Why YSK:
Because this scenario:
I know what some people are thinking:
My eSIM is tied to my phone, phones these days have encryption, so all I need to do is set a lockscreen password then a thief cannot access any of my data.
WRONG
At least in Android: You can just use some button combo (just look up “[Phone model] hard reset”) to get into the recovery menu and wipe all data, then reboot, and the eSIM is still there!
(Caveat to this: If you happen to have a Google account, it would force a FRP lock, and that would stop access, but most of fediverse does not like those type of online accounts, so: without a SIM PIN and without FRP locks, the eSIM is accessible to a thief)
Now the thief has your bank 2FA Codes!
TLDR: Set a pin on your SIM cards, even if it’s an eSIM (but especially if you use physical SIM cards)
(Curious: Does anyone actually use SIM PINs or do I just have a lot of paranoid regarding tech and potential hacks/exploits)
If you happen to have a Google account, it would force a FRP lock, and that would stop access, but most of fediverse does not like those type of online accounts
I’m sure the majority of the fediverse have a google account tied to their android phone.
I believe this wouldn’t be as simple on iPhone because there is no easy way to do the restore like that on the phone itself.
DFU mode could be used but you’d need to a computer to finalize the restore process and somewhere along the lines will require your Apple ID credentials. Either in iTunes/Finder or when setting up the phone after restore.
Unless the owner has relinquished their account from the phone, then this may be possible using that method.
But having a SIM lock is still an extra layer of protection against these kinds of attacks.
You know, I literally just read about this in my textbook, but I’m trying to cram the last of my classwork for finals so I glossed over it.
Thanks for the reminder, time to set up that PIN…
I’m sure I’m not alone in asking:
- How do you set a SIM PIN on a modern smartphone?
- Can it be more than four digits?
- What’s to stop it being brute forced?
SIM PINs are 4-8 digits
The SIM Chip itself is supposed to limit entry attempts to 3, idk if anyone managed to bypass it
After that, it required a PUK Code, 8 digits I believe. Its sometimes found on the big plastic card thing (its like the size of a credit card, and you pop off a physical sim from it). 10 Attempts.
I think the carrier also has it.
So an attacker needs to either:
- Guess the SIM PIN in 3 tries
- Somehow hack the chip to bypass the limits
- (a) Obtain the plastic card thing or (b) Social engineering to get customer support to provide PUK (I mean if they can manage to trick customer support, they could probably just get a new eSIM (which is immediately issued to their phone through the internet) anyways
or - Somehow guess a 8 digit code in 10 tries
The thing is, I as a kid/teen messed with tech stuff a lot (got my parents SIM cards locked a few times 👀, they got so mad at me lol) and I found that sometimes I can reboot a phone and the 10 attempts on the PUK code would reset… idk how, maybe the SIM card had issues… or maybe it’s a T-Mobile issue.
-
On android, the setting is in Settings>Security>More Security
-
Yes
-
The fact that it can only be attempted three times, after which a much longer PUK code you from your service provider must be used to restore funtionality to the SIM. It also has limited attempts, after which the SIM is locked forever.
Not sure how that works cryptographically, or how robust a physical SIM is against tampering.
The eSIM uses the TPM / SE chip and the physical SIM uses smartcards running Java applets. The SIM type smart cards generally make use of tamper resistant circuits and are set to not allow key extraction, similar to the TPM.
It’s not undefeatable, but both require really expensive hardware and you can only target devices you physically have in your hand so it’s not worth the investment. If you’re law enforcement you don’t even care about unlocking the SIM, you’re just going to the carrier directly instead. If you’re not using that equipment for stealing hardware wallets from rich cryptocurrency owners, you don’t have a chance of return of investment. Also it will fail a lot (destroy the chip)
-
I’ve never used a sim pin in my life. If my phone is stolen I’m more concerned about them getting the data on the device than using my phone number for nefarious things. A hacker would need to know I use X bank, know my password, and then have stolen my phone and used that combination of things to hack my bank account.
Also I’m going to transfer the sim to whatever new phone I get as soon as I get it. So once I know it’s stolen and I’m not getting it back I’m going to transfer it and they lose that access.
but most of fediverse does not like those type of online accounts,
Most of the habitual posters maybe. Most actual users are more normal.
I’ve always used a PIN.
I did not know eSIM is stored outside the normal data partition and survuves factory resets. That doesn’t feel right.
Edit: huh, my eSIM had a default pin set which I had to provide to set one.
The setting is in Security, not SIM card info.
I did not know eSIM is stored outside the normal data partition and survuves factory resets.
Your phones OS knows nothing about the eSIM. On older devices it was entirely a separate component living in it’s own little world. Now it’s integrated into the CPU, still entirely separate from your OS.
That doesn’t feel right.
If someone resets it they don’t want to lose their cell connection. When you’ve lost your sim and need to get it reactivated without that form of authentication it’s a HUGE pain in the ass, and going to a store is the easiest way. I don’t want to drive to a store because I wanted to start fresh on my phone. A factory reset doesn’t wipe your physical sim.
Cool but apparently I need a pass key I don’t have to turn it on…
search “[Carrier Name] default SIM PIN”
if you get it wrong twice, then just forget about it (max 3 attempts), I mean just be careful and don’t let your phone get stolen lol
(Or if you have the PUK (its on the back of the plastic card that comes with your SIM Card (for physical SIMs)) you can just get it wrong 3 times then use the PUK to reset the PIN)
Wait, you have a SIM/eSIM? You bank through your phone?
Well there’s your two main problems right there, separate your banking from your mobile device altogether.
All bank accounts require a phone number. VOIP numbers does not work.
Online banking through a computer requires a phone number for them to send a 2fa code to before letting you log in. (Phone number 2fa is the only 2FA option, and even if not, its often used as a recovery option to whatever other 2fa method there is, effectively making the phone number the weakest link)
But I guess if you don’t like that, you could tell them to disable online banking and avoid using electronics for banking, but then you’d have to either go to the bank every week and wait in an annoying line to verify you’re getting paid and that the amount is correct (cuz you can’t trust employers)
(Or use the sketchy ATM machine that could have card skimmers and fake PIN pads, can sometimes be much more dangerous than online banking IMO)
(Also some people need online banking like my parent have a small bussiness and my mom has to do a bunch of bank transfers every month through online banking…)
My bank does not use a phone number for 2FA… Its handled by their app.
The phone number is now relegated to other personal information you might use to verify who you are… Like address, date of birth, or other security questions like mother’s maiden name
That feels worse…
At least you can change a phone number
How do you change your personal info? Its permanent and unchanging… One databreach and you’re fucked
Idk if I could live life not using ATMs.
Yes, they might have card skimmers, but I would trust the ATMs that’s inside the bank branch would be free of those, as a lot more eyes are on those machines, even cctvs, and any suspicion would immediately get staff’s attention. I would always do the prying test on new ATMs I encounter, if it does anything, and once I’m satisfied with it, I just look for any changes the next time I use it.
Lol my mom taught me to never trust ATM machines and always go inside the branch.
Also for gas stations, never pay at the pump, always go inside to pay…
That’s always been my preference, just go to the bank in person…
