A nefarious scheme has emerged to potentially defeat two-factor authentication (2FA), which has become the gold standard in online security. Fortunately, for those of us responsible for securing consumer transactions, this isn’t a quick snatch-and-grab type of attack—succeeding often involves significant planning, social engineering (and possibly some inside help). At its core, this scheme is based on stealing the use of someone’s mobile phone number.
The hack is called a SIM Swap or SIM-Jacking. The idea is to convince the mobile operator to port or transfer an existing mobile number to another phone (i.e., another subscriber identity module or SIM), which can then send and receive calls and messages that appear to be from the legitimate owner. This also exposes a major flaw in any 2FA security system that depends on SMS reliably delivering one-time verification codes.
Two-factor authentication has been a major tool for more secure authentication, and a major advance over the traditional username and password. While it has taken many forms over the years, 2FA relies on 1.) something you know and 2.) something you have. With the addition of biometrics, that second factor can be expanded to 3.) something you are.
The first widely deployed 2FA enterprise solution was RSA Security's Secure Token or key fob (see image below), which provided a one-time password for user sign-in that was valid for only 60 seconds. Unfortunately, many of us were unable to read and enter the password within the required 60 seconds, indicating that “user convenience” wasn’t high on the objectives list.
The convenience factor changed significantly with the advent of smartphone-based 2FA. Now, communications platform as a service (CPaaS) providers like Twilio offer 2FA capability as an API-driven capability for app developers, so almost any online service can incorporate it easily. Even though it adds a step to the login process, most customers seem to recognize the additional level of protection it provides. Smartphone manufacturers have also updated their software to make the process of passing the verification code from the SMS message to the sign-in process a single click.
The risk is that by using SMS to send a verification code to authenticate the sign-in, the second factor now becomes possession of a phone (any phone) that can receive SMS messages sent to a mobile number previously provided by the customer.
If someone executes a successful SIM Swap, the authentication system will now be sending that verification code to the hacker who controls the number. In essence, a hacker can steal the second factor by duping the phone company into transferring the mobile number to another phone. The legitimate owner will know something is amiss because their phone stopped working, but the crime is typically executed before they can even contact the phone company to report a problem.
Spoofing the 2FA security mechanism is the obvious vulnerability, but a SIM Swap also opens other avenues of opportunity for ne’er-do-wells. Those include access to information about online brokerage accounts, owner contacts, and the ability to send and receive texts that appear to be coming from the legitimate owner of that mobile number. How far a hacker gets depends on the device type and what kind of information (e.g., password hints) they can glean or social engineer out of the legitimate owner.
In effect, any application that relies on a mobile phone number to be in the possession of the legitimate owner (i.e. the person who told you to trust that number) must now be rethought in light of this SIM Swap vulnerability.
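As an added example (not from the original post), one way an application could act on this: a risk check that refuses to send an SMS code when a recent SIM or port change is known for the registered number, and steps up to an authenticator app or manual review instead. The SIM-change timestamp is assumed to come from a carrier or lookup feed, which is a hypothetical data source here; all accounts and numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SIM_CHANGE_WINDOW = timedelta(days=7)  # any SIM/port change this recent is treated as suspect


@dataclass
class Account:
    user_id: str
    phone_number: str
    phone_bound_at: datetime            # when the customer registered this number with us
    sim_changed_at: Optional[datetime]  # last carrier-side SIM/port change we know of (assumed feed)
    has_totp: bool                      # enrolled in an authenticator app, a factor not tied to the number


def choose_second_factor(acct: Account, now: datetime, high_value: bool = False) -> tuple:
    """Pick the second factor for this login. Returns (factor, reason);
    factor is 'sms', 'totp' or 'manual_review'."""
    fallback = "totp" if acct.has_totp else "manual_review"
    changed = acct.sim_changed_at
    # A SIM change after the number was bound, inside the window, is the SIM-swap signal:
    # an SMS code would now be delivered to whoever holds the ported number.
    if changed is not None and changed > acct.phone_bound_at and now - changed < SIM_CHANGE_WINDOW:
        return (fallback, "SIM changed after enrolment, within lookback window")
    # Irreversible or high-value actions should never rest on SMS delivery alone.
    if high_value:
        return (fallback, "high-value action requires a factor not tied to the phone number")
    return ("sms", "no recent SIM change signal")


# Constructed sample accounts (not real numbers or customers).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
ENROLLED = datetime(2023, 1, 1, tzinfo=timezone.utc)
SAMPLES = [
    Account("alice", "+15550100", ENROLLED, None, True),                      # no change known
    Account("bob", "+15550101", ENROLLED,                                     # ported yesterday
            datetime(2024, 1, 14, tzinfo=timezone.utc), True),
    Account("carol", "+15550102", ENROLLED,                                   # ported, no app
            datetime(2024, 1, 14, tzinfo=timezone.utc), False),
    Account("dave", "+15550103", datetime(2024, 1, 10, tzinfo=timezone.utc),  # new phone, then
            datetime(2024, 1, 9, tzinfo=timezone.utc), True),                  # enrolled: benign
]


def run_samples(high_value: bool = False) -> dict:
    """Evaluate every sample account; returns {user_id: factor}."""
    return {a.user_id: choose_second_factor(a, NOW, high_value)[0] for a in SAMPLES}
```

The point of the "dave" case is that a SIM change predating enrolment is the customer's own new phone, so only changes after the number was bound count as a swap signal.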
A Growing String of Bad News
The most widely reported SIM Swap hack occurred in 2018 when a 15-year-old high school student from Irvington, NY named Ellis Pinsky and several co-conspirators purportedly managed to swindle $23.8 million in digital currency out of the account of investor Michael Terpin, founder and CEO of Bitcoin advisory firm Transform Group.
Terpin’s number was hijacked twice, according to published reports. First, in June 2017 his AT&T account password was changed remotely, allowing the hackers to transfer his number. Prior to hacking the account password, Pinsky and company had made eleven attempts to persuade employees at various AT&T retail locations into doing a transfer. The hackers gained access to Terpin’s accounts and used his contacts to arrange a personal transaction over Skype with one of his business associates, resulting in the loss of “substantial funds.”
Following this attack, AT&T provided Terpin with a higher level of security, requiring him to enter a six-digit code to make any changes to his account. So, it must have come as a surprise when in January 2018, employees at an AT&T store in Norwich, CT transferred his number again without requiring the code. This time the crooks stole $24 million worth of cryptocurrency.
Terpin has now filed a $240 million lawsuit against AT&T, including $200 million in compensatory damages.
The limited regulatory protections and one-way nature of blockchain transactions (i.e., when it’s done, it’s done, and it’s non-reversible) made it a perfect vehicle for cybercrime.
AT&T isn’t alone in this mess; T-Mobile was hit by a breach of its internal computer systems, which allowed hackers access to customers' account information, including personal info and personal identification numbers (PINs) – leading to an undisclosed number of SIM Swaps.
More recently, a group of 10 hackers in the U.K., Belgium, and Malta were arrested in a SIM swapping scam targeting celebrities that allegedly netted $100 million. Criminals collaborated to gain access to victims' phone numbers and control of apps or accounts by changing passwords. For a fuller listing of SIM Swap shenanigans, you can check out this site.
So far, we've seen at least three different vulnerabilities exploited as part of SIM Swap scams:
- Smooth Talking: Using social engineering to convince a contact center representative or retail store employee that you’re the true owner of the phone number to influence the swap.
- Rogue Employee: Putting the store employee on the payroll can make it much easier to get them to agree to illicit swaps. Employee complicity was claimed in at least one legal case.
- Internal System Hacking: A disgruntled or dishonest employee may decide, for whatever reason, to commit unauthorized acts, similar to the T-Mobile hack referenced above.
Where Do We Go Now?
At times, the security business is like the myth of Sisyphus—the guy that had to spend eternity pushing a rock up a hill only to have it roll down again. Just when you think you’ve got a hard and fast security solution, someone comes along and kicks your rock back down the hill.
The SIM-Jacking security breach is a wake-up call in that it exploited a vulnerability most of us weren’t even thinking about, and clearly carriers must review their procedures around porting mobile numbers in light of it.
Those of us responsible for an organization’s security must also rethink any secure transactions we support that rely on a mobile number for 2FA. We must now consider the new threat scenarios that emerge in the event that our customer doesn’t control that mobile number.
Now that the existence of this avenue has become known, many organizations must also reconsider their security procedures in light of the growing importance of smartphones as the critical link in so many secure transactions. The smartphone now serves as far more than a vehicle for making phone calls, which points to the need for security systems that recognize this new reality.
This post is written on behalf of BCStrategies, an industry resource for enterprises, vendors, system integrators, and anyone interested in the growing business communications arena. A supplier of objective information on business communications, BCStrategies is supported by an alliance of leading communication industry advisors, analysts, and consultants who have worked in the various segments of the dynamic business communications market.