Study Shows The Internet Is Hugely Vulnerable To SIM Hijacking Attacks
from the ill-communication dept
U.S. Wireless carriers are coming under heavy fire for failing to protect their users from the practice of SIM hijacking. The practice usually involves conning or bribing a wireless employee to port a victim’s cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Carriers are facing numerous lawsuits from victims who say attackers used the trick to first steal their identity, then millions in cryptocurrency, or even popular social media accounts.
Last week, six lawmakers, including Ron Wyden, wrote to the FCC to complain the agency isn’t doing enough (read: anything) to pressure carriers into shoring up their flimsy security. This week, a group of Princeton researchers released a study showcasing how both traditional and prepaid wireless carriers remain incredibly vulnerable to such attacks despite several years worth of headlines. In the full study (pdf, hat tip ZDNet), the researchers showed how it was relatively easy to trick wireless company support employees into turning over far more private data than they should, helping to facilitate the illicit SIM swap:
“When providing incorrect answers to personal questions such as date of birth or billing ZIP code, [research assistants] would explain that they had been careless at signup, possibly having provided incorrect information, and could not recall the information they had used,” researchers said, explaining the motives they provided to call center staff.”
After failing the first two steps in confirming a caller’s identity, wireless carriers then move on to a third confirmation option — verifying the last two numbers called from the account. But researchers note that was easy to game as well:
“The research team says that an attacker could trick a victim into placing calls to specific numbers. For example, a scenario of “you won a prize; call here; sorry, wrong number; call here instead.” After the attacker has tricked the SIM card owner into placing those two calls, they can use these details to call the telco’s call center and carry out a SIM swap. Princeton researchers said they were able to trick all five US prepaid wireless carriers using this scenario.”
Despite warning all five of the carriers they tested this trick on, four of the five still hadn’t fixed their security gaps as of the study’s publication. After showcasing how vulnerable mobile carriers are, the researchers took a closer look at what could be done once they had taken over a user’s wireless accounts. As such they tested the multi-factor-authentication practices of 140 of the most popular services and sites, and found that 17 of those services had no systems in place to protect users from SIM hijacking (such as emailing users a one time password to confirm identity and verify the changes were actually requested).
Here’s where, in a functional market with a functioning government, regulators would step in to pressure carriers to do more to actually protect consumers. Instead, the Trump FCC has spent the last three years rubber stamping every fleeting whim of the sector, including gutting most meaningful oversight of the sector, and rubber stamping massive mergers the majority of objective experts say will harm the market.
Filed Under: ajit pai, fcc, ron wyden, scams, sim hijacking, sim swap, social engineering, wireless carriers
Comments on “Study Shows The Internet Is Hugely Vulnerable To SIM Hijacking Attacks”
SMS 2FA has never been secure and never will be
Implement TOTP instead of this shit. I’d rather legitimately forget my password and be locked out of my account forever than some random person getting access to it because they called customer service with a sob story.
Re: SMS 2FA has never been secure and never will be
I scream every time a service tries to get me to sign up for SMS 2FA. How did anyone ever convince technologically illiterate rubes in charge at these businesses that this could ever be a good, oh, right…. yeah…..
As soon as the US wireless carriers figure out a way ti charge a monthly fee for this, they will fix it.
Re: Re:
Account security recovery fee.
More reasons to not conduct financial transactions via a cell phone, certainly not anything related to a saving acct or 401k.
Or it that 409k these days?
Re: Re:
The article title is probably wrong. This attack has nothing to do with SIM cards, and there’s no reason to think a non-wireless phone would be secure against customer service attacks.
Re: Re: Re:
The title is fairly accurate IMO, as the attack relies on number portability. The FCC requires providers to allow wireless numbers to be portable, but they are not required to allow you to transfer a landline number, and many carriers just won’t do it. Since you’re far less likely to be able to port a landline number, it’s far less likely that this kind of attack would succeed.
17 of 140 services, eh? 12%
Of that 12%, how popular are they? Where do they rank?
Of the 156 sms – enabled websites listed, the only ones I saw without account recovery provisions were hushmail, signal, and whatsapp. Of course, those are kinda severe…
You know you can get your account locked with a code. If I call them up, even with all my normal info and want to do anything, I have to tell them my code number. I keep that number stored in LastPass in the Notes area for my normal T-Mobile Online account, that way I can look it up easily enough on whatever device is handy. You don’t want to lose the number.
Re: Re:
You have found a single point of account lockout because if anything happens to your last pass setup you lose both the password and the recovery code.
Re: Re: Re:
Plus if someone else gets control of your T-Moble-online account you loose everything you was attempting to save.
Re: Re:
Pin code security to stop porting scams have been bypassed by the same social engineering techniques explored in the article.
A Journalist went through the 3 times he was hit by port out scams, and he did the whole "require a pin code to do anything" bit, and the scammers just engineered their way around it.
I would also like phone number spoofing to be a little more difficult. You would think that phone companies could tell when a number is spoofed, but alas…
Someone from 111-111-1111 wants me to save on my credit card payments.
Re: Re:
If that could be used to game a thing that actually cost the provider, they’d do something.
Re: Re: Re:
ANI is like caller ID, but for billing calls. It is, accordingly, much harder to spoof.
Re: Re:
Remember, the phone companies know when the displayed number is being spoofed. Rather, they know the actual data about the actual numbers/connections for both ends of the system if they care to check.
They just don’t care.
Re: Re: Re:
It’s not so simple to decide what to do with that data. Some spoofing is legitimate; e.g., you call a toll-free customer service number, and they later call you back with caller ID showing the number you had dialed—even though the real originating number is some probably-foreign call center with a different phone number.
Would law enforcement have cause to hijack suspects' phones?
If so, expect to see pressure to leave it alone in 3… 2… 1…
It seems to me that it’s a rather simple problem to solve by implementing some sort of lock (password) the SIM owner has to input before any swap. Something not easily obtainable such as personal information.
The question is: what are the carriers getting in benefits that keeps them from implementing such security measures?
Re: Re:
As mentioned above, some carriers at least DO already offer such protection…but it doesn’t work. The attack already relies on social engineering the call center employees to disregard policy. If you can’t get them to obey the existing security policies, what are the odds that they’ll obey that one?