SIM banks used to be a thing, but they get less and less common every year.
Why are they dying out? Because they are not that easy to source, maintain, scale or achieve super high reliability with them. Also, hard to offer a high availability option when the phone network only (well, in most cases) accepts one device per phone number.
Edit: Additionally, important to note is that most SIM cards can only be used for a prolonged time in that provider's phone network. You e.g. can not buy US SIMs, ship them to the EU and host them there. T-Mobile US (and others) cut you off after (usually) 2 months of roaming.
> Also, hard to offer a high availability option when the phone network only (well, in most cases) accepts one device per phone number.
1. I guess it depends on your providers/region. From all three German mobile network providers (Telekom, Vodafone, o2) you can get up to three SIM-Cards for the same number.
2. The VoIP provider Sipgate (sorry again German) gives you as many SIM-Cards and eSIMs as you like (In exchange for money of course). You can route mobile as well as land line numbers to a VoIP-Phone, -Client or mobile phones. They can all ring in parallel.
3. Many years ago, I saw a presentation at a CCC event. (Sadly I can't find a video of it just now.) It was from a guy who documented how he became a mobile provider. He wasn't just reselling, because his numbers terminated in his own Asterisk server! So maybe, people looking for the best solution, should look into how to become a virtual mobile provider.
I suspect they’re still used for outbound scam calls/texts (and maybe inbound too), and probably gray-market voip-pstn interfaces in countries that make int’l voip interchange expensive.
Some cool stuff on aliexpress with 128 SIM card slots and 8 or 16 gsm radios where you can program your choice of imei.
As a Canadian with crappy cellular coverage, I’ve dreamt of having a couple French SIM cards that I could mail to France every so often so it looked like I wasn’t 100% roaming just to have a cheap unlimited data plan with cheaper int’l calling.
To clarify: do you need to forward phone calls, or only forwarding incoming SMS to another phone? (We are working on such a product and would love your feedback and wish list)
Yes, this is (also) on high priority. But it depends a lot on the country, some have very strict regulations around this. Which countries are you mostly interested in?
I was feeling the pain of 2FA and 2FA SMS for too long as well and thus built a product, Daito (https://www.daito.io), around the concept of shared 2FA as a service for companies and teams.
In addition to TOTP 2FA (our main service), we also started to offer 2FA via SMS via _physical SIM cards_ hosted in a data center in Germany (we are a German company) as every other solution we tried (Twilio + seemingly 50+ other, non-physical SIM card-based, options by now) was simply not working reliably.
We have been talking to Twilio et al and a lot of telcos, carriers, ISP, providers and seemingly everyone in between: there simply is no easy and reliable solution to this. :(
In our tests the best reliability we could reach for national and international senders & receivers on VOIP-based numbers was only ever around 80%. We are still looking for other options, and especially non-VOIP options that are actually affordable, but so far we can only offer a German number (+49). This number however, is way, way more reliable than anything we have seen from others.
We currently support forwarding SMS to an email address, and webhooks for incoming notifications are in the works.
Anytime I think about these issues and this model I always wonder:
Can you get a cellular connection over a wire?
That is, instead of having 500 little radios connecting to one or two nearby towers, can you negotiate a direct connection to the tower and use the entire cellular stack except for the PHY ?
This is pretty much what we have been asking every supplier (telcos etc) over the past 2 years. The answer is always no. And if it is a "Maybe, I think so" it turns into a "no" weeks or months later when they have finished digging through the corporate hierarchy.
The only solution that seems to work is old school SIM card hosting in a SIM bank. In some narrow cases, e.g. sender is in the country and receiver is in the same country, you might have pretty good (95%+) reliability of receiving critical SMS (A2P traffic), but still far away from what you'd call reliable.
There exists FOSS that could do this too (start with "osmocombb").
But the real problem here isn't technical, it's a business/legal issue: the carriers and their regulators are trying to minimize (or at least, reduce) the ability for bad actors to operate large numbers of "cell phones" at minimal cost/complexity.
So everything that could be done (technically) to make this work is, in practice, prevented by those business/legal considerations.
Open source stacks are already or basically on the verge of being obsolete in most of the world's telco networks if you want to actually use them. They are incredibly cool and a huge undertaking but no one is saying they are practical for actual usage, and that's ignoring the clear illegality of broadcasting with such firmware.
Osmocom and others like FreeCalypso only work on very old devices with TI Calypso chipsets.
But in this context, I think the supported devices don't matter: the idea is to interface with one-or-more telcos directly at a higher level of the 3GPP stack?
You won't need the air interface - hypothetically just an appropriately rooted femtocell, carrier HSS/HLR/MME that can authn/authz you, and Asterisk server that is secure. Or a flooded Nokia Flexi on a rack shelf, I mean, they look cool, don't they...
Can you please elaborate on SMS 2FA being intercepted or snooped?
(Disclosure: working on a product to prevent exactly that and really curious to hear about those hijacking cases.)
We are a small, founder-led indiehacker company (based in Berlin, Germany) that is enabling companies around the globe to better secure their various SaaS accounts through securely sharing 2FA via our web-based 2FA authenticator solution, https://www.daito.io. We have been growing steadily over the past 2 years and are now looking to extend our team with an experienced rails full stack dev.
We are looking for a professional full stack ruby on rails developer, ideally with some multi-disciplinary experience in the background and at least 5 years of experience in startup environments using the usual tech stack(s).
Benefits & perks:
- No stupid meetings, no politics, no bullshit (+ no outside investors)
- Async & 100% remote work (very autonomous)
- Very small team (you'll work directly with the founders) and your chance to shape our product's future
- 40 hours of work per week max (but we are flexible re contract type, hours worked, etc.)
- We take attention to detail and minimizing tech debt seriously
Please reach out to hello@daito.io with some info about you (linkedin, github, CV, whatever you want to share) and at least a salary range you feel comfortable with.
As a long term 1Password user I can only shake my head. What are their PMs thinking?
If anybody is interested in not upgrading 1Password, maybe my SaaS https://www.daito.io/ , a web-based 2FA Authenticator, is an alternative for you and your team.
Any decent password manager nowadays allows sharing of 2FA tokens, it's not a technical problem, it's a managerial and staff training problem in non-tech industries. It is simply not enforced enough and there are still too many people who are not aware of the risks and can not be bothered to be inconvenienced.
Disclosure: My company is offering a web-based 2FA authenticator (https://www.daito.io/) that explicitly is for sharing 2FA tokens, but not usernames+passwords, thus eliminating a single point of failure. I regularly have discussions about why and sadly why not people are using 2FA. There are tons of small business & mom+pop shops out there who are at risk.
I hope the guidance gets upgraded to a mandatory requirement (as some platforms do) sometime soon.
Not a big fan of Google Authenticator myself, and didn't want to stay with Authy as well, thus I started working on my own authenticator, which is web-based: https://www.daito.io/
The main differentiator is that this is a web-based authenticator, not an app-based one. The main goal being a fully separate service (thus full separation of concerns) from a password manager. It's not ready for prime time yet, but if you are interested to test it, please reach out.