
Doesn't every login form on the web also protect the respective operator from the subscriber? Why can't a "software SIM" simply be a username and a password?

My explanation is that it's difficult to change something that literally the entire world uses.




Because username and password is a disaster for security. Its sole purpose is to let ANY guy ANYwhere on the planet connect to your account.

SIM cards are cryptographic hardware tokens. They are much more secure than passwords.

In fact, they do need a password as well on top of the hardware token, that's the 'PIN code' you have to enter when you (re)boot your phone.


In practice SIM cards don't give you much physical security anyway.

I transferred my mobile phone number etc. over to a new SIM card the other week and all I needed was name, address, DOB and proof of ID... of course my network didn't have any of these on file yet, so I had to first tell them these details, and then show ID to verify that I was who I had just told them that I should be. Yeah... this is the state of consumer mobile security.

None of this required physical access to the phone, I just had to login to their website, with a username and password, and change my details.

On most networks you can steal someone's mobile number with just a few minutes of physical access and a bit of planning.


But that's the choice of the network operator. The SIM itself is still completely unique and identifiable, they just chose to allow customers to re-map SIMs on the fly.


And this is the norm all over the world. And SIMs cannot exist without the network operator. So in the end, this is the worst vulnerability of SIM cards.


SIM cards come from an era where mobile phone contracts were much less common and more expensive, and therefore cloning phones cost the providers a lot of money. I assume the security requirements for reissuing SIMs were also higher back then.


Most of the internet runs on usernames/passwords. I understand that a hardware token (with a PIN) is more secure. But is it worth the added complexity?


The SIM protects the carrier against "account sharing". It allows them to be sure that a subscriber is only using one phone at once - although it's portable between phones.

It means that carriers don't have to maintain "sessions" centrally. The SIM can authenticate you to the base station without the base station having to check back to see if you're logged in elsewhere - vital in reducing the latency of cell changes.

(It also stores various bits of technical information for SMS/MMS routing, and was intended to be a platform for "value added" applications.)
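To make the "cryptographic hardware token" point concrete, here is an added example (not from the thread) that models the SIM challenge-response flow: the network issues a one-shot random challenge, the SIM answers with a function of its secret Ki, which never leaves the card, and the network checks the answer against its own copy of Ki. HMAC-SHA256 stands in for the operator's A3 algorithm, and the IMSI and Ki are constructed sample values.

```python
import hashlib
import hmac
import os

# Stand-in for the operator's secret A3 algorithm (assumption: real networks
# use operator-chosen algorithms such as COMP128 or Milenage, not HMAC-SHA256).
def a3_response(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]  # 32-bit SRES, as in GSM

class Sim:
    """Hardware token: holds Ki, never exposes it, only answers challenges."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki  # never leaves this object; no API returns it
    def respond(self, rand: bytes) -> bytes:
        return a3_response(self._ki, rand)

class HomeNetwork:
    """HLR/AuC side: knows each subscriber's Ki and hands out single-use challenges."""
    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}
    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki
    def challenge(self, imsi: str) -> bytes:
        rand = os.urandom(16)  # fresh and unpredictable, so old answers are useless
        self._pending[imsi] = rand
        return rand
    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        expected_rand = self._pending.pop(imsi, None)  # consumed on first use: no replay
        ki = self._keys.get(imsi)
        if ki is None or expected_rand is None or not hmac.compare_digest(expected_rand, rand):
            return False
        return hmac.compare_digest(a3_response(ki, rand), sres)

def demo() -> dict:
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample Ki
    imsi = "001010123456789"                                 # constructed sample IMSI
    net = HomeNetwork()
    net.provision(imsi, ki)
    sim = Sim(imsi, ki)
    imsi_only = Sim(imsi, bytes(16))  # knows the IMSI, does not hold the real Ki
    rand = net.challenge(imsi)
    sres = sim.respond(rand)
    genuine = net.verify(imsi, rand, sres)
    replay = net.verify(imsi, rand, sres)  # the same RAND/SRES pair presented again
    rand2 = net.challenge(imsi)
    without_ki = net.verify(imsi, rand2, imsi_only.respond(rand2))
    return {"genuine": genuine, "replay": replay, "without_ki": without_ki}
```

The network never needs a login "session": each attach is a fresh challenge, which is why a copied IMSI or a recorded exchange does not authenticate on its own.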


Account sharing in a telco context is a bad thing all around. Which phone would you like to ring? How do you ensure the charges really are made by (and to) the right person? How will you protect against messages with important information landing with the wrong party?

Authentication in a telco context is a good thing, the fact that the web doesn't have it enabled a large number of applications to flourish, it also made some other things devilishly hard, or even almost impossible.


Carriers do maintain sessions centrally though. These are the HLR and VLR, home location register and visitor location register. This is how "hand offs" between towers work. Handsets don't authenticate to the base station; the base station proxies those back to the MSC (mobile switching center), and they are looked up in the EIR, the Equipment Identity Register.


Do you happen to know of a good breakdown of how mobile networks work? I'd love to know more, but it's hard to get a handle on it to get started.


Sure:

It's helpful to understand the history of mobile/wireless, I think, since the telecom industry takes acronyms to an insane level. The terminology changes slightly depending on which generation of mobile is being discussed. This is a good breakdown of the evolution of mobile networks. I think it's a good starting point:

http://www1.i2r.a-star.edu.sg/~wongtc/EE5406-Network-Archite...

This is a good resource for understanding more recent and relevant mobile architecture. This has a lot more detail:

http://www.slideshare.net/abhishekshringi/gsm-architecture-1...

If you really want to learn mobile and wireless networking, this is unbeatable and very thorough, I highly recommend it, grab a used copy.

https://www.amazon.com/Wireless-Communications-Andreas-F-Mol...

If you just want the 10K view see:

http://www.telecomspace.com/gsm.html


Guess I've got some reading ahead of me. Thanks!


> It allows them to be sure that a subscriber is only using one phone at once

Only on the home network; everybody who knows your IMSI and has low-level access to the phone network can clone your identity in roaming.


There is no added complexity. Just buy a SIM card and put it in your phone. It is very simple and straightforward.

The alternatives are worse in usability AND security.


> But is it worth the added complexity?

If you don't want your account to be hacked: yes.


I'd very much argue that a hardware token is more secure, and less complex, especially with multiple devices. It's a lot easier to remember where you put your smart card than to need to get a password store somewhere shareable, to secure that, to remember to put passwords in the store, etc.


We're moving away from usernames and passwords though, into 2-factor systems such as... smart cards (Chip and PIN). Regressing phones back into usernames and passwords is a clear step backwards in security.


Yes, and remember too that SIMs are standardised technology from the mid-1990s, originating in GSM. It's not a trivial matter to change security in globally standardised technology.

(And even if you did, it would need to be backward-compatible and still support SIM cards.)

There is a good deal more to telecoms tech than just the tech side - the standardisation process brings a whole bunch of competitor companies into a room to develop a solution, incrementally over a number of years.

This applies from physical aspects all the way up to higher level concerns like security. It's a fascinating development process.


Who would you want to hold your 'software SIM' username and password? What's to stop someone else from logging in to your account once they have your credentials?


I have hundreds of usernames and passwords for various web sites and don't see a problem in having one more(?)


Interesting. I try to keep the number of usernames and passwords I have to an absolute minimum because I don't trust any of those to keep that secret, nor do I trust my computer to not spill the secrets somehow through a browser bug or other drive by exploit.

At the same time I totally trust my SIM, it's never been more than 10 meters away from me in the last decade or two, hasn't failed me even once and it would be very hard to get it to cough up its secrets without my cooperation (so rubber hose cryptography would still work).

Contrary to www security the phone system seems - from my perspective - at least to have done a half decent job at integrating 2FA when your average website - 20 years later - is still making up its mind about whether or not that might be a useful thing to add.


If you use actual strong passwords then you are an outlier. Most people use basic words like "password" as shown by every password dump in history. Indeed, most people would use the very same weak password they use for their e-mail for their mobile, and this would reduce protection against spoofing versus continuing to use the SIM system.

What we need is a SIM-type system on the web as well, not to bring the broken web password system elsewhere.


Client TLS certificates have been a thing since forever, but browser makers keep it a pain in the ass, and too many "modern" software stacks don't even consider leveraging the decades of infrastructure that would make their job easier. Add to the fact that identity aggregators want to be producers, but rarely allow themselves to be consumers and we get stuck in the hell that is identity online.


Furthermore, any security system that effectively relies on the user possessing more than one computing device (e.g., using your laptop for access to a password manager or email address) fails for the significant and increasing swath of humanity for which their phone is their [first and] only such device.
