An academic study published by Princeton University found that five major U.S. prepaid wireless carriers are extremely vulnerable to SIM swapping attacks. In a SIM swap, the attacker calls the mobile service provider and persuades an employee to move the victim's phone number to a SIM card the attacker controls. The attacker can then reset passwords and access sensitive online accounts, such as email inboxes, online banking portals, and even cryptocurrency trading systems.
Last year, researchers at the university spent a lot of time testing five major U.S. telecommunications carriers to see whether they could deceive call center employees into moving a user's phone number to another SIM card without providing proper credentials.
The research team noted that AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless all used vulnerable procedures in their customer support centers, which allowed attackers to carry out SIM swapping attacks. The team also analyzed 140 online services and websites and found 17 of them to be vulnerable.
When the results of the study were published, the team had already notified the affected parties. After reviewing the research, T-Mobile decided to discontinue the use of call logs for customer authentication. Unfortunately, four operators are still using vulnerable authentication processes.