
Ask HN: Why are SIM cards still a thing? - glennos
Using SIM cards in mobile phones seems antiquated. Should there not be a software solution that lets you select which network&#x2F;s the phone should connect to?<p>Feels like this is probably the result of telco networks wanting as much friction as possible to change providers, but is there something more to it?
======
JoachimSchipper
The SIM card is a smart card, i.e. a secure piece of hardware, that protects
the telephone network from the subscriber - most importantly, it ensures that
the network has someone to bill.

In most western countries, SIMs do little else; however, they are full
application platforms, allowing stuff like Kenya's mobile payment network
[https://en.wikipedia.org/wiki/M-Pesa](https://en.wikipedia.org/wiki/M-Pesa).

For what it's worth, you really don't want to have every network provider
negotiate with Samsung for the particular access policy of that network. "Not
compatible with your telephone" indeed!

~~~
mherrmann
Doesn't every login form on the web also protect the respective operator from
the subscriber? Why can't a "software SIM" simply be a username and a
password?

My explanation is that it's difficult to change something that literally the
entire world uses.

~~~
user5994461
Because username and password is a disaster for security. It's sole purpose is
let ANY guy ANY where on the planet connect to your account.

SIM cards are cryptographic hardware tokens. They are much more secure than
passwords.

In fact, they do need a password as well on top of the hardware token, that's
the 'PIN code' you have to enter when you (re)boot your phone.

~~~
mherrmann
Most of the internet runs on usernames/passwords. I understand that a hardware
token (with a PIN) is more secure. But is it worth the added complexity?

~~~
pjc50
The SIM protects the carrier against "account sharing". It allows them to be
sure that a subscriber is only using one phone at once - although it's
portable between phones.

It means that carriers don't have to maintain "sessions" centrally. The SIM
can authenticate you to the base station without the base station having to
check back to see if you're logged in elsewhere - vital in reducing the
latency of cell changes.

(It also stores various bits of technical information for SMS/MMS routing, and
was intended to be a platform for "value added" applications.

~~~
bogomipz
Carriers do maintain sessions centrally though. These are the HLR and VLR -
home location register and visitor location register. This is how "hand offs"
between towers work. Handsets don't authenticate to the base station, the base
station proxies those back to the MSC, mobile switching center and are looked
up in the EIR - Equipment Identity Register.

~~~
eropple
Do you happen to know of a good breakdown of how mobile networks work? I'd
love to know more, but it's hard to get a handle on it to get started.

~~~
bogomipz
Sure:

Its helpful to understand the history of mobile/wireless I think since the
Telecom industry takes acronyms to an insane level. The terminology changes
slightly depending on which generation of mobile is being discussed. This is a
good breakdown of the evolution of mobile networks. I think its a good
starting point:

[http://www1.i2r.a-star.edu.sg/~wongtc/EE5406-Network-
Archite...](http://www1.i2r.a-star.edu.sg/~wongtc/EE5406-Network-
Architectures.pdf)

This is a good resource for understanding more recent and relevant mobile
architecture. This has a lot more detail:

[http://www.slideshare.net/abhishekshringi/gsm-
architecture-1...](http://www.slideshare.net/abhishekshringi/gsm-
architecture-11984082)

If you really want to learn mobile and wireless networking, this is unbeatable
and very thorough, I highly recommend it, grab a used copy.

[https://www.amazon.com/Wireless-Communications-Andreas-F-
Mol...](https://www.amazon.com/Wireless-Communications-Andreas-F-
Molisch/dp/0470741864)

If you just want the 10K view see:

[http://www.telecomspace.com/gsm.html](http://www.telecomspace.com/gsm.html)

~~~
eropple
Guess I've got some reading ahead of me. Thanks!

------
vidarh
On the contrary, it is the result of a concerted effort to _reduce_ friction.

With SIM cards, users can switch to a new phone by just moving the SIM, or
switch to a new provider while keeping their phone (assuming its unlocked) by
just replacing the SIM.

Prior to SIM cards phones where frequently programmed to be tied to a specific
provider.

A pure software solution could work, but requires the network operators to be
able to trust the phone manufacturers to secure it well enough to not let end
users change things in ways they're not supposed to (e.g. consider a hacker
harvesting authentication details from phones). The SIM card is the simple
solution.

~~~
RandyRanderson
Unless you personally know some heads of some major carriers you can't say
that and also it's unlikely carriers do things to reduce friction.

Unlocked phones are still relatively rare in the US so I don't agree with your
second point either.

Network operators trust Gemalto, etc to write the SIM card software and also
the provisioning and tower software. They also trust the phone manufacturer
software as they rigorously test it before it's pushed to it's subs. That's
actually why updates take so long (excl apple, of course).

Note that I have actually worked for some major carriers and have been in
discussions with VPs discussing this very issue. See my other answer further
down the thread.

~~~
cflee
> > With SIM cards, users can switch to a new phone by just moving the SIM, or
> switch to a new provider while keeping their phone (assuming its unlocked)
> by just replacing the SIM.

> Unlocked phones are still relatively rare in the US so I don't agree with
> your second point either.

As you point out, where GSM networks are concerned, this observation is mostly
specific to the US - swapping phones and swapping SIMs has been a reality in
the rest of the world for years.

Instead, the main source of friction is frequency bands. When swapping phones,
it's not often an issue when switching between locally distributed phone
models, since they are the Asia/international models with more band
compatibility. When swapping SIMs domestically, it's not an issue for the same
reason. When swapping SIMs internationally, phone service typically works, but
if you want high speed data _then_ you check for band compatibility.

I'd say that for most of the world, the reduction in friction is real. It's a
pity that the US market is so different.

~~~
djhworld
> swapping phones and swapping SIMs has been a reality in the rest of the
> world for years.

It's still prevalent here in the UK, although the competition is fierce enough
for you to be able to find a vendor that sells a phone unlocked.

------
kalleboo
The actual reason it's still a thing is because changing how thousands of
network operators work in over 200 countries is quite difficult to coordinate.
Even Apple tried to push a soft-SIM and couldn't get it going.

But I'm glad for it, because the foresight of the designers of GSM to put your
private key in a smartcard has absolutely improved consumer choice worldwide.
I can buy an unlocked phone, travel to any country, buy a SIM card at the
airport and pop it in my phone and the GSM(/UMTS/LTE) standards say it must
work.

A software-based system will quickly devolve into a "oh we haven't approved
this phone on our network, sorry we won't activate it" and other anti-consumer
activities you saw on the ESN-registration-based US CDMA networks.

Hopefully when the GSMA adds eSIM to the standard, they add protections for
consumer choice, but in the current corporate climate I fear they won't.

~~~
wyldfire
IMO the fact that the device subsidy is so popular with both consumers and
network operators in the US means that all of this ostensibly anti-consumer
stuff will be with us for a while. The (hard) SIM cards don't even offer the
desired portability if you have to go beg for the device to be unlocked.

~~~
wolfgke
> The (hard) SIM cards don't even offer the desired portability if you have to
> go beg for the device to be unlocked.

It's not the SIM card that is not portable, but the phone that you bought.

------
jacquesm
SIM: Subscriber Identity Module almost says it all, on top of that a SIM can
store your contacts (up to a certain number).

The SIM is what separates your identity from the hardware of the phone (which
has its own identity called 'IMEI').

A 'software solution' would need a carrier, that carrier _IS_ the SIM.

Another nice benefit of having the SIM device is that it makes it much harder
to 'clone' a subscriber ID, something that would regularly happen in the days
before the SIM card, note that the SIM was a development that came along with
GSM, and that GSM was the first mobile phone standard resistant against
cloning. It's one part of the 2FA (something that you have) that gives you
access to the phone network (the other being the PIN code (something that you
know) required to unlock the SIM).

~~~
djhworld
> on top of that a SIM can store your contacts (up to a certain number).

This presented a usability nightmare back in the days of feature phones, where
if you didn't specifically say where to store contacts, it would often default
to the phone's storage rather than SIM, or if you breached the number of
contacts on a SIM you'd have overspill onto the phone memory (sometimes
without realising)

This presented a lot of unnecessary confusion when it came to upgrading
devices, or if you damaged your phone.

~~~
WatchDog
Well by the same token, sims offered a simple way to move contacts between
devices, which was otherwise difficult to do without a pc and proprietary
cables/software to export data from the phone.

------
aq3cn
You know if that happen then flip phone users will have hard time because
network will promote only high end selective phones. SIM card gives you
freedom of putting it in $25 or $640 phone and it works just fine. People with
security, budget and privacy concern go for flip phones. Just like net
neutrality, phone neutrality is a good thing. One should never be forced to
purchase smart phone if he does not want it. A dumb phone just works fine for
calling and text messaging. I have never used internet on my phone and I will
never be excited about it (3G 4G, 5G or anything). I carry my laptop
everywhere I go and it serves my need well.

I must add you can find flip phones cheaper than cost of lightening cables.

~~~
uph
> People with security, budget and privacy concern go for flip phones.

No. That ensures you can't send encrypted messages or do encrypted calls.

Also see one of the reasons Signal moved to sending encrypted messages as data
and stopped supporting encrypted messages sent as sms.

> __SMS and MMS are a security disaster. They leak all possible metadata 100%
> of the time to thousands of cellular carriers worldwide. It 's common to
> think of SMS/MMS as being "offline" or "peer to peer," but the truth is that
> SMS/MMS messages are still processed by servers--the servers are just
> controlled by the telcos. We don't want the state-run telcos in Saudi, Iran,
> Bahrain, Belarus, China, Egypt, Cuba, USA, etc... to have direct access to
> the metadata of TextSecure users in those countries or anywhere else. __

[https://whispersystems.org/blog/goodbye-encrypted-
sms/](https://whispersystems.org/blog/goodbye-encrypted-sms/)

~~~
jacquesm
Well, they at least they no longer leak them to the servers of every
application provider on their smartphone.

~~~
uph
Apps on your smartphone only get access to your messages if you give them
permission.

~~~
jacquesm
Apps _routinely_ ask for many more permissions than they have reason to and
users have been conditioned to just 'get it over with'. Technically you are
right, in practice users hand over the keys to the kingdom without a moments
pause to think of the implications.

Now, you could of course argue that they only have themselves to blame.

~~~
uph
I'd argue that if someone wants to get a flip phone for privacy reasons they
should be able to not download shady apps and give them permissions without
thinking.

~~~
jacquesm
Flip phones have some of the best protections available: the sensors aren't
there. You can't leak your location if there is no GPS module in your phone,
you can't have your camera hacked if there is no camera and so on.

I'd prefer all this stuff came with physical switches so it can be
enabled/disabled in a hack-proof manner.

~~~
icebraining
_You can 't leak your location if there is no GPS module in your phone_

While not as precise, you can definitively leak your location by scanning for
the surrounding cell towers, especially in a city, which usually have hundreds
or thousands of them (Manhattan alone has eleven, for example). I used to run
a Python script on my Nokia phone that logged the tower ID, and I could
reliable tell when I got to work, home, etc.

And that's just for people who control your phone. Your operator has U-TDOA¹,
which is typically accurate to 50m.

The camera part is true, but tape is cheap :)

¹ [https://en.wikipedia.org/wiki/U-TDOA](https://en.wikipedia.org/wiki/U-TDOA)

~~~
jacquesm
Sure, but that's telcos and the local law enforcement. It's not google,
facebook, 500 advertising networks and a whole pile of other parties.

It's also not accurate to within enough resolution start targeting advertising
and other nuisance information at me even if there was a way to present me
that (which there isn't).

I'm well aware of the power of triangulation, I used to go fox hunting.

[http://www.homingin.com/](http://www.homingin.com/)

~~~
icebraining
In some places, "just telcos" doesn't mean much:
[http://www.latimes.com/business/la-fi-
lazarus-20140425-colum...](http://www.latimes.com/business/la-fi-
lazarus-20140425-column.html)

Though European laws are still mostly sane in that regard.

------
bizzleDawg
'eSIM' is on the way to replace sim cards. The biggest challenge of
'downloading a sim card' to a secure enclave on a phone is of course security.

The GSMA and members (i.e. telcos) have been working on secure remote
provisioning. I think it'll take a while for the technology to make it in to
consumer devices, though it's likely to be used in IoT relatively soon.

It takes a long time to spec these things up collaboratively and then even
longer for telco's to act on it!

See: [http://www.gsma.com/rsp/2016/04/27/esim-opportunity-
operator...](http://www.gsma.com/rsp/2016/04/27/esim-opportunity-operators-
innovate/) and [http://www.gsma.com/rsp/](http://www.gsma.com/rsp/) (Warning:
Lots of marketing BS)

~~~
synchrone
Actually there is at least one company already offering Remote-Sim-
Provisioning. [https://medium.com/@ComfortWay_Glob/cwsim-freedom-of-
connect...](https://medium.com/@ComfortWay_Glob/cwsim-freedom-of-connection-
freedom-of-choice-8ab72b1c8f90)

They are selling local data-plans abroad without switching the SIM card by
implementing RSP. Calls are coming in 2017, also promising a portable phone
number later that year.

~~~
lathiat
another interesting company in this space is FlexiroamX, they have a super
flat sim that sticks on top of your existing sim. It lets you soft-switch the
SIM using a "SIM Application" (like mentioned elsewhere in the thread) -
appears as if it unplugs and replugs to the phone.

See picture of the process here:
[https://twitter.com/lathiat/status/758979125751054336](https://twitter.com/lathiat/status/758979125751054336)

Works fantastically and gives me $30/GB data in pretty much any country at
often 4G speeds - with a 12 month expiry on the data (does cost $20 a year or
something for 'membership' but still, usually costs far more than that for a
sim starter pack in every different separate country you go to). Good for
frequent travellers!

Obligatory please use my referral link if you signup :-) Bonus 100MB for both
me and you.
[http://www.flexiroamx.com/referYXBBCJ](http://www.flexiroamx.com/referYXBBCJ)
/ Code YXBBCJ

~~~
glennos
Super interesting. So the overlay tricks the phone into thinking there's 2
SIMs in the phone?

~~~
nhf
It's more like a "proxy" for your SIM card where it can act as its own SIM, or
as a passthrough, depending on software settings.

------
i336_
A form of this has existed for a while but never caught on for fairly
understandable reasons.

Quite a few years ago (2005?) a family member purchased a Samsung-branded
dumbphone on a contract. (Monochrome LCD (something like 128x64?), polyphonic
ringtones, 3 fixed games, a (really slow, GSM data) WAP browser; that was it.
Model SGH-something, I vaguely recall.)

It had no SIM card slot. It was locked to the network (Orange - in Australia
FWIW) via software. In order to unlock it we had to call up the telco and go
through some process, which we decided not to do in the end (whatever it was,
I don't recall), since the phone had less capabilities than the Nokias that
flood India and similar places, so we concluded there was no point selling it
by the time we dug it out one day and tried to figure out what to do with it.
(It's still buried in a box somewhere IIRC.)

I think this is why SIM-less phones are reasonably rare - it's really, really
hard to de-contract them, unlock them and put them into sellable (or whatever)
condition. Then once you've done that the recipient has to go through some
equally arcane process to get the thing linked to a plan/contract too. And
considering the ability to pass a phone on is a fairly major selling point -
phones aren't solely purchased [preconfigured] on plans, then disposed - I
think this was explored somewhat by the industry but ultimately left alone.

Some of the other things I've found in this thread are really interesting,
although I wonder how difficult it is to "unconfigure" such a device to sell
or pass it on.

~~~
catmanjan
It was probably just a CDMA phone - they don't have SIM cards are were
actually quite common a while ago.

~~~
aq3cn
CDMA phone are worse. It is a way for manufacture of mobile phone to keep you
tied to one cellular company.

I always go for GSM supported phones.

------
mianos
For some perspective, check electronupdate's recent 'decapping':
[http://electronupdate.blogspot.com.au/2016/10/decap-of-
cell-...](http://electronupdate.blogspot.com.au/2016/10/decap-of-cell-phone-
sim-card.html) It is not just a little block of secure RAM labelled a
'smartcard'. It contains as much CPU as a low end phone. Amazing.

~~~
kalleboo
And it runs Java!

~~~
bikamonki
Runs Java or the phone runs Java code stored on the SIM?

~~~
kuschku
Runs java, it has its own smartcard processor.

SIMs are smart cards in the exact same way as your NFC-enabled credit card, or
other cards, and many systems use the SIM to store payment data actually.

Android Pay could do exactly that, too – but doesn’t, because one US network
prevented them from storing that on the SIM, so instead it’s stored in normal
memory, which led to safetynet, which led to Android phones being less user-
servicable than even Apple devices.

~~~
aminorex
Name the culprit.

~~~
wolrah
If it's a US cell provider being shitty and restricting technology, it's got
to be Verizon.

They hate anything that isn't under their control.

There are way too many people in the US who think Verizon is their only option
because they haven't tried other providers in a decade.

~~~
gergles
It was indeed Verizon.

------
ex3ndr
Because they handle private keys that is soldered to chip and can't be
retrieved at all. Before sim cards there was something in the phones that can
be easily reprogrammed and you always have to walk to your carrier office to
"program" your phone. Swapping of sim cards is much easier.

~~~
cordite
Usually these unique bits are burned in with fuses as a step in manufacturing
in a non reversible process.

------
dismantlethesun
> Feels like this is probably the result of telco networks wanting as much
> friction as possible to change providers, but is there something more to it?

In 3rd world countries, people regularly swithch their SIMs as they travel
across borders because no one has cross-country access. Taking a SIM out only
uses up a minute of your time, and standizing on a hardwardware dongle like
that is great because if company A goes out of business, you just grab a new
SIM and stick it in.

It's a bit harder in the US, where phones are locked to their providers, and
you need IDs to buy SIMs but that's really all just a regulation issue, not a
technical one.

~~~
pmontra
That's also a 1st world thing. If you travel often between two European
country it might be cheaper to have two SIMs, one for your country and one for
the other one, especially if you pay as you go. Cross border roaming fees are
getting cheaper because the European Commission wants so (luckily) but telcos
are doing their best to regain those money by any other means.

------
mrb
There are many poor design decisions in the cellphone infrastructure, but the
SIM card is probably one of its best pieces.

Broken phone? Pop the SIM card into another phone, and you can immediately
make and receive calls & texts on the new phone using your phone number.

If you had no SIM card, how would you authenticate yourself to the cell
network (that's what the SIM card does)? Going online and then providing a
username/password? This would be horrible security-wise as we all know people
are terrible at picking secure unique passwords. So hackers could try to guess
your password, then they would use your account, receives your calls & texts,
and they could steal your cell data, causing you to receive large cellphone
bills, etc. A total nightmare.

------
raverbashing
> Feels like this is probably the result of telco networks wanting as much
> friction as possible to change providers

No, it is the opposite.

It is _exactly_ done like this so you only need to get the sim card and not
need to have the operator decide for you (of course people shoot themselves in
the foot by signing a long term contract while getting a locked mobile phone)

~~~
kalleboo
I imagine one of the main reasons it was done like this was because when the
GSM standard was designed, a non-insignificant number of phones were fixed
mounted into cars (due to the sheer bulk), and then being able to bring your
smartcard with you in your wallet and swap between phones (cars) would be a
very handy feature.

------
TorKlingberg
I work in the industry. I somewhat agree with you, SIM cards are a hassle, and
I hope they will go away at least partially.

As for why you still need them, I see some reasons:

1\. The alternative may be worse. At least with SIM cards you can switch
operator when you want (if the phone is not carrier locked, bleh), or use a
local prepaid SIM when abroad.

2\. Inertia. Removing the physical SIM would require getting operators and
phone manufacturers to coordinate.

3\. The IM card is what securely identifies the owner of a phone number, and
makes sure they are not two phones with the same number. With a software SIM,
if it is done wrong, you risk getting malware that steals your phone number.

Personally, I think we will eventually see SIM-free data only connections
without a phone number. You really should be able to buy an LTE tablet, get
online and just pay for some data. Apples has been trying a bit with the Apple
SIM, but it is US only, and only works with a few operators.

~~~
Razengan
It says Apple SIM works in over 100 countries:

[http://www.apple.com/ipad/apple-sim/](http://www.apple.com/ipad/apple-sim/)

------
matheweis
Personally I really appreciate the fact that providers have SIMs. Verizon
(major network in the USA) used to NOT have SIMs, and it was a huge pain to
change phones out. Now it's as simple as swapping out the SIM.

I hear you that it should be doable in software, although I'd argue that if
anything you should still need the SIM as a sort of second factor. (Otherwise
you run the risk of people stealing your phone account remotely).

~~~
fernandotakai
same! whenever i travel, i can get a sim card on that country and use my phone
like i was using before.

without that, i would have to either buy a local phone or deal with how
expensive my carrier makes to use internet outside my own country.

------
jlgaddis
As others have pointed out, SIM cards are basically smart cards. There's PKI,
private keys, the ability to perform mutual authentication (although that's
not usually done, at least in .us), and much more.

Honestly, I wish their use would expand into other areas of our lives --
replacing username and password combinations for various devices (working for
an ISP, home routers are one good example).

As much as I'm against the idea of a mandatory "national ID", I'm convinced
that it will happen someday (in .us, where I live). When it does, I believe
it'll be something similar to US DoD's CAC [1]: a physical identification card
that doubles as a smart card. The private keys stored on the card will allow
you to prove your identity to your banks/financial institutions, e-mail
account (100% encryption of all e-mails? Yes, please!), and so on.

[1]:
[https://en.wikipedia.org/wiki/Common_Access_Card](https://en.wikipedia.org/wiki/Common_Access_Card)

~~~
rocqua
Sadly, encrypting e-mail will break all current anti-spam methods.

~~~
jlgaddis
Not exactly. Some methods won't be nearly as effective (such as filtering on
the message body) but others (such as SPF, DKIM, and RBLs) will still work
just as well as they do today.

Now that I think about, just the encryption itself will increase the
computational cost of sending out spam e-mails. While today a spammer can
blast out an e-mail to 100 recipients very quickly, it'll take a fair bit
longer to do once the spammer has to query and retrieve 100 public keys (one
for each of the recipients) and then encrypt the e-mail 100 times over.

~~~
rocqua
A large part of spam detection remains machine learning on message bodies.
Something this would make impossible.

As for encrypting the e-mail 100 times. AES acceleration is great in CPU's,
and you can cache public keys. The only real-ish bottleneck could be key-
generation.

That said, someone else had a decent idea. Require white-listing for encrypted
e-mail.

------
pmontra
My 5 yo phone eventually died at the beginning of October. I put the SIM in my
tablet and I kept going until I received the new one two days later. A pure
software solution would have worked as well, but the SIM is an authentication
token. 2FA are all the rage nowadays and if we went pure software I bet we'll
have to use a separate token anyway.

------
atamyrat
SIM card provides hardware-based, simple and secure authentication of
subscribers to mobile network operators. Until manufacturers start to embed
standardized secure element on all phones, alternative software based
solutions (password, etc.) are more complicated and insecure.

------
smileysteve
> Using SIM cards in mobile phones seems antiquated.

In the U.S., LTE is the first time that CDMA phones have had sim cards, that's
~2 years ago.

The software solution (using IMEI and PUK) is the old technology. It's less
secure; verizon and sprint will charge you ~$40 activation fees, etc.

------
informatimago
The software equivalent would be a TEE (Trusted Execution Environment), but it
relies on hardware support. Only a few arm processors and a few Android phone
support this option. Apple has its secure enclave, but you cannot download
trusted application in it, only Apple can do that.

A 100% purely software solution can be built based on white box encryption.
It's slower and may be more easily attacked than a hardware protection (you
never know if/when some genius mathematician or physician (quantum
cryptographic attacks) breaks your encryption. But it has the advantage that
it can run on all devices. cf. eg.
[https://www.trustonic.com/solutions/trustonic-hybrid-
protect...](https://www.trustonic.com/solutions/trustonic-hybrid-protection)

Then of course, there's the problem of key management and distribution thru
software. Using a physical token has several good security properties.
Replicating them in software (encryption) is difficult and error-prone. For
end users, and service provides, it's much easier to swap a SIM card, than to
install securely cryptographic keys and authentication tokens into his trusted
execution environment even with the help of well written software.

------
bogomipz
I think they are still a thing because of the following:

1) One SIMs are a bit harder to tamper with than the OS of a phone which I am
assuming would be the alternative to a SIM card i.e storing the same
information on NAND flash accessible to the OS. SIMs have some threshold(it
used to be 3) of unsuccessful attempts to read the card. A lock is activated
and can only be unlocked entering the unlock code.

2) Carriers can talk directly to the SIM - A "SIM" is basically a Java applet
that runs on UICC(Universal Integrated Circuit Card - the smart card itself.)
I think a lot of people don't know that SIMs run Java - well Java Card. This
mean that they can remotely lock a SIM card to prevent it from further
accessing their network. If someone stole my phone or even just my SIM card I
could call my carrier and they could lock the SIM remotely and consequently
unlock it. They can also use the SIM to push new PRLs - preferred roaming
lists. This is generally called OTA or over the air provisioning.

3)Convenience, if I use a pre-paid services with an MVNO or travel to another
country and buy a pre-paid SIM while on holiday, I don't need to do anything
else except insert the new SIM and power on the phone. What would the non-SIM
card alternative look like? Its hard to imagine it being easier.

4)Carrier-locked phones, such as what you get when you are under contract to a
carrier. The way phones are locked is by having the phone only accept SIMs
from the carriers network. An unlocked phone will accept a SIM from any
carriers network.

If anyone is interested this DEFCON presentation - "The Secret Life of SIM
Cards", is pretty interesting:

[https://www.defcon.org/images/defcon-21/dc-21-presentations/...](https://www.defcon.org/images/defcon-21/dc-21-presentations/Koscher-
Butler/DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf)

------
tscs37
>Should there not be a software solution that lets you select which network/s
the phone should connect to?

If I recall correctly german ISPs are trying to find a solution there by
embedding the SIM into the device and then branding it on changing provider.

The problems SIM cards are (trying) solve is largely to "secure" the phone
network. This mostly boils down who to send the large bill when shit goes fan.
(The mobile network is pretty much non-secure, which is why SMS-2FA is not a
good solution at all)

(They're also technically a backdoor for your ISP to do whatever they want)

Anyway, the reason SIM cards haven't died yet is probably because there is not
much reason to replace them. They're tiny (so Apple doesn't kill it for half a
millimeter of thickness) and pretty useful for the ISP to setup certificates
and connection details.

~~~
zerognowl
"Embedded SIM Design Means No More Swapping Cards"
[https://mobile.slashdot.org/story/13/12/19/1938254/embedded-...](https://mobile.slashdot.org/story/13/12/19/1938254/embedded-
sim-design-means-no-more-swapping-cards)

I am struggling to see the point of embedded SIMs as it defeats the purpose of
a SIM card in the first place; that of being portable and transient, of being
able to hot swap your phone number to different devices.

------
frik
At least one can change the SIM and can un-locked phones that dan be used all
around the world and I can easily swap the SIM card. Why change it, it works
great as intended and all software service solutions would mean a middle man
is in the game - that would suck, right? (except you eant to be the middle
man)

------
jaboutboul
There is actually an eSIM (embedded sim) specification
([http://youtu.be/mLouo2mYjAU](http://youtu.be/mLouo2mYjAU)) that was released
quite a while ago by the GSMA and its mostly up to the device manufacturers
and carriers to implement it now.

It lets you virtually subscribe to a network, so for example if you're
traveling, you don't need a local card just pop up some software and choose a
new network.

Apple already has some devices that implement it, AFAIK, the iPad Pros use
this. Apple calls it Apple SIM ([https://techcrunch.com/2016/03/23/explainer-
alert-heres-what...](https://techcrunch.com/2016/03/23/explainer-alert-heres-
what-the-ipad-pros-embedded-apple-sim-means-for-you/))

------
Razengan
> Should there not be a software solution that lets you select which network/s
> the phone should connect to?

Apple have begun a limited initiative towards just that:
[http://www.apple.com/ipad/apple-sim/](http://www.apple.com/ipad/apple-sim/)

Telephone and internet connectivity should really be like electric supply and
other utilities. We should be able to connect wherever we are and pay as-we-go
through our device.

As an interesting aside, here's look at just how complex SIMs are:
[https://news.ycombinator.com/item?id=12674846](https://news.ycombinator.com/item?id=12674846)

They are practically equal to the computers we were using 30 years ago!

------
roaming_taco
The concept of SIM cards will slowly fade over time as M2M/IOT devices start
to emerge as consumer oriented products, devices will become more oriented
around "SoftSIMs" and other embedded or virtual SIM products. The ability for
IOT products to move across multiple networks will become a big aspect of the
IOT, you need full redundancy and reliability when your product can never be
offline.

Why would I want a SIM card with one IMSI on it when I can have a SIM card
with up to 20 IMSIs from various networks all around the world, or even better
the ability to constantly swap and trade IMSIs from various networks, new
connectivity set everyday. A global community calls for global connectivity.

------
trprog
>Feels like this is probably the result of telco networks wanting as much
friction as possible to change providers

I don't understand how you came to this conclusion.

I move between networks very regularly due to frequent travel to different
countries. Pulling out your old sim card and putting in a new sim takes maybe
2 minutes. You are then immediately off your old network and on the new
network. Once you have the sim in your possession you don't need to talk to
anyone, fill in any details, log into anything or even remember anything.

Short of some process that is 100% automatic I can't imagine a more low
friction process.

~~~
RandyRanderson
I and I suspect a lot of other ppl do change sims becuse of high roaming fees.
In that case there is some paperwork involved, some cash and more than 2
minutes.

I think he's contrasting this with soft-SIMs, where there's no physical sim to
switch (maybe an app, provided by the manufacturer) and theoretically no cash
required.

------
mschuster91
Yes, security and flexibility.

1) Security: telco laws these days often require registration of accounts to
your personal ID (i.e. no anonymous usage any more). How would a pure soft-SIM
be able to fetch the data from the network?

2) Flexibility: SIM is pretty much standardized. This means a newcomer MVNO
just has to issue SIM cards and the customer can use any kind of phone (or
other interface, like a modem, a 2G/3G shield, ...) to use the network. And if
a device breaks, then the SIM card usually stays intact and can be placed in a
new device. Not sure how to securely do this with a soft-SIM.

~~~
potatosoup
Wouldn't e.g. a username and password accomplish the same thing as what you're
describing?

~~~
vidarh
Now any hacker that finds a flaw in a mobile OS will be able to impersonate
you with another phone. For what gain?

------
JoshTriplett
SIM cards make it easy to change _phones_ , by moving the SIM card to a new
phone. CDMA phones make this hard, and sometimes impossible. They also make it
a little easier to change carriers, since you can just switch the SIM card.
It'd be even easier to switch if phones had that functionality built-in, so
you could sign up for a new carrier and switch entirely via the phone, but in
that case I think you'd find that carriers frequently broke that
functionality.

------
rxbudian
It's probably to prevent multiple phones using the same number. Some network
infrastructures are quite old and supports only the basic protocols. Even
inside a single Telco company, the hardware is most likely very diverse. That
means any new technologies must be backwards compatible to allow the new
phones to use the old infrastructure. Checking whether a phone number has
already been 'logged in' in another Telecommunication company's network takes
a lot of coordination, and it has to be able to do that globally, in a very
short time (a few seconds at the most). Then they have to deal with what
should be done if the legitimate phone owner is the one that could not log in
(Ie, someone actually used your number somewhere else) etc...etc... it's
opening a big can of worms to get this going.

------
alien3d
Easy to switch telco . Easy to change phone if one out of juice,i do find
power bank kinda hassle sometimes to carry around and charge the out of juice
phone

------
droopybuns
OEM software quality is so diverse that they can't be trusted to execute
something as sensitive as identity.

It also is a classic telco hedge.

Step 1) We need towers to make this thing work. Let's build towers.

Step 2) These towers are super expensive and make the expense amortization
complicated. Let's sell the towers and then lease from the buyer.

Step 3) oh crap. There is no encryption and people are cloning handsets. Let's
use SIM cards to separate sensitive operations from the rest of the device.

Step 4) manufacturing sims is complicated. Let's buy sims from other suppliers
and make them sign off on unlimited liability clauses if their identity
solution is compromised.

It is all about two things: Preventing a single player from having too much
power on the ecosystem and transferring financial risk. There is no evil plan.
It's all rather mundane.

------
maxerickson
Locking devices to networks (as US telcos do) makes it harder to switch
providers than swapping a $5 SIM.

Same with switching devices and keeping a provider. Using a SIM, takes about a
minute. Not using a SIM? Call them or whatever, maybe pay a fee.

------
akytt
Because of a power struggle between os vendors, hardware makers and telcos.
The SIM provides a neutral way for them to coexist. Also, this decouples a lot
if certification. A SIM and a phone are easier to work with than a phonesim

------
sdevoid
Can someone explain the appeal of so-called "slim SIMs"? As I understand it,
this allows you to load two accounts on a single device? And carriers don't
like this aspect---or is it a security concern on their part?

It amuses me that these slim-SIMs, and SIM cards in general, are one of the
few pieces of technology that are utterly opaque to the user and yet are so
widespread.

Edit: For example, I recently upgraded to an iPhone 7, at the Apple store.
This required a new SIM card, but the salesperson was very careful to return
the old SIM card to me. Why? What am I supposed to do with this old SIM card?

------
KON_Air
I think it is more of a traditional security approach of "pairing hardware
with hardware" and a case of "not fixing what is not broken" instead of making
consumers suffer. It just works.

~~~
glennos
Fair assessment. I'd just like to be able to have a few SIMs loaded in
software for travelling, given the typically extortionate roaming fees.

------
xaduha
Have you done any research at all into the topic?

Here I am, asking myself why smartcards aren't so hot in modern 'hacker'
community...

------
Dwolb
There are some solutions out that are in software that are "eSIM" which allow
devices to switch carriers through an OTA update.

Also see a company called SIMless.

There's a lot of market momentum around SIM cards and it keeps a telco's
offering really sticky. It is more effort for people to swap hardware instead
of software.

~~~
vidarh
> There's a lot of market momentum around SIM cards and it keeps a telco's
> offering really sticky. It is more effort for people to swap hardware
> instead of software.

I'd love to see evidence of this. Switching SIMs is something non-technical
users do regularly.

~~~
Dwolb
I'm afraid I don't have hard evidence. The logic is for normal cell phone use
it's more friction to swap a SIM than to have the phone automatically switch
network profiles (non-roaming) or for the user to switch network profiles via
software setting.

For IoT cellular the logic is it's more effort to recall a device and swap a
SIM card than to reprovision the SIM profile via a software dashboard.

I'm sure we could put our minds together to come up with a robust user study.
Thoughts?

~~~
vidarh
It takes ~30 seconds to switch SIMs on my phone. Most phones I've had in the
last 10 years have had dual SIM slots as well.

It's not swapping the SIMs that provides friction when changing providers.

> For IoT cellular the logic is it's more effort to recall a device and swap a
> SIM card than to reprovision the SIM profile via a software dashboard.

If you can reprovision it remotely, you're one flaw away from a hacker being
able to reprovision it. Meanwhile, the SIM design means there's little reason
you'd need to recall it rather than simply send out new SIMs and have users
swap them in.

------
foobarqux
Soft-SIM makes it trivial to sign-up for new mobile plans. This doesn't matter
much domestically (maybe it does for multisim or cart abandonment) but it does
internationally because of high roaming fees, which are a revenue stream
carriers don't want to give up.

------
grymoire1
The SIM smartcard is a cryptographic device that prevents people from
stealing/copying/hijacking/cloning other phones/accounts/billing/credit/etc.

Each SIM has a unique ID that is used to track/bill/identify your phone.

~~~
kalleboo
> Each SIM has a unique ID

To be more precise, the SIM is actually a crypto CPU that stores a private
key, and can perform crypto using that private key on behalf of the phone,
without betraying the key itself.

This is also how Chip-and-PIN debit/credit cards are designed to work (so that
a rogue terminal/skimmer can't just clone the card number), although there are
various real-world implementation flaws with most of those.

------
threeseed
If you have an iPad there is already a software solution:
[http://www.apple.com/ipad/apple-sim/](http://www.apple.com/ipad/apple-sim/)

It contains what is known as a remote provisioning SIM:
[https://www.gsmaintelligence.com/research/?file=81d866ecda8b...](https://www.gsmaintelligence.com/research/?file=81d866ecda8b80aa4642e06b877ec265&download)

So clearly the only thing stopping the industry is the telcos who would very
much like to make it as difficult as humanely possible for you to switch
carriers. Especially in the US where there is a lot of competition and hence
high churn.

~~~
kalleboo
SIM cards actually make it far easier to switch carriers. Compare the
competition in the European market where SIM portability has been there from
day 1 to the situation with CDMA carriers in the US and their refusal to
reprogram ESNs.

A software solution would quickly devolve into the US CDMA system where you
have to get a whole new phone to change providers.

------
ndesaulniers
Esim is on the way. On mobile currently, but you should look it up.

------
nik736
Xiaomi offers a Virtual SIM for years now. [0]

[0]:
[http://en.miui.com/thread-146080-1-1.html](http://en.miui.com/thread-146080-1-1.html)

~~~
roaming_taco
That platform was created by a Canadian company called KnowRoaming, it's
marketed as a "SoftSIM" but it is indeed a fully virtualized multi SIM/IMSI
solution for global roaming.

[https://www.knowroaming.com/softsim/](https://www.knowroaming.com/softsim/)

KnowRoaming is a Canadian MVNO which now owns a full American MNO located out
of Nevada and licensed out of Missouri for spectrum.

------
RandyRanderson
After Apple "broke the back" of the telco monopoly with their 2007 5-year deal
with AT&T[0] it's been a slow progression in North America to the European-
style subscriber-owned phones that are compatible across most networks.

I, and many others were surprised at that deal because, up to that point, ppl
had essentially carrier-owned phones and long contracts that locked subs
(subscribers) to their network. This deal would allow ppl to install any
software from the app store without telco approval.

Telcos see the SIM card as their last beachhead. They are looking for at least
2 revue streams from this NFC SE (Secure Element)[1] real estate:

1 Identity verification - Telcos rent "space" on the SE on which you store
health cards, passports, driver's licenses, etc. 2 Cards - Telcos rent "space"
on which you store credit, gift, debit cards.

Carriers and Issuers (the bank that issues your credit card) are now fighting
over that potential revenue stream (spoiler: it's tiny) while Apple has gone
and deployed it with Apple Watch et al and is making a cut of the transaction
fee. In contrast, the transaction fee is a huge stream however one can imagine
the fun of negotiating a contract between all the parties involved (likely all
multibillion dollar companies with teams of lawyers).

Apple had tried to push a software SIM (containing a SE) but the carriers,
from their POV, rightly and vigorously fought and will continue to fight
against that[2]. Google is also trying with Android Wallet/Pay/...

I suspect Apple will eventually use the same "wedge" approach with one of the
US carriers and the others will fall in line.

[0] [https://www.engadget.com/2010/05/10/confirmed-apple-and-
atan...](https://www.engadget.com/2010/05/10/confirmed-apple-and-atandt-
signed-five-year-iphone-exclusivity-de/) [1]
[https://en.wikipedia.org/wiki/Near_field_communication#Appli...](https://en.wikipedia.org/wiki/Near_field_communication#Applications)
[2] [http://www.thememo.com/2015/07/30/five-years-on-apples-
battl...](http://www.thememo.com/2015/07/30/five-years-on-apples-battle-to-
kill-the-sim-card-is-nearly-over/)

------
noja
<paranoid mode> What possible harm could a non-optional mini computer do to
your phone?

------
markgamache1
Why is asking a forum and not just googling still a thing???

~~~
idle_zealot
Because when you ask a forum you're likely to spark a conversation and gain
insight you may not have otherwise. Also, when others are curious in the
future, when they search Google the discussion will be in the results,
allowing readers in the future to get a decent understanding of the answer and
some related concepts.

------
gok
Regulations.

