Hold the phone
Some of the biggest US mobile carriers are still failing to protect their customers from so-called ‘SIM-swap attacks’, as new research exploring the phenomenon outlines just how easy it is for criminals to take control of a victim’s phone number.
A SIM-swap attack – or ‘SIM-jacking’ – is a type of account takeover fraud where attackers impersonate victims to hijack their phone number.
With mobile numbers often used as a form of two-factor authentication (2FA), or to retrieve lost web account passwords, SIM-swap attacks pave the way for criminals to access the victim’s email and bank account, cryptocurrency wallet, social media, and more.
Growing reports of SIM-swap attacks occurring in the wild include a tech engineer who lost more than $100,000 after criminals had his phone number moved to a SIM they controlled and drained his Coinbase account.
Despite the obvious dangers of SIM-swap attacks, a new study suggests that mobile carriers are not doing enough to protect customers from this emerging threat.
Meet the SIMs
In the study (PDF), published on January 10, researchers outline how they successfully bypassed carriers’ authentication challenges and transferred their putative victim’s mobile service to a different SIM.
Their strategy worked every single time they called up AT&T, T-Mobile, and Verizon – 10 times apiece.
In addition, by reverse-engineering the phone-based authentication policies of 145 websites, the academics from Princeton University also found that attackers could readily use these stolen mobile identities to breach sensitive online accounts.
Seventeen sites, for instance, relied on SMS for both multi-factor authentication (MFA) and password recovery, leaving accounts open to full takeover by anyone who controls the phone number.
During the study, researchers said their SIM-swapping endeavors were successful in 39 of 50 calls to five prepaid carriers between May and July 2019 – without spoofing caller IDs, deploying any special social engineering tactics, or escalating requests to management.
Posing as attackers who knew only the victim’s name and mobile phone number, and who could bait the victim into calling a number of their choosing, the researchers claimed their current SIMs were faulty and asked for the service to be moved to a new one.
Challenges that asked the caller to recount recently dialed numbers could be circumvented by sending the victim an SMS phishing message with a call-back number, or by placing a fleeting call and hanging up to invite a curiosity-driven call-back.
The academics also documented four instances where staff accepted recently received calls as proof of identity, a check an attacker can satisfy simply by calling the victim and letting it ring long enough for them to pick up.
The second most frequently bypassed authentication method was querying the account’s most recent payment, which the researchers noted can be defeated by topping up the victim’s account with a nominal amount, since the attacker then knows the amount and date. Of the five carriers studied, only US Mobile authenticated callers this way.
Employees from AT&T, Tracfone, and US Mobile also leaked sensitive personal information before authenticating the caller, the researchers said, with one AT&T representative permitting multiple guesses and dropping hints to help the caller.
In a dataset drawn from TwoFactorAuth.org, researchers found that 83 of 145 websites recommended or mandated insecure authentication configurations – 14 of which offered SMS as their sole MFA option.
The methods the study classified as ‘insecure’ included SIM and device serial numbers, partly because malicious apps can read them, which enables attackers to breach accounts without performing a SIM swap at all.
Other methods deemed insecure included easily guessable security questions like ‘What is your mother’s maiden name?’ as well as payment card information and personal information like date or place of birth, which are readily found on data aggregators, among other sources.
The researchers also identified 10 websites whose advice to enroll in secure authentication schemes was effectively negated by recommendations to use insecure methods as fallback alternatives.
The efforts of security-conscious customers, meanwhile, were undermined by seven websites that automatically enrolled users, without notification, in the relatively insecure SMS-based 2FA via phone numbers provided for other authentication purposes.
Seven websites, including eBay and WhatsApp, offered one-step SMS one-time password logins, which the researchers noted are not exposed to SMS routing attacks when the message travels over the carrier’s own network, but which make control of the phone number sufficient on its own to log in.
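The common thread in the website findings above is that an account is only as strong as the weakest login or recovery path it accepts: a recommended authenticator app is worthless if SMS remains a fallback, and a one-step SMS login makes the number the only factor. The following added example (not code from the Princeton study or from any site it audited) models that reasoning as a small weakest-path check. The site names, policies and attacker profiles are constructed for illustration; the factor names (`PHONE`, `TOTP`, `PUBLIC_INFO`, and so on) are assumptions of this example, not identifiers from the paper.

```python
"""Weakest-path analysis of a website's phone-based authentication policy.

A policy is a set of login paths and recovery paths; each path is the set of
factors it requires. An attacker holds a set of capabilities, and takeover is
possible if any recovery path (which yields the password) followed by any
login path is satisfiable. Constructed for illustration; not the study's code.
"""
from __future__ import annotations
from dataclasses import dataclass

# Factors a site may ask for, doubling as attacker capabilities (assumed names).
PASSWORD = "password"
PHONE = "phone_number"           # controlled by the attacker after a SIM swap
TOTP = "authenticator_app"
EMAIL = "email_inbox"
PUBLIC_INFO = "public_info"      # date/place of birth, mother's maiden name
DEVICE_SERIAL = "device_serial"  # SIM/IMEI, readable by a malicious app

# Attacker profiles. A SIM-swapper starts with nothing but the victim's number.
SIM_SWAPPER = frozenset({PHONE})
SIM_SWAPPER_WITH_OSINT = frozenset({PHONE, PUBLIC_INFO})


@dataclass(frozen=True)
class Policy:
    name: str
    login: tuple[frozenset[str], ...]     # any one path logs the user in
    recovery: tuple[frozenset[str], ...]  # any one path resets the password


def takeover_path(policy: Policy, caps: frozenset[str]) -> list[tuple[str, frozenset[str]]]:
    """Return the steps that take over the account, or [] if none exist.

    A satisfiable recovery path grants PASSWORD; login is then re-checked with
    the enlarged capability set. Only the weakest accepted path matters.
    """
    have = set(caps)
    steps: list[tuple[str, frozenset[str]]] = []
    for path in policy.recovery:
        if path <= have:
            steps.append(("recovery", path))
            have.add(PASSWORD)
            break
    for path in policy.login:
        if path <= have:
            steps.append(("login", path))
            return steps
    return []


def classify(policy: Policy) -> str:
    """Rate a policy against the two attacker profiles, weakest first."""
    if takeover_path(policy, SIM_SWAPPER):
        return "full compromise via SIM swap alone"
    if takeover_path(policy, SIM_SWAPPER_WITH_OSINT):
        return "compromise via SIM swap plus aggregator data"
    return "not reachable from the phone number"


# Constructed policies mirroring the configurations described in the study.
SITES = [
    Policy("sms-only MFA + SMS recovery",
           login=(frozenset({PASSWORD, PHONE}),),
           recovery=(frozenset({PHONE}),)),
    Policy("TOTP recommended, SMS fallback kept",
           login=(frozenset({PASSWORD, TOTP}), frozenset({PASSWORD, PHONE})),
           recovery=(frozenset({PHONE}),)),
    Policy("one-step SMS OTP login",
           login=(frozenset({PHONE}),),
           recovery=()),
    Policy("security-question recovery",
           login=(frozenset({PASSWORD, PHONE}),),
           recovery=(frozenset({PUBLIC_INFO}),)),
    Policy("TOTP only, e-mail recovery",
           login=(frozenset({PASSWORD, TOTP}),),
           recovery=(frozenset({EMAIL}),)),
]

if __name__ == "__main__":
    for site in SITES:
        print(f"{site.name:38s} -> {classify(site)}")
```

Running it shows the second policy rated identically to the first: recommending an authenticator app changes nothing while the SMS path is still accepted for login and recovery, which is the point the study makes about fallback methods. The fourth policy is safe against the bare SIM-swapper but falls once the attacker adds publicly aggregated personal data.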
The researchers suggested that websites implement at least one secure MFA option, and phase out the use of SMS-based MFA in favor of authenticator apps and email passcodes.
Carriers, meanwhile, were urged to prioritize security over convenience, given the gravity of SIM-jacking and the comparative rarity of legitimate SIM swaps.
“Legitimate SIM swap requests are infrequent, occurring only when a user’s SIM is damaged or lost, when a user acquires a new phone that is incompatible with their SIM, or in other rare cases,” the report reads.
“These requests may become even more infrequent going forward, as users are now waiting longer before switching their devices. Thus, carriers should begin to phase out insecure authentication methods and develop measures to educate customers about these changes to reduce transition friction.”