[lxgr]

I think this particular issue is specific to North America, due to peculiarities of the NANP phone number scheme (inter-provider texts are routed quite differently from voice calls, if I understand it correctly).

In other countries, the two channels are more closely coupled (but SIM swap and/or number porting attacks are still possible, depending on the provider‘s security protocols).

[tialaramex]

> due to peculiarities of the NANP phone number scheme

I suspect more like due to peculiarities of the United States of America. Such as a disinclination to regulate anything, trusting that somehow this time the most profitable course for corporations will also work out OK for its citizens even if it didn't on previous occasions.

This report lists a long chain of buck-passing companies that have exploited an obvious defect and then escaped any responsibility for the consequences. Notice how the only work they made the hacker do was legal paperwork to cover their backsides, no actual technical countermeasures. Because nobody at these companies cared if it was used this way, they only wanted to make sure if they got sued they would be able to blame somebody else and get away with it.

[closeparen]

Number portability is regulated: https://www.fcc.gov/general/wireless-local-number-portabilit....

The regulation seeks to promote competition and consumer choice. An onerous verification process would undermine that goal. Security is not a consideration.

This is sort of the point with regulation. The regulator makes the rules it thinks are best according to the considerations it thinks are important at the time. If someone later shows up with different considerations, they can go to hell.

[cabaalis]

Pretty sure a hacker would be perpetrating an actual, punishable-by-trial crime in forging those legal documents. That's generally the first regulation that the US imposes.

A disinclination to regulate anything is a good idea in a society that generally punishes bad behavior after the behavior has been perpetrated. I would have doubts for instance about government regulating the process for sending and receiving SMS - would you want every new software or protocol to have to go through some kind of bureaucratic review before it can be used?

[kevin_thibedeau]

That doesn't work well when the criminals are working from a sunny foreign beach resort.

[coliveira]

Exactly, the only thing that the US achieves is creating thieves that have a propensity to go big fast, so they can forever evade the law.

[efreak]

> would you want every new software or protocol to have to go through some kind of bureaucratic review before it can be used?

Absolutely yes if said protocol is to be used by an entire population as a basic means of communication. Either by the government or a non-profit not tied to the industry. Protocols should also not be allowed to be secret if used at scale.

I see no reason to make a distinction between computer protocols and in-person safety protocols. The threat level is different, but it covers just as many (if not more) people.

[pdpi]

A key part of regulation is placing the onus of solving problems on those best equipped to solve them.

You don’t need the government to mandate what the protocols should be, you just fine carriers for allowing this sort of bad outcome and let them sort things out.

[efreak]

This requires trusting "those best equipped" to prioritize the rules over money when the fines aren't significant enough to affect the bottom line.

[batiudrami]

SIM swaps are relatively easy in Australia, requiring only some fairly simple social engineering of staff in a phone store.

Number porting is trickier, requires a name and account number (or DOB in the case of a prepaid account) of the victim and they receive an SMS informing them their number was ported in advance.

[Mandatum]

Yeah getting thee account ID can be a pain, I've learned that the number in the UI and bill is not the identifier they want. Security by poor implementation.

[incompatible]

I couldn't even get my own number ported in Australia (to a new provider on a new SIM). The old provider said the authentication failed. I gave up pretty quickly and just went with a new number.

[pabs3]

I thought they require ID for buying SIMs in Australia, surely they also require ID for switching your number to a new SIM?

[paranoidrobot]

That requirement is there for new or ported-in services.

But when you Sim swap, it's tied to the same account. So if you can convince the minimum wage hourly wage contract employee at a franchisee that you're the account holder, no worries.

Worse, most of those stores are using generic accounts and/or passwords.

Telstra years ago had a policy along the lines that store accounts could be not tied to a specific employee, so long as the store manager/team leader rotated the passwords and kept records. in reality it's something stupidly guessable that rotates only when required and all the staff know them.

Optus effectively has the same thing - I had an issue getting a SIM established and sat with an employee for about an hour as they re-rolled the account about 10 times. By the end I knew the passwords for all the accounts in the store, plus other identifiers and numbers.