Friend simjacked - please remove SMS authentication, it's incredibly insecure

A friend of mine just got simjacked, his email and his Monzo account hacked. He managed to stop it after some money had been transferred out.

If they had managed to get hold of his Curve login (which only uses SMS as 2FA), they would have had access to all his cards.

Curve, please for the love of all that is good and pure, remove SMS as an authentication method and put something more secure in place!

7 Likes

I totally agree with this. SMS should never be used as a form of 2FA (two-factor authentication) because of the ease with which mobile numbers can be moved to a SIM card possessed by a fraudster.

Another problem with SMS for 2FA with UK mobile numbers in particular is that UK mobile networks, unlike mobile networks in many other countries, issue SIM cards with the SIM PIN disabled, which doesn’t encourage users to change the SIM PIN to a PIN of their choice. Therefore if the SIM is stolen (usually while inside a device), then the SIM can be used by the thief to receive SMS as a form of 2FA.

5 Likes

Hey @NFH and @dinosm, thanks for your feedback about authentication and security in the Curve app. I hope your friend is okay and wasn’t too rattled by the experience @dinosm!

Thanks @Curve_Joel , hopefully Curve will listen.

My friend is alright, he caught it as they tried to get into his bank account (some of those fintechs also rely on SMS way too much).

1 Like

If you Google “SMS 2FA”, then the top results are all very negative, not positive, about using SMS for 2FA:

https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html

2 Likes

The idea behind it (enhanced security) is good, in the sense that it's better than nothing or close to nothing, as people using a browser on a computer are less secure than with an app in your possession on your mobile.

It’s better than nothing, but I don’t think it’s a great form of security. Although Google’s Android can read the SMS, which is a quite good security measure for what it is, so maybe something like that, where you need to enter your unlock PIN, would work well.

2 Likes

Nobody is questioning that it’s better than nothing. However, if a financial institution is to implement 2FA, then SMS is a very poor way of doing so. There are several better ways, for example push notification to an app.

3 Likes

They had in-app 3DS verification at first which worked perfectly fine as far as I know, then for some reason Curve decided to reduce security by moving to SMS. Completely insane.

As proven again and again security is not Curve’s top priority.

4 Likes

You can still use it - when the 3DS prompt shows up during an online payment :credit_card:, just hit the link “Send to my Curve app” :calling:, where you can then confirm the transaction :white_check_mark: instead of having to enter the 6-digit code from the SMS. :black_nib: I use it all the time… :+1:

Truth is, it was the opposite way round :upside_down_face: in the past - the Curve app prompt was the primary method for 3DS, with SMS as the backup method (via a link in the 3DS screen). I think Curve switched it because many users were complaining :face_with_symbols_over_mouth: and having issues :triumph: with app prompts (not me at all). :man_shrugging:

2 Likes

Exactly, and I think integration of 2FA shouldn’t be that hard, OR at least give the users the option to choose between the three: SMS, 2FA, 3DS. @Curve_Joel

2 Likes

Having multiple options for 2FA based on our previous options is a great idea @Robka7. I have taken this feedback on board to pass to the product team.

4 Likes

That’s all we ask as a community :joy:, especially as investors, hoping to improve the quality of the product, especially from the people that use the product, to provide an overall better profit and service for all new users :pray:t3:

5 Likes

Just making a (rare) post to stay updated on this. Absolutely ridiculous that Curve aren’t using a stronger form of TFA at such a mature product stage. This should be high priority - and, relatively speaking, it wouldn’t take too long to implement.

2 Likes

I will disagree on that one. SMS 2FA should not even be offered as an option. You have a lovely app, which can produce notifications for payments, and TOTP could be used as 2FA for logging on to the app itself.

Unfortunately the problem is not solved if you offer more secure 2FA options but keep the insecure one on offer as well, because most people (who are not cybersec-literate) will of course choose the easiest one.

EDIT: Just to give an update on how easy it is to get simjacked, my friend found out the scammer went to an EE store (his mobile network) with a fake driver’s licence in my friend’s name, and got the employee there to give the scammer a new SIM for my friend’s number. That simple.
I don’t have more details at the moment - I know EE do allow a password to be set on accounts for phone support, but not sure if they ask for that password for in-store actions.

1 Like

Well, that could be argued as only applicable to the U.K., as someone mentioned earlier, and from my personal experience, in Europe virtually all network providers, when they provide you with a SIM, always give you a PIN that you must enter upon receiving the SIM.
The beauty of being in the U.K. is that now, however unfortunate the event (and my sympathies go out to the person this happened to), it will allow the police to view footage from the store and have an actual picture of the person, so hopefully if he or she attempts such a scam in the future they would be able to locate him/her.
Also, another thing about the U.K. is that pretty much everything is insured, so generally speaking, again as unfortunate as the event is, likely all of the person’s financial difficulties faced from this event will be reimbursed. It’s mostly sad that the U.K. providers do not provide a slightly higher level of security on their SIMs, because I’m honestly shocked how easily your friend has been simjacked.

Maybe some of my points won’t be correct, or maybe you know more than me in this regard, but do let me know if you disagree; I would love to hear what you have to say. Hopefully @Curve_Joel will be watching our discussion and note it down :eyes::joy:

That would help if your phone was stolen while switched off, or if your SIM card was stolen by itself, but not in the case of simjacking, as the new SIM the scammer gets from the store has a new PIN, and the PIN comes with the SIM (it’s printed in the SIM documentation).

While that’s certainly a consolation and good insurance is always recommended, it’s much more preferable to educate people and companies about how to keep their digital lives secure in the first place, to avoid having to think about claiming on any insurance :wink:

Plus, I am not sure what, if any, insurance would cover this. Mobile phone insurance usually covers unauthorised calls, but that’s only if your phone is actually stolen. I am not aware of any insurance that would pay me back my bank balance if stolen in a simjacking case - although, and this is very much to the point of this thread, there is a strong case to make against banks who only offer weak security like SMS; if you can show the bank or financial institution is liable for the loss precisely because of the weak security they offer, then they will have to refund you, so I guess there’s that.

That would be my first port of call, hopefully this is under way.

It’s not just the UK providers, look at the classic vishing video on YouTube, US and other countries’ networks are just as bad.

No, a SIM PIN helps if the SIM is stolen in all circumstances:

  • If the phone is switched on, then the SIM can’t be used without entering the phone PIN or using biometric authentication. If the SIM is removed from the phone, then its PIN is required.
  • If the phone is switched off, then the SIM can’t be used without entering the SIM PIN.

UK mobile networks are negligent to issue SIM cards with the SIM PIN disabled.

Yes, that’s what I said, perhaps I wasn’t as clear as I would have liked. A SIM PIN helps if your SIM is physically stolen. However, nowadays I would argue even that is not necessary. As you say:

So in this case (the most usual case), a SIM PIN is unnecessary.

That is indeed a case where a SIM PIN would help, however realistically, with most people’s phones, SMS messages will show content on screen even when the phone is locked, so no need to remove the SIM if you want to intercept messages on a phone you stole.

A SIM PIN would indeed help with that - but how many stolen phones are actually switched off?

However, my overarching point was that a SIM PIN has no bearing on simjacking. When you get a new SIM (whether legally or through a scam), the new SIM comes with a new PIN printed on the documentation that comes with the new SIM (which is given to the scammer that gets the new SIM), so a SIM PIN does nothing to help with simjacking.

1 Like

Thanks for this great discussion everyone, it’s exactly this sort of constructive feedback that I’m looking for in the Community!

I’ll be directing our information-security and product teams to this topic so that they can read this thread for themselves. To create a better driving force behind alternative ideas for authentication, I’d recommend writing your ideal solution in our “ideas” section. By using the vote button, we can much better gauge the demand for a feature/ product change which helps to make a case for changes to the relevant teams.

2 Likes

Hi @Curve_Joel,

Please refer the relevant teams to the topic below as well; similar concerns to the ones in this topic were already expressed when Curve announced the change to the way you log in (from email to SMS) in July 2021. Thank you.

https://community.curve.com/t/we-re-changing-how-you-log-into-curve/30651/94?u=poeliev

1 Like