In September, when Apple announced their lineup of the 2022 phones, there was a curious modification in the US models. They came with no physical SIM tray.
So customers in the US who purchase a new iPhone 14 have to request an eSIM from their carrier if they weren’t already using one. eSIMs have been around for some time, but adoption has been pretty slow.
What this change to the iPhone will do is bring eSIM into the mainstream. Android phones will follow suit with eSIM-only variants, and carriers who don’t support eSIM will now bend over backwards to ensure eSIM capability.
In short, going by a report that I came across, up to 40% of all smartphone connections globally will be on eSIM by 2025. And this report was published before the iPhone announcement. I can only imagine that this 40% figure will prove to be conservative.
Not just that, the adoption curve in the USA is going to be much faster than the rest of the world.
This gives rise to a peculiar situation which I feel is quite risky. The way most operators let you load an eSIM onto your handset is by sending a QR code to your email, which you scan with the phone. As easy as that, the mobile plan is loaded onto your phone and you can start using it for calls, data and messaging. These eSIM QR codes can very often be re-used.
It all seems so convenient, right?
Too convenient, I say.
This is because email accounts are not particularly well protected by casual users. Now, by hacking into an email account, a malicious actor can get access to your phone as well, and use this phone to log into your bank (your bank account is very likely to be found in the same email account). So the phone, which used to be a second layer of safety protecting against a weakly protected communication channel (the email), is itself compromised.
Until now, the chances of finding an eSIM QR code in a mail account were slim. But now the first thing someone with access to your email account will do is search for QR codes from your carrier.
There is a reason why OTPs are much better sent over SMS rather than email.
Identifying you as who you claim to be has relied on two things: a “thing you possess” (your handset) and a “thing that you know” (your password). If you check out on both counts, then you must be who you claim to be and can be trusted with the information or access that you are seeking.
But now, with access to just your email password, a bad actor can get access first to your email and then to your phone, use it to reset passwords for everything that is valuable to you, and then trigger OTPs to that compromised phone.
You might ask why this wasn’t such a big problem earlier. With low penetration of eSIMs, the bad actor had to get really lucky to get into an email account that had the QR code in it. Now, with increased adoption and going by the research figure stated earlier, there is as much as a 40% chance of finding a working eSIM QR code in your email. That makes the effort a lot more worthwhile.
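One way to check your own mailbox for this exposure, as an added example that is not part of the original post: it flags messages that carry an eSIM activation string in their text, or an image attachment in a mail that mentions eSIM. It assumes the QR payload uses the GSMA SGP.22 form LPA:1$<SM-DP+ address>$<matching ID> and that carrier mails mention "eSIM"; the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# QR payload format assumed from GSMA SGP.22: LPA:1$<SM-DP+ address>$<matching ID>
LPA_RE = re.compile(r"LPA:1\$[A-Za-z0-9.\-]+\$[A-Za-z0-9\-]*")
# Assumption: carrier mails mention "eSIM" / "e-SIM" in the subject or body.
KEYWORD_RE = re.compile(r"\be-?sim\b", re.IGNORECASE)

def audit_message(raw):
    """Return the reasons a raw RFC 5322 message may hold a reusable eSIM code."""
    msg = message_from_string(raw, policy=policy.default)
    text, images, findings = str(msg.get("Subject", "")), [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            text += "\n" + part.get_content()
        elif ctype.startswith("image/"):
            images.append(part.get_filename() or ctype)
    # The code itself is never returned or printed, only the fact it is there.
    if LPA_RE.search(text):
        findings.append("activation code in message text")
    if images and KEYWORD_RE.search(text):
        findings.append("possible QR image: " + ", ".join(images))
    return findings

def make_sample(subject, body, image=None):
    """Build a constructed test message (not real carrier mail)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if image:
        m.add_attachment(b"constructed bytes", maintype="image",
                         subtype="png", filename=image)
    return m.as_string()

SAMPLES = {
    "qr": make_sample("Your eSIM is ready", "Scan the attached code.", "qr.png"),
    "manual": make_sample("Activation details",
                          "Manual entry: LPA:1$smdp.example.com$CONSTRUCTED-0001"),
    "noise": make_sample("Invoice", "Thanks for your payment.", "logo.png"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_message(raw))
```

Run it over an export of your own mailbox and delete whatever it flags once the eSIM profile is installed on the handset.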