. It is therefore best to protect yourself as far as possible in these circumstances. SIM PINs are an important measure to help with this, especially while we still rely on physical SIM cards.
Junade Ali is an experienced technologist with interests in software engineering management, computer security research and distributed systems.