
Two-factor via your mobile phone – should you stop using it?

Although SIM cards themselves are very secure, it's annoyingly easy for a crook to get hold of one for your number

Our friends over at The Register just documented yet another real-world example of a cybercrime known as SIM swapping.

In its most up-front form, here’s the sort of thing that happens.

A crook walks into a mobile phone shop, lets himself get talked into a top-of-the-range new mobile phone to replace the one he says he just lost.

Fell out of his pocket as he was rushing for the ferry and vanished into the harbour, no point in trying to get it back, wouldn’t still be in working order even if it could be dredged up and recovered.

Pulls out his credit card (OK, not literally his credit card, in all likelihood, but a passable clone of someone else’s credit card), and “buys” the new phone.

In fact, he’s not buying it; in non-legalistic terms he’s stealing so he can sell it online the very same afternoon – at half its recommended retail price, he’ll go from listing to sale in a matter of minutes.

But that’s not all: while he’s about it, he gets a new SIM card to replace the one that’s now sunk in the harbour mud, because the new phone isn’t much use without his old number.

Of course, the mobile phone shop carries out an identity check – you can’t be too careful, after all, because you don’t want an imposter to be able to take over someone else’s phone number too easily!

Actually, you can be too careful: the guy just lost his phone, wasn’t expecting to need a new one so doesn’t have his passport with him, seems like a decent chap, and, if the truth be told…

…the sales person at the phone shop knows that even legitimate customers typically walk out empty-handed, taking the sale and the commission with them, as soon as the purchasing process gets too complicated.

Why swap a SIM?

Our cybercrook just doubled his “returns”: as well as a stolen phone he can flog online, no questions asked, he’s also got someone else’s SIM card that he can use to get at their two-factor authentication (2FA) codes for a while.

Of course, it won’t just be anyone’s SIM card – he’ll have chosen the phone number of a victim for whom he already has login information such as usernames and passwords.

A SIM swap is therefore a simple and annoyingly effective way for a crook to hack your online accounts even after you turn on phone-based 2FA for added security.

That’s because mobile phone numbers aren’t really tied to phones at all: they’re tied to your SIM card, with the result that any 2FA process that depends on SMS messages is vulnerable to a SIM swap.

Ironically, SIM cards themselves are very secure: they’re as good as impossible to clone or to modify unofficially.

But the SIM card ecosystem as a whole has a weak point because almost any mobile phone shop can officially issue a replacement SIM card, where the mobile network ties a new SIM to an existing phone number.

That’s a bit like a country that redesigns its passports to make them much harder to forge, but doesn’t also improve the security surrounding the process of applying for a passport in the first place.

How to spot a SIM swap

If you’re the victim of a SIM swap, you do get a vague sort of early warning: your phone goes dead, because a SIM swap not only activates the newly issued SIM, but automatically deactivates the old one at the same time.

Sadly, however, you might not notice your phone is dead for a while, and even when you do, you can’t immediately tell whether it’s due to a permanent SIM swap, or a temporary network outage.

Eventually, you’ll figure it out, but at that point you can’t just call up and report the problem – because your phone no longer works!

Worse still, when you do get through to your mobile phone provider, they may think that you’re the imposter, given that you clearly aren’t the person who previously swapped out the SIM.

In the meantime, you’re locked out from your 2FA-protected accounts as well as from your phone, so you probably can’t get in yourself to kick the crooks back out.

(Typically, the first thing a crook will do with an ill-gotten logon is to go in and change all the authentication and account recovery settings, to make it as hard as possible for you to wrest back control of your account once you realise what has happened.)

What to do?

If you’re in the US, it’s worth remembering that the National Institute for Standards and Technology (NIST) recently updated its official “rules for passwords”, announcing that phone-based 2FA is no longer considered satisfactory, at least for the public sector.

NIST formed the opinion that the lack of control over the issuing of new SIM cards – something that can be initiated in almost any mobile phone shop – means that they simply aren’t good enough to serve as a tamper-resistant part of any government 2FA system.

If you’re worried about the risks of SMS-based 2FA for your own accounts, consider switching to an app-based authenticator instead, such as the one built into Sophos Free Mobile Security (available for Android and iOS).

Of course, the security of an authenticator app depends on the security of your phone itself, because anyone who can unlock your phone can run the app to generate the next code you need for each account.

Be sure to set a strong lockcode or passphrase – and use a recent phone model that is still officially and actively supported with security patches.

Also, whether you use SMS-based 2FA or not, contact your mobile provider to find out whether they have additional security you can apply to your phone account.

This additional security is typically still prone to social engineering, where a crook with the gift of the gab talks someone in the support team into skipping one or more important security steps, but it’s better than nothing at all.

Oh, and if your phone goes dead unexpectedly, especially when friends and colleagues on the same network have good signals and you would expect the same…

…try borrowing a phone and calling your provider, just in case.


25 Comments

Stop using 2FA? How does that help? That just saves the perp the trouble of going to the phone store and convincing people to let them have your identity.

Reply

Specifically, the article says “stop using SMS-based 2fa.” It also specifically says “use an app-based key generator”. I use Google Authenticator for all my accounts that allow it.

Reply

I’m likely not the first to reply to this, but none are visible yet…

NIST (and certainly Paul) doesn’t recommend going back to non-2FA methods, but text-message confirmation alone is no longer adequate. Security apps can provide protection and–assuming your passwd is solid–it can’t be cheaply socially engineered like your SIM card can (example in the article). This has happened to a few high-profile targets in the last year, but DeRay McKesson is the only one I can recall ATM.

I’m not using a security myself yet, but this article pushes my burgeoning curiosity into the “all-right-all-RIGHT-I’m-gonna-break-down-and-do-it” zone.

I’ve already got Sophos antimalware installed; I suppose I’m out of excuses.
:-)

Reply

The title is misleading. It should relate more to the content of the article since it is two-factor using SMS that is vulnerable to this scam, not two-factor itself.

Reply

With hindsight I could have said “via SMS” (or “via the mobile network”) in the headline to avoid any ambiguity…

…but IMO “via mobile phone” conveys pretty clearly that I meant “using the cellular network that you need a SIM to connect to.”

After all, authenticator apps aren’t tied to mobile phones – you can run them on all sorts of other devices, including tablets, laptops and even dedicated hardware.

Similarly, not all SIM-authenticated 2FA systems use SMSes – some use direct messages and others actually use voice calls to speak the login codes to you.

Bottom line: if the 2FA logon codes reach you thanks to the phone number of a SIM card, then the system is vulnerable to a SIM swap being used to hijack the codes…

Reply

I agree – specifying ‘via your mobile’ implies any app, not necessarily SMS-based ones.

Reply

Well…to be scrupulously fair to me (and I am willing to do that :-), I wrote “via your mobile phone”, which is not *quite* the same as “via your mobile”. But I get your point…although I still think the question in the headline is perfectly reasonable.

Given the problems caused by SIM swaps, should you give up on mobile phone based 2FA? I think that is a fair (and common) question, and the article answers it. (No. But if you want to give up on SMS, you can switch to offline, app-based 2FA instead.)

Reply

I recently bought a FIDO security key only to find most providers didn’t support using it for 2FA. Most still use SMS – some let you use an authenticator app.

I am now thinking of getting a cheap Android smartwatch with Google Play, putting a PAYG sim card in it and using that (the authenticator app(s) where possible, the SMS route where that’s all there is) as my “thing I have”. Harder to lose than a phone. Thoughts?

Reply

I’m not keen on going back to wearing a watch, but your smart watch is an interesting idea. Seems if you only give the number to authenticating entities it’d be far more difficult for an attacker to weasel it away. I’d love to hear Paul’s thoughts on that.

Reply

Hmmm. I’m not sure how using a PAYG SIM (pay-as-you-go, known as “prepaid” in some countries) gives you any extra technological security against SIM swaps. Unless, perhaps, you are thinking that if you buy the SIM as a sort of “burner” and only ever use it to receive SMSes, then no crook is ever likely to figure out the number and therefore wouldn’t be able to pull off a SIM swap. (If so, that sounds like security through obscurity to me, so don’t rely on it as anything but a smokescreen.)

Also, forgive my ignorance, but don’t the current smartwatch offerings for Android (and iOS, for that matter) rely on pairing with a mobile phone in your pocket or your rucksack to do the actual cellular telephony part? In other words, the burner SIM doesn’t go into your burner smartwatch…it goes into the burner phone you will also need. If so, the smartwatch is redundant, which will save both money and street cred :-)

Reply

You’re right – you’d have to use the same PAYG sim for all the services and so it would only take an info leak from one of them and you’re back where you started.
“Standalone smartwatch” is the thing – takes a SIM card.
You’d also have to make sure the PAYG SIM stayed alive and wasn’t deactivated.

The main service I couldn’t set up with an auth app or other non-SMS thing was, ironically, PayPal (UK) – I’d heard you could use the Symantec VIP Access app instead but when I went to the “Security Key” webpage in my PP settings, it only offered me the ability to add other phone numbers.
Of course at least PP has *a* type of 2fa, unlike eBay ( !! ).

Reply

“only take an info leak from one of them and you’re back where you started.”

Do the PAYG services require photo ID and the like? If they’re associated with a different name the Bad Guy Cross Reference would mean you’re no longer low-hanging fruit.

Reply

yes… burner is how I interpreted the intent, though I didn’t realize they all require pairing an actual phone. Bummer; I was hoping TTDTTDTTDDD found one of the better implementations I’ve seen of security through obscurity.

Granted, StO is a weak line of defense… but this one would’ve been still a sight better than a null root password (because of course our app requires root but hangs if there’s a passwd prompt) bolstered with “but look! I put ssh on a different port!”
:-)

Reply

seems this can be solved by strengthening the identity proofing standards specifically for issuing/re-issuing a sim card. Perhaps this could be an optional purchase policy for those interested in such protection as SMS 2FA is a good choice for ease of use and security (minus this hack). Bottom make the networks liable for losses and identity theft on such sim cards issued under this policy. — alas Too much money and too many lobbyists for sanity and logic to rule the day.

Reply

AFAIK, one reason for making it quick and (comparatively) easy to do SIM swaps is to improve competition and consumer choice. (Remember how hard/impossible mobile providers used to make it – in countries where regulations made it possible, at least – to keep your number when you wanted to switch to a competitor?)

Customers who lose a SIM card want to be able to get a new one quickly, so the power to authorise the activation of new SIMs is highly distributed. And that is bad for security.

As mentioned in the article, many providers do have “lockdown” settings you can opt into. The theory is that you can ask them to make it harder for *you* to get a new SIM, and thereby make it harder for crooks to swap out your SIM from under your nose. But in the Register story we linked to, even that didn’t work – the crooks, it seemed, just tried over and over, presumably fine-tuning their tale of woe each time they failed, until they hit on a magic combination of believable story, persuasive tone of voice, and overly helpful helpdesk staffer – that meant they jumped over the “lockdown” settings that ought to have prevented the attack.

Some countries have tried to add bureaucracy to the SIM swap process – at least one provider in South Africa, for example, requires not only that you show ID, but also that you present an affidavit, which usually means walking voluntarily into a police station to get the relevant document attested. In theory, that should increase the time and effort for any SIM swap, add an extra chance of getting caught, and allow the courts to be tougher on you if you do get caught. In practice, I’m guessing all it does is to give the cops a load of extra front-desk work signing documents for law-abiding folks – meanwhile, the crooks just need to find a crooked employee at a company that makes rubber stamps and pay them to knock out some fake Police Service ones to “authorise” their own “affidavits” sufficiently well to pass muster.

Reply

So the things the crook needs: your credit card and/or some ID. Knowledge of your passwords.
If you don’t have a choice of using an app, only password and SMS 2FA or password only, using 2FA via SMS is no worse and will still usually be safer than password only – or have I missed something?
I’m just trying to be sure I guess. Using an app is the best option, or a token, but 2FA via SMS is not any worse than password alone, and forces the ‘crook’ to do at least 2 extra steps (get a credit card/ID and clone a SIM)

Reply

I mostly agree: it’s better to have one-time codes via SMS than to have no 2FA at all. But, as with so much in the computer security field, “It depends.” For example, if you are using a service that allows password recovery *with an SMS code alone*, as an alternative to other methods (e.g. email to a secondary account) then a SIM swap alone pretty much gives the crook open access to your account. As long as you take this into account.

Also – and perhaps I ought to have made this clearer in the article – the crook doesn’t necessarily need a credit card to pull this off. I just used that approach in my example – where the crook uses the fraudulent purchase of a new phone as a way to squeeze the mobile phone sales guy into doing only a cursory ID check for fear of losing the commission. In the Register story we linked to above, the crooks didn’t go into a store or buy anything, as far as I can tell. They worked their social engineering over the phone, finally persuading a call centre support staffer to accept their word for it that they really were the victim and somehow initiating the SIM swap that way. (I presume they’d need to drop into a store, or provide a delivery address, to receive the new SIM, but as far as I know they didn’t need to go through the trouble of buying a new phone to inveigle themselves into a position to initiate a SIM swap.)

Reply

The Indian government now requires everyone with a cellphone to link their phone number to their Aadhaar number (a unique biometric-linked identity given to everyone living in India) by the end of this year. So, I presume that in future if anyone wants a replacement for their lost or stolen SIM card, they will need to prove their identity via their fingerprints or iris scan.

Reply

Factor auth is: something you are (i.e. biometric), something you know (i.e. a passcode), something you have (i.e. a time-gen token), etc.

A passcode by SMS is still just something you know, like a password, so isn’t this really 2SV? Because you are using just one factor in two steps.

People should definitely use real 2FA on their phones: a time code generated by a seed, with NOTHING transmitted by SMS.

Yes, I know that you can enable 2FA and if you don’t have the code, some systems will let you use an alternate code delivery by email or SMS, but this is really reverting the security process to 2SV, which we all know is less secure than 2FA.

So, don’t blame 2FA, blame people who use 2SV – even if they don’t realize they have.

Reply

I treat 2FA and 2SV as synonyms, because they are.

The rubric about “something you have, something you know, something you are” is a salesy chant from the late 1990s and early 2000s that has become something of a definition…

…and if you want to be strict about it, an SMS code is very definitely “something you have” (the SIM card in your phone) and not “something you know” (because the one-time code is chosen non-deterministically by the sender of the message – there’s no seed, so there is no secret knowledge you have to compute it yourself).

In truth, an authenticator code is much more “something you know” than an SMS, because it’s based deterministically on a seed that you type in to start the sequence – that seed is essentially a second password, usually stored in a clever way.

The problem is not the issue of what you have/know/are, it’s simply that it turns out SIMs are easier to steal than authenticator seeds.

Reply

Is there a way to use the Sophos Authenticator App with google account. Can’t find a way to get a QR code displayed in my google account?

Reply

Not sure about Google, but most servers will offer a code to type in, typically a string of mixed letters and digits. This is usually presented as four groups of four characters with dashes in between, e.g. GEZD-GNBV-GY3T-QOJQ, using what is called Base32 encoding. If there’s also a QR code, that’s just an alternative to save you typing in the text of the code by hand.

Sophos Authenticator lets you type in the seed code yourself – use the “Manual Add” option and you will see a prompt along the lines of KEY (Base32 encoding).

Reply
