Goal of This Research
The aim of this research is to evaluate the security of the mobile SIM card authentication process and validate its effectiveness and security against identity theft.
Observation: This research is conducted for educational purposes only, with the intent to raise awareness and promote better security practices.
Initial Setup
For this research, the following materials will be used to validate the security of these mobile carriers:
3x SIM Cards:
- Vivo
- Claro
- TIM
Note: This process will be conducted between 6:00 AM and 11:00 PM Brasília time.
Vivo SIM Security
Required information to activate a Vivo SIM card.
Name: [XXX]
CPF: xxx.xxx.xxx-xx
Birth Date: xx/xx/xxxx
Mother: [XXX]
Region of CPF: [XXX]
CEP: xxxxx-xxx
The above information will be used during the activation process. Seeing this information raises an important question: is it truly necessary to use my own information to activate a SIM?
Activation Process
After purchasing a SIM card and inserting it into your cellphone, you will receive a message prompting you to select the DDD for activation. An interesting aspect of the Vivo SIM card is that if you purchase a VIVO PRÉ, you have the option to choose the state you want it to be associated with.
Whether you choose a state different from where you purchased the SIM or the same state, the choice will not affect the activation process. After this initial message, you will receive an SMS with your new number for the device (THIS DOES NOT MEAN YOUR SIM IS ACTIVE).
You will likely receive an SMS from Vivo after getting your number, informing you that you need to activate your SIM card and validate your identity using facial recognition through a link to the Vivo website. However, this step is not strictly necessary, as you can activate the SIM by calling the Vivo customer service number directly instead.
Customer Support Interaction
The Vivo customer support number for clients is *8486. After calling this number, you will be guided through an automated workflow that says: "I can see that your SIM is not yet active. Now we will begin the activation process." Following this initial message, you can proceed to the next step.
You will be asked to provide the required information described at the beginning of this post. This step is the most crucial one for the security validation process, since it is meant to ensure that the provided information truly belongs to the person making the call.
Note: This workflow may be subject to changes in the future.
Initial Information Requested
CPF (Brazilian ID Number):
- You will be asked to type your CPF using the phone's keypad to confirm that it is truly your own.
Date of Birth:
- Following the CPF confirmation, you will need to provide your date of birth.
Region of CPF Issuance:
- The next step requires you to confirm the region where your CPF was issued.
Redirection to a Representative
- The last step, which was recently added, involves a validation step where the company often uses the opportunity to sell additional products to the client. You will be redirected to a call with one of their representatives.
- At this point, there should ideally be stricter credential and data validation, but this is not implemented.
- The representative will ask additional questions, which may vary but will remain within the scope of the information mentioned above.
Security Observations
An interesting aspect is that, in many cases, the SIM card may already be active even before completing the call with the representative. If you hang up before reaching this step, there's a chance that your SIM card will still function without completing the full activation process.
Claro SIM Security
Required information to activate a Claro SIM card.
Name: [XXX]
CPF: xxx.xxx.xxx-xx
Birth Date: xx/xx/xxxx
Mother: [XXX]
Region of CPF: [XXX]
CEP: xxxxx-xxx
Similar to the process of activating the Vivo SIM card, the information mentioned above will be used as requirements for activation. However, the question remains: how secure is this process truly?
Activation Process
After purchasing the SIM card and inserting it into your cellphone, you will receive a welcome message prompting you to press OK to proceed with the activation process.
Interestingly, Claro also provides the option to choose the DDD for your SIM card.
After you have chosen your location, you will receive a message containing your current phone number with the DDD you selected.
Customer Support Interaction
The contact support number for Claro is *1052#. After calling this number, an automated workflow will begin, stating that you are not a client and need to complete the registration of your credentials. It will instruct you to access the Claro website and validate your identity by providing a photo of a valid identification document.
The information mentioned at the beginning of this section will be used during this authentication process.
Note: This workflow may be subject to changes in the future.
Initial Information Requested
CPF (Brazilian ID Number):
- You will be asked to enter your CPF using the phone's keypad to confirm that it is truly your own.
Date of Birth:
- After confirming your CPF, you will need to provide your date of birth.
Region of CPF Issuance:
- In the next step, you will be required to confirm the region where your CPF was issued.
- Interestingly, during this step, the correct region of CPF issuance always appears as a single option without being accompanied by any other states, making it easy to identify.
CEP (Postal Code):
- You will then need to provide the CEP (postal code) of your residence. This step does not seem to serve as part of the authentication process but rather as a complementary step for registering your information.
Security Observations
An interesting aspect of this activation process is that, at the end of the call, the automated workflow will repeatedly state that you need to access the link sent via SMS to validate your identity. However, this step is not necessary, as the SIM will already be activated and fully functional once you complete all the steps.
TIM SIM Security
Required information to activate a TIM SIM card.
Name: [XXX]
CPF: xxx.xxx.xxx-xx
Birth Date: xx-xx-xxxx
Mother: [XXX]
Region: [XXX]
The information above will be used during the activation process. This raises the same question as before: is this process secure?
Activation Process
After purchasing the SIM card and inserting it into your cellphone, you will receive a message with the phone number and the next steps of activation.
During the activation process of a TIM SIM card, there are two options: using the website at ativar.tim.com.br or wcad.tim.com.br, or contacting TIM support at *144. For this validation, the support contact call will be used.
Customer Support Interaction
After calling the TIM support number, *144, an automated workflow will begin to activate the SIM. They may instruct you to complete the activation directly through the website. However, since this method sometimes fails, we will disregard this step and proceed with the process over the phone.
The information mentioned at the beginning of this section will be used during this authentication process.
Note: This workflow may be subject to changes in the future.
Initial Information Requested
CPF (Brazilian ID Number):
- You will be asked to type your CPF using the phone's keypad to confirm that it is truly your own.
Date of Birth:
- Following the CPF confirmation, you will need to provide your date of birth.
Region of CPF Issuance:
- The next step requires you to confirm the region where your CPF was issued.
Security Observations
After the information was provided, the SIM card was already active and didn't require any further information, making it the easiest method to activate a SIM card, as it doesn't require any additional authentication and doesn't even verify if the information provided truly belongs to the person.
Conclusions
After conducting research and testing the authentication flow of three different mobile carriers, it became clear that there are significant similarities that urgently require improvement in terms of security. The authentication process relies on CPF, CEP, date of birth, and the region where the CPF was issued, allowing a phone line to be activated with just this basic information. This makes the setup process overly easy for anyone, prioritizing convenience while neglecting proper security measures.
Another concerning aspect is the feature offered by Vivo and Claro, which allows users to create a SIM card in any state they want. This feature becomes attractive to fraudsters or individuals with malicious intent, as it introduces further vulnerabilities into the process. To mitigate these risks, Claro, TIM, and Vivo must enhance their identity verification processes by correctly implementing government-issued ID verification and selfie match with ID.
Additionally, removing the option of SIM activation via phone call and restricting the process exclusively to secure online platforms could serve as an effective measure to make identity fraud during SIM activation significantly more challenging. Ensuring these features are applied rigorously, not just as optional or theoretical safeguards, would strengthen the overall security framework and protect users from fraudulent activity.
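The recommendation above can be expressed as an activation gate. The following Python example is added here for illustration and is not code from the carriers or from this research; it contrasts a gate that accepts the knowledge-based answers alone with one that requires the ID and selfie checks on the web channel. The event names, policy functions and sample sessions are constructed assumptions.

```python
from dataclasses import dataclass

# Knowledge-based answers the phone flows in this post asked for.
KBA_FIELDS = {"cpf", "birth_date", "cpf_region"}
# Checks recommended in the conclusions; event names are hypothetical.
STRONG_CHECKS = {"gov_id_verified", "selfie_matches_id"}

@dataclass(frozen=True)
class Session:
    name: str
    channel: str      # "phone" or "web"
    events: tuple     # events recorded before the activation decision

def weak_policy(s):
    """Observed behaviour: the line goes live once the KBA answers are entered."""
    return KBA_FIELDS <= set(s.events)

def hardened_policy(s):
    """Activate only on the web channel, after both strong checks succeeded."""
    seen = set(s.events)
    if s.channel != "web":
        return False, "phone channel cannot activate"
    missing = sorted(STRONG_CHECKS - seen)
    if missing:
        return False, "missing: " + ", ".join(missing)
    if not KBA_FIELDS <= seen:
        return False, "registration data incomplete"
    return True, "ok"

# Constructed sessions modelled on the flows described in the post.
SESSIONS = [
    Session("vivo_hangup", "phone", ("cpf", "birth_date", "cpf_region", "call_abandoned")),
    Session("claro_link_ignored", "phone", ("cpf", "birth_date", "cpf_region", "cep")),
    Session("tim_phone", "phone", ("cpf", "birth_date", "cpf_region")),
    Session("web_full", "web", ("cpf", "birth_date", "cpf_region",
                                "gov_id_verified", "selfie_matches_id")),
    Session("web_selfie_only", "web", ("cpf", "birth_date", "cpf_region", "selfie_matches_id")),
]

def activation_gap(sessions):
    """Names of sessions the weak policy activates but the hardened one refuses."""
    return [s.name for s in sessions if weak_policy(s) and not hardened_policy(s)[0]]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s.name, weak_policy(s), hardened_policy(s))
    print("gap:", activation_gap(SESSIONS))
```

Every session in the gap list is one where the line would be provisioned on personal data that a third party could also know, which is the failure mode the three activation flows share.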