With 2FA and MFA now widely adopted, cybercriminals have found a simple way around the most common form of it, SMS-based verification codes. By exploiting the weak security questions that mobile providers ask when a customer wants to move to another operator while keeping their phone number, attackers can take over a victim's number, a technique known as SIM swapping.
One study conducted by researchers at Princeton found that North American prepaid telecom companies would, in most cases, port a number for a customer, or for anyone pretending to be that customer, after just one correct security answer.
This makes it fairly easy for someone to impersonate a target, take control of their phone number and, consequently, receive any 2FA codes or PINs that are delivered by SMS.
Commenting on the news are the following security professionals:
Dewald Nolte, Chief Commercial Officer, Entersekt:
There are two approaches you can use to combat SIM swap attacks; namely, detection and prevention. Due to the way that the industry uses SMS-based verification codes, detection is not always a foolproof way of eliminating this type of attack. It can certainly make life more difficult for the perpetrator, but there are advanced techniques available to get around most of the detection techniques. This is why a prevention approach is ideal. An omni-channel authentication solution cryptographically binds to a user's device, removing the reliance on the SIM card for authentication and thereby completely eliminating SIM swap attacks.
David Richardson, Sr. Director, Product Management at mobile security specialists Lookout:
First, users should make sure their mobile accounts have good security, such as PIN codes or additional security questions. If possible, avoid using SMS messages for two-factor authentication; there are a number of authentication apps that provide a similar service. Even though SMS messages are vulnerable, it is better to use them for 2FA than to use nothing at all. Best of all is to use non-SMS-based MFA tools, though.
Kieran Roberts, Head of Penetration Testing at Bulletproof:
SIM swapping is, in essence, just another social engineering attack.
In this instance, an attacker impersonates a user in order to transfer the phone number of the target, in the same way that users are able to transfer their old mobile number to a new phone when moving between contracts/providers etc.
Now that 2FA and MFA are becoming more ubiquitous, attackers have another layer of security to get around, and SIM swapping is a simple and effective way in which they can attempt to do that, provided that they are able to gain sufficient personal data to successfully impersonate the target.
Mobile carriers are best positioned to defend users from this type of attack. A relatively simple solution would be to enforce an MFA SMS check BEFORE moving the number, which would ensure that the user moving the number has physical access to the SIM before the transfer takes place.
In general, the best consumer advice is to protect their personal information: do not reply to calls, SMS or emails requesting personal information, as these could be phishing attempts.
Some carriers may allow users to set a password/PIN that must be provided before a number is able to be transferred. This obviously has the disadvantage that if the password/PIN is forgotten, the user will not be able to transfer their number when moving contracts or to a different provider.
It should be noted that using SMS MFA is still much better than not using any MFA at all, but there are other ways of ensuring 2FA, such as Google Authenticator or Microsoft Authenticator, to name a couple. Since these apps do not use the user's phone number, a SIM swapping attack vector would not work against these MFA mechanisms.
Michael Barragry, Operations Lead and Security Consultant at edgescan:
The simplest way to protect yourself from a SIM swap attack is to avoid using SMS for multi-factor authentication whenever possible. Most modern applications and services that support 2FA offer Time-Based One-Time Password (TOTP) implementations such as Google Authenticator.
If SMS is the only option, then many mobile carriers support the option of adding a PIN or password onto the SIM itself. This means that an attacker will need this additional information to successfully compromise the SIM account. However, if a user is unfortunate enough to be targeted by an insider within their mobile carrier, this extra PIN/password will be easily bypassed.
Organisations need to be aware of the extent to which they are currently exposed to SIM swap attacks. They should encourage or mandate that their users avoid SMS-based 2FA for especially critical or sensitive applications.
TOTP is the primary 2FA alternative. From a functional perspective, it also offers the advantage of allowing users to access 2FA codes even if they have no mobile carrier coverage. There are many physical solutions available today, such as RSA SecurID and YubiKey, although these bring in the extra logistical step of managing physical devices, catering for lost devices, etc.
Each 2FA method carries its own challenges and risks that organisations need to be aware of. For example, if you are using an application with 2FA delivered through TOTP, you are implicitly trusting that the application is storing the seed securely on their end. For highly critical service.
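Several of the comments above (the Google/Microsoft Authenticator point in Kieran Roberts' remarks and the TOTP recommendation in Michael Barragry's) rest on the same fact: a TOTP code is a function of a shared seed and the current time only, so the phone number, the SIM and the carrier play no part in it. The following worked implementation of RFC 4226 (HOTP) and RFC 6238 (TOTP) is an added example written for this page; it is not code from any of the quoted commentators or their companies. It uses the 20-byte ASCII secret published in RFC 6238's test vectors, plus a constructed base32 seed of the kind an authenticator app scans from a QR code; the `enrol_seed` and `verify_totp` names are this example's own. It also makes Barragry's last point concrete: the server must hold the same raw seed to verify codes, which is why its storage matters.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> N digits."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                             # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch.
    Note the inputs: a seed and a clock. No phone number, SIM or carrier."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus +/- `window` steps to
    absorb clock drift, and compares in constant time to avoid timing leaks."""
    current = unix_time // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + k, digits), code):
            return True
    return False


def enrol_seed(base32_seed: str) -> bytes:
    """Decode the base32 seed that a provisioning QR code carries.
    This is the value the server must store securely (hypothetical helper)."""
    return base64.b32decode(base32_seed.upper())


# Published RFC 6238 test secret (SHA-1 variant, 8-digit codes).
RFC6238_SECRET = b"12345678901234567890"

# Constructed example seed, as an authenticator app would receive it.
EXAMPLE_SEED_B32 = "JBSWY3DPEHPK3PXP"


if __name__ == "__main__":
    # Reproduce RFC 6238 Appendix B vectors.
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924"), (2000000000, "69279037")]:
        print(t, totp(RFC6238_SECRET, t, digits=8), expected)

    # Everyday 6-digit flow with the enrolled seed.
    seed = enrol_seed(EXAMPLE_SEED_B32)
    now = int(time.time())
    code = totp(seed, now)
    print("current code:", code, "accepted:", verify_totp(seed, code, now))
```

The `window` in `verify_totp` is the usual trade-off: a wider window tolerates more clock drift on the user's device but leaves each code valid for longer, so one step either side is the common choice. Because an attacker who swaps the victim's SIM still has no copy of `seed`, nothing in this path is affected by the port-out attack described in the article; what remains to protect is the seed itself, on both the device and the server.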