Two-factor authentication (TFA) is now a standard part of our online life. We log onto a service, or initiate an online transaction, and just to make sure that we are who we claim to be, our phone beeps, inviting us to reply with a given number typed into a browser, or a text. If our phone is protected by a biometric lock (fingerprint or facial identification), we are fulfilling three security criteria: what we know (the original password), what we have (our phone or tablet), and who we are (the biometric factor). All well and good, it appears, but what happens if the phone that gets the message is not your phone?
Suppose that this new texted code number has ended up in the hands of someone who’s just received a list of your passwords and logins to your Amazon account?
‘Impossible,’ you say. ‘Those texts and messages are going to my phone number, and no-one else can use it.’
Sadly, this is not the case. SIM hijacking is on the rise, and it allows the bad guys’ phones to look like yours. It is relatively common for a number to be transferred to a new SIM (Subscriber Identity Module if you’re interested), when you change carrier, for example.
The process is meant to be secure. In the UK, you need a PAC (Porting Authorisation Code) from your old carrier, which is then used by the new carrier to match the unique (private) internal SIM number to the (public) phone number. A STAC (Service Termination Authorisation Code) cancels the old contract. Both are obtained from the old SIM – in theory, at any rate: you send the text “PAC” to a magic number, receive the PAC, and then give it to your new provider.
However, social engineering can also be used to transfer numbers. Once personal data held online has been compromised, the crooks can abuse it to impersonate you. You think no-one but you knows the name of your first pet, or your kindergarten teacher? Wrong. The answers to these security questions are now in a database being circulated around the black hats of the world, and they can use them for social engineering – persuading the carriers to provide them with a PAC and a STAC, telling them perhaps that the phone has been stolen or lost, which conveniently explains why they cannot use that phone and SIM to obtain a PAC through the automated process.
Once the phone number has been transferred, all kinds of mayhem are possible. All the two-factor authentication methods where a number is texted to your phone become useless. Your bank asks you to confirm an online purchase by texting a confirmatory “YES” to the text sent to “your” phone, or you type in the digits sent to “your” phone. Of course, that number is no longer your phone number, and someone else is receiving these “Open Sesames”.
Indeed, cryptocurrency investments of several hundred thousand pounds have been stolen by this means – and of course, these crypto financial transactions are designed to be untraceable and anonymous.
By contrast to the simple texting of a one-time code, an authenticator app is tied to a particular account – a secret key is generated when the two-factor authentication for the account is set up and is held both by the service and by the app, and this is then used to produce a one-time passcode, often changing every 30 seconds or every minute. Because the phone number plays no part in this, it is a much more secure verification method than a text message sent to a phone number.
It is also possible to hack SIM cards, since these are more than just a link between the phone number and the phone itself. SIM cards can be accessed and reprogrammed over the air, which is how carriers add services to the basic menu offered when a SIM is activated.
Some models of SIM include a kind of browser driven by SMS commands. Unfortunately, vulnerabilities exist in some of these SIM browsers that allow a threat actor to take over the SIM by sending specially crafted text messages, giving access to data stored on the phone or even the ability to impersonate the victim.
Again, using social engineering in conjunction with these vulnerabilities, an attacker could take over the victim’s phone and use it for their own purposes. However, such an attack is less likely than the “identity theft” described above.
What can you do?
Some rules to follow are given below. Although they come from the US Federal Trade Commission, they apply to any country.
Avoid being SIM swapped
Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use multi-factor authentication, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.
If you’re the target of a SIM swap scam
Contact your cellular service provider immediately to take back control of your phone number. After you regain access to your phone number, change your account passwords.
Check your credit card, bank, and other financial accounts for unauthorised charges or changes. If you see any, report them to the company or institution.
And always remember that First Response can provide expert advice on this, and other digital attacks. Contact us for more details.