I used to work tech support for cell phone providers, and while we were trained about fraud, the nature of the industry low wages, high turnover, makes this a security flaw that financial institutions should not risk.
How is SMS a security risk? As far as I know, SMS is closely tied to a person's identity, especially 'know your customer' regulations. I'm curious how it's a security risk; as far as I know they have to be unique, which is good
Wait. Isn't it painfully obvious when you've been simjacked? If your phone suddenly loses signal and refuses to register with the network, you know something is up. You may think it was a malfunction of your phone or your network, but it's pretty much a definition of a modern-day "drop everything you're doing and deal with it" emergency. You can't not be aware of it, or be unsure if it happened to you.
You very much can not be aware of it. Consider what happens when you're simswapped at 2 am. Are you going to notice that? Probably not. And maybe not after you get up and check your phone. Because your phone may be connected to the internet via your home wifi and you don't even notice your phone has no bars and no service because you're still able to browse the web and check email.
But if the attacker already has your info, then couldn't they just add another line to your mobile plan, so your handset continues working, just with a new, unbeknownst to you phone number? That way it wouldn't be noticable on the handset.
The real question is how long do you think it would take you to break into your own Gmail account after the passwords been changed and the attached phone numbers also been changed?
Probably longer than it would take an attacker to drain bank accounts, I figure.
By the time you notice and can react it's too late. There have also been many prominent examples of people who got their cryptocurrency exchange accounts broken into with SIM hijacking which was conducted while the victim was asleep.
Do you live in the US? You don't need an ID to get a phone number here so SMS is not necessarily tied to your identity and it has nothing to do with KYC.
Moreover, you don't want it to be tied to your identity. The fact that anyone can pretend to be you and hijack your phone number is exactly what makes it insecure.
Anyone can walk into a T-Mobile store with a fake driving license with your name on it and claim they need help moving their phone number to their new phone. This is of course your number. They will then receive all of your SMS messages.
Or, you know, they can just bribe the store employees. Has happened before, still happens, will keep happening as long as a phone number is considered important for anything at all.
I used to work tech support for cell phone providers, and while we were trained about fraud, the nature of the industry low wages, high turnover, makes this a security flaw that financial institutions should not risk.