by user5994461 3521 days ago
Because username and password is a disaster for security. Its sole purpose is to let ANY guy ANYWHERE on the planet connect to your account.

SIM cards are cryptographic hardware tokens. They are much more secure than passwords.

In fact, they do need a password as well on top of the hardware token, that's the 'PIN code' you have to enter when you (re)boot your phone.

2 comments

In practice SIM cards don't give you much physical security anyway.

I transferred my mobile phone number etc over to a new SIM card the other week and all I needed was name, address, DOB and proof of ID... of course my network didn't have any of these on file yet, so I had to first tell them these details, and then show ID to verify that I was who I had just told them that I should be. Yeah... this is the state of consumer mobile security.

None of this required physical access to the phone, I just had to log in to their website, with a username and password, and change my details.

On most networks you can steal someone's mobile number with just a few minutes of physical access and a bit of planning.

But that's the choice of the network operator. The SIM itself is still completely unique and identifiable, they just chose to allow customers to re-map SIMs on the fly.
And this is the norm all over the world. And SIMs cannot exist without the network operator. So in the end, this is the worst vulnerability of SIM cards.
SIM cards come from an era where mobile phone contracts were much less common and more expensive, and therefore cloning phones cost the providers a lot of money. I assume the security requirements for reissuing SIMs were also higher back then.
Most of the internet runs on usernames/passwords. I understand that a hardware token (with a PIN) is more secure. But is it worth the added complexity?
The SIM protects the carrier against "account sharing". It allows them to be sure that a subscriber is only using one phone at once - although it's portable between phones.

It means that carriers don't have to maintain "sessions" centrally. The SIM can authenticate you to the base station without the base station having to check back to see if you're logged in elsewhere - vital in reducing the latency of cell changes.

(It also stores various bits of technical information for SMS/MMS routing, and was intended to be a platform for "value added" applications.)

Account sharing in a telco context is a bad thing all around. Which phone would you like to ring? How do you ensure the charges really are made by (and to) the right person? How will you protect against messages with important information landing with the wrong party?

Authentication in a telco context is a good thing. The fact that the web doesn't have it enabled a large number of applications to flourish; it also made some other things devilishly hard, or even almost impossible.

Carriers do maintain sessions centrally though. These are the HLR and VLR - home location register and visitor location register. This is how "hand offs" between towers work. Handsets don't authenticate to the base station, the base station proxies those back to the MSC, mobile switching center and are looked up in the EIR - Equipment Identity Register.
Do you happen to know of a good breakdown of how mobile networks work? I'd love to know more, but it's hard to get a handle on it to get started.
Sure:

It's helpful to understand the history of mobile/wireless I think since the Telecom industry takes acronyms to an insane level. The terminology changes slightly depending on which generation of mobile is being discussed. This is a good breakdown of the evolution of mobile networks. I think it's a good starting point:

http://www1.i2r.a-star.edu.sg/~wongtc/EE5406-Network-Archite...

This is a good resource for understanding more recent and relevant mobile architecture. This has a lot more detail:

http://www.slideshare.net/abhishekshringi/gsm-architecture-1...

If you really want to learn mobile and wireless networking, this is unbeatable and very thorough, I highly recommend it, grab a used copy.

https://www.amazon.com/Wireless-Communications-Andreas-F-Mol...

If you just want the 10K view see:

http://www.telecomspace.com/gsm.html

Guess I've got some reading ahead of me. Thanks!
> It allows them to be sure that a subscriber is only using one phone at once

Only on the home network; everybody who knows your IMSI and has low-level access to the phone network can clone your identity in roaming.

There is no added complexity. Just buy a SIM card and put it in your phone. It is very simple and straightforward.

The alternatives are worse in usability AND security.

> But is it worth the added complexity?

If you don't want your account to be hacked: yes.

I'd very much argue that a hardware token is more secure, and less complex, especially with multiple devices. It's a lot easier to remember where you put your smart card than to need to get a password store somewhere shareable, to secure that, to remember to put passwords in the store, etc.