I am not exaggerating when I say that my life is my smartphone. I use it for everything: to email, text, and stalk corgis on Instagram. I also use it to interact with clients and to chat with colleagues on Slack. And I, like so many others, use my phone as a multi-purpose identity management tool. I receive one-time SMS verification codes to prove my identity when I have forgotten a password and need to reset it, or to confirm my identity to an online service provider, and, like many people, I use it as a simplistic form of "two-factor" or "multi-factor" authentication (2FA, MFA) for online accounts and apps. Both uses of SMS one-time codes are common practice for individuals and businesses alike. It is precisely this reliance on our phones and phone numbers as an identity management mechanism that has created a severe authentication weakness which gets far less attention than it deserves; a dangerous threat trend brewing in the dark underbelly of the internet. In recent years, attackers have increasingly hijacked the phone numbers of high-value targets, completely undercutting our ability to rely securely on what has become a perceived "staple" of many users' MFA practices.
So… is losing your phone number to an attacker really that big of a deal? Absolutely. Your phone number is as essential to your identity as your social security number, because online services so often require it as a form of identity verification. Phone numbers, through text messages, are also widely used by the general public as a convenient form of two-factor authentication, even though the security community has long warned that SMS verification codes are a weak authenticator (NIST SP 800-63B, for example, classifies one-time codes delivered by SMS or voice call as a "restricted" authenticator). Criminals use illegal SIM Swap attacks, also referred to as SIM Port Attacks or SIM Hijacking, to gain full control of a target's phone number in order to steal financial data, take over social media profiles, change account passwords, leak private photos or documents online, and destroy or sell other digital items of value belonging to victims.
How does this happen, though? A SIM Swap attack occurs when attackers do what they do best: take a benign feature and use it in a way it was never intended or designed to be used. Mobile carriers give their customers a way to move their phone number to a new SIM card or device (a SIM swap), or to another carrier (a number "port"). It is a perfectly legitimate request, and it happens routinely whenever you lose a phone or upgrade to the newest (but not so different) iPhone. Once an attacker knows your phone number, whether they purchased it online or collected it themselves, they use social engineering to get the number moved to a SIM they control: a highly motivated attacker contacts your carrier pretending to be you, armed with whatever personal details the carrier's support staff use to verify identity, and requests the swap. When the SIM Swap is complete, every call and text message sent to your number, including SMS one-time codes, is delivered to the attacker's handset, while your own phone drops off the network. The attacker does not need your physical phone or the apps and data on it; controlling the number is enough to defeat any login, payment confirmation or password reset that trusts it.
SIM Swapping is one of the worst forms of identity theft that can happen to a person. It is as dangerous and catastrophic to an individual as the theft of a social security number, but with more immediate consequences for the victim. Most major email services and online service providers still allow you to reset a forgotten password, or to authenticate from an unrecognized device, using only your phone number and a one-time SMS verification code. The most dangerous account you can lose is your email account, especially if the service offers a "forgot password" feature that grants access after prompting for the associated phone number and sending an SMS verification code to that number. Many other services, including online banking and social media accounts, use SMS verification in the same way.
By usurping your phone number, an attacker gains access to any online account that trusts that phone number as a recovery or authentication factor, including your Gmail account. And the train wreck doesn't stop there. Even if the phone number associated with an account no longer belongs to the account owner, an attacker can take advantage of that stale association and still use it to impersonate you. That's right: an attacker can use a phone number you don't even remember having to break into an account if it is still the number on file. The threat grows dramatically if the attacker uses your phone number to get into your primary email account. You have to supply an email address for nearly every account you sign up for online, and most of those accounts send their password-reset links to it. If an attacker controls your email and your phone number, they unofficially "own" your identity, but online they officially ARE you.
Most of these attacks are carried out against individual targets for financial gain through identity theft. But what if that changes? What if a well-resourced criminal group or, worse, a nation-state actor uses this technique for something beyond individual fraud? A SIM Swap can be accomplished in a variety of ways, including social engineering of carrier staff, whaling of the target, a virtual phone, or an intrusion into the carrier's network. However the number is taken over, SMS passcodes can be redirected or intercepted, and while individuals are in danger of being victimized by this attack, so are the companies that require their employees to use SMS two-factor authentication to access IT resources.
Two-factor authentication is a key security practice that any company, big or small, can invest in. There are a number of options to choose from, and IT services such as Microsoft 365 and G Suite do provide SMS verification codes to companies that must use 2FA to meet internal policy or compliance requirements. SMS one-time passcodes are also the most popular form of two-factor authentication, because they do not require employees to carry hardware or install an app, and they are very user friendly. Employees feel bogged down, inconvenienced, and frustrated by the learning curve of authenticator applications or hardware tokens. Yet with vendors like Google (Google Authenticator), Duo, and Microsoft (Microsoft 365 MFA) making it far easier to incorporate app-based authentication into a login process, many companies have started to adopt it.
The issue here is that Microsoft and many other service providers are letting their business customers rely on one-time passcodes sent via text, rather than building an authenticator application into their standard packages and offerings. These providers sell security controls and tools to organizations piece by piece, rather than integrating them into their more standard products and services. As a consultant, I often recommend that businesses adopt two-factor authentication for their employees and IT administrators to help protect the network from unauthorized access. I stress this recommendation regardless of the size of the organization because it is so critical to protecting your information systems, but I do understand that many small businesses have limited money and IT resources to dedicate to maturing their cybersecurity program. So the cost-benefit analysis does not always favor a small or medium-sized business spending extra on a separate authenticator application or service, such as Intune in Microsoft 365 (the most common service provider on the market), even though that pricing model can lead directly to the compromise of the provider's own customers.
Attackers are only growing more capable of circumventing SMS one-time passcodes, and SIM Swapping is just one growing trend on a list of dangerous methods. If an executive or an IT administrator with privileged access is compromised by a SIM swap, the ramifications could devastate a business. Executives can authorize huge financial transfers. IT administrators can modify systems and gain access to sensitive data across the environment. And given the right role, even standard users retain access to information such as financial accounts, social security numbers, and other employees' phone numbers. A SIM Swap against any one of these types of personnel potentially enables a savvy attacker to commit financial fraud, infect systems with malware or ransomware, and commit mass identity theft.
This still only touches on how SIM Swapping attacks can affect individuals and organizations, but as we watch these attacks continue to unfold, we should keep the other possibilities in mind. SMS verification codes can be intercepted in a variety of creative and nefarious ways. Some attackers convince users to install malicious applications, such as banking trojans, that read SMS messages on the device. They can socially engineer codes out of users directly, or simply read a pop-up SMS notification on a victim's lock screen if notifications are not hidden while the phone is locked. Or they can exploit weaknesses such as the well-known flaws in the SS7 signalling protocol that carriers use to route SMS messages.
Businesses need to genuinely consider an alternative two-factor authentication solution to meet their regulatory, compliance, and security needs and to prevent this sort of attack. Further, hosted SaaS or PaaS providers should reconsider how profitable any one customer really is if that customer is compromised because security features were not baked into the offered services and applications. In the meantime, we are here to help you handle any security incidents you may experience as a result of SIM Swapping attacks.
To speak with someone about identifying vulnerabilities in your current authentication policies and practices, please reach out to us at email@example.com.
Learn more about TRUE’s Security Program Development.