
SIM swapping: Still stupidly simple (so shun SMS)

Richi Jennings Your humble blogwatcher, dba RJA

Cellular provider employees continue to let criminals steal your phone number, say researchers. That’s despite years of publicity about SIM swapping and port-out attacks.

It only goes to prove that when authenticating yourself, you should never, ever rely on SMS, robocalls, or Caller ID. And if your app relies on a phone number to prove your user’s identity—either for 2FA/MFA or credential recovery—stop doing that right now!

It’s not secure, and it never has been. In this week’s Security Blogwatch, we ponder old threat models.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: dodecahedrons.

Sad situation. Seriously, stop.

What’s the craic, Catalin Cimpanu? He reports—five US telcos vulnerable to SIM swapping attacks:

A Princeton University academic study … found that five major US prepaid wireless carriers are vulnerable to SIM swapping attacks. … This allows the attacker to reset passwords and gain access to sensitive online accounts, like email inboxes, e-banking portals, or cryptocurrency trading systems.

According to the research team, AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless were found to be using vulnerable procedures. … Of the five, [only] T-Mobile told the research team they discontinued the use of [vulnerable] customer authentication.

And Ben Lovejoy adds—Alarming test shows US carriers fail to protect you:

They were able to persuade the carriers to assign phone numbers to new SIMs without successfully answering any of the standard security questions. [They] would permit the reassignment even if the attacker had repeatedly given incorrect answers to security questions.

[It] was ridiculously simple: The caller claimed to have forgotten the answer to the primary security question, and then went on to claim that the reason they couldn’t answer questions about things like their date and place of birth is that they must have made a mistake when they set up the account. Unbelievably, customer service representatives then allowed them to authenticate simply by naming the two most recent phone numbers called.

It would be pretty simple to persuade someone to call an unknown number, simply by leaving voicemails or sending text messages. Three carriers even sometimes accepted incoming calls as authentication, meaning an attacker need do nothing more than call the victim.

Need some background? Jump aboard the Brian Krebs cycle—SIM swap (crim)innovations:

Legitimate SIM swaps are a common request. … They usually happen when a customer has lost their mobile phone or when they need to upgrade to a newer model that requires a different-sized SIM card (the small, removable smart chip that ties the customer’s device to their phone number).

[But] the security options available to wireless customers … are largely ineffective against crooked or clueless mobile phone store employees. … Unauthorized SIM swaps enable even low-skilled thieves to quickly turn a victim’s life upside down.

A number of young men have recently been criminally charged with using SIM swapping to steal accounts and cryptocurrencies like Bitcoin from victims. This week, a court in New York unsealed a grand jury indictment against [a] 22-year-old alleged serial SIM swapper … who stands accused of using the technique to siphon $24 million.

Still don’t believe it’s easy? Heed the scary story of throwawayatt:

I purchased an unlocked iPhone recently from Apple and decided to swap my AT&T SIM to the built-in eSIM so that I could free the physical slot while traveling. I walked into an official AT&T store, told the guy what I wanted and within 10 min or so I was on my way out.

At no point did he ask me to verify any info on the account: He didn't ask for an ID, my name, send a verification text, or even ask for the old SIM. All I gave him was the phone number I wanted ported to the eSIM, and the corresponding IMEI from my phone.

So how can carriers fix this? A random security guy sounds slightly cynical:

Carriers will not change unless forced to. When it comes to security, my experience is that companies will change only when:

1. They lose money.

2. They violate the law and someone goes to jail. Note that Paying a small fine is just considered the Cost of Doing Business.

3. The CEO loses his job.

But think of the unintended consequences. Alan Welsh shrugs:

Think through all of the scenarios where you might need to change SIMs, and what difficulty you’d like to allow for YOUR account. … If you lose your phone from damage or theft while out of the country … what should the procedure be?

This is not as easy as it sounds. Replacing a SIM in an emergency is a one-off event, seldom encountered. When it occurs, it will likely be critical and urgent. … When it occurs, could you deliver enough proof?

This is why security is so difficult. Most elements appear to be able to deliver great value. … But implemented into a system improperly, you get a horrible result and at great cost.

So deepspace thinks out of the box:

[Yes] regulating SIM swapping might have unintended side effects. A better approach may be to pressure internet companies, and especially email providers, to drop SMS as a method of authentication.

And DigitAl56K agrees:

Companies and services should stop using phone numbers for account recovery. Google whines at you if you don't have a recovery phone number.

I've had friends whose Google accounts and social media were all taken over thanks to SIM hijacking. We shouldn't base security on a model where the more of a target you are, the weaker the security—i.e., at some point you get interesting enough for someone to dial up a carrier and then everything falls over.

Meanwhile, Olivier Gervais-Harreman—@thewirelessOG—completely agrees:

I completely agree: … SIM swapping is a massive threat, and wireless carriers should be held liable. Our phone numbers are closely linked to our identity. Disable SMS for 2FA when other options are available—e.g., Google Authenticator, Yubikey.

The moral of the story?

Stop using SMS, robocalls, or Caller ID for authentication or identification: It’s not secure—and it never has been.

And finally

And you thought we knew everything there is to know about dodecahedrons?


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Michael Roach (cc:by-sa)
