The experts said no one has actually done any research on SIM card cloning because the activity is illegal in the country.
If the good guys can’t even participate, the bad guys will always win.
[From Schneier on Security: The Ill Effects of Banning Security Research]
Bruce is, as is generally the case, right. Banning research means that only the bad guys will do the research. Hoping that the bad guys won’t find the flaw is a ridiculous strategy: it’s much better to come clean, bite the bullet and then fix it. What does “fix” mean though?
In an odd sort of way, knowing that a system has vulnerabilities means that the existence of vulnerabilities doesn’t render the system useless, because you can build in countermeasures in other areas. That’s no excuse for forgetting all about security though.
The unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease. This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. “It’s trivial to clone a device,” Lawson says. “In fact, I have several clones with my own ID already.”
[From Technology Review: Road Tolls Hacked]
A system like this will only collapse when a simple vulnerability is exploited if the designers had been so dumb as to invest all of the security in a single factor. No-one would make a payment system like this. For example, it is possible — in fact trivial — to create counterfeits in a closed-loop contactless payment system that I am familiar with, and has been so for years. Yet the system has not collapsed (it has not even been damaged, frankly) by this because the back-end authorisation system is rather clever and can easily spot and generally decline the duplicates.
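A sketch of how a back-end authorisation check can spot duplicates of one card ID, added here as an illustration and not taken from the original post or from any real payment system. The per-card transaction counter, the travel-time table, and all names and sample taps are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Minimum plausible travel time in minutes between terminals (constructed values).
MIN_TRAVEL_MIN = {("north", "central"): 15, ("central", "south"): 20, ("north", "south"): 40}

@dataclass
class Tap:
    card_id: str
    counter: int   # card-side transaction counter (assumed to be part of the card data)
    terminal: str
    minute: int    # minutes since midnight

def min_travel(a, b):
    if a == b:
        return 0
    return MIN_TRAVEL_MIN.get((a, b)) or MIN_TRAVEL_MIN.get((b, a), 0)

def authorise(taps):
    """Return (tap, decision, reason) for each tap, in arrival order."""
    last = {}  # card_id -> last accepted Tap
    results = []
    for tap in taps:
        prev, reason = last.get(tap.card_id), ""
        if prev is not None:
            if tap.counter <= prev.counter:
                # Two devices share one ID but not one counter history.
                reason = "stale counter"
            elif tap.minute - prev.minute < min_travel(prev.terminal, tap.terminal):
                # Same ID seen at two places faster than anyone could travel.
                reason = "impossible travel"
        if reason:
            results.append((tap, "DECLINE", reason))
        else:
            last[tap.card_id] = tap  # only accepted taps advance the stored state
            results.append((tap, "ACCEPT", reason))
    return results

# Constructed sample: card A is genuine, and a copy of A taps at 505 and 530.
SAMPLE_TAPS = [
    Tap("A", 1, "north", 480), Tap("A", 2, "central", 500),
    Tap("A", 2, "south", 505), Tap("A", 3, "south", 525),
    Tap("A", 4, "north", 530), Tap("B", 7, "south", 530),
]

if __name__ == "__main__":
    for tap, decision, reason in authorise(SAMPLE_TAPS):
        print(tap.card_id, tap.counter, tap.terminal, tap.minute, decision, reason)
```

Neither check stops a copy from being made; together they limit what a copy is worth, which is the trade a risk analysis has to price.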
You don’t have to close all vulnerabilities, at potentially infinite expense, to make a system work. Conversely, the existence of vulnerabilities does not mean a system doesn’t work. How do you know what to do then? Well, that’s what risk analysis is all about.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public