As a director at a cyber-risk investigations company and a former FBI cyber analyst, I'm very familiar with SIM-swapping threats. For many people, the term SIM swapping conjures up an image of a hacker tapping into a phone company, or foreign fighters swapping out SIM cards to avoid government surveillance. In reality, SIM swaps are a legitimate function that happens daily at phone companies around the world. At the most basic level, a SIM swap is used by a telephone service provider to transfer an individual's existing mobile phone number to a new SIM card and phone.
Unfortunately, criminals have learned to use SIM swapping to turn a profit. Criminals trick or bribe phone company employees into transferring a victim's mobile phone number to a new SIM card and phone controlled by the criminal. But why would a criminal want to gain control of someone's mobile phone number?
Enter mobile phone authentication. Here an online service verifies a user's identity by sending a one-time password (OTP) by SMS to the mobile number previously linked to the account, typically during two-factor authentication (2FA) setup. This is a convenient way to reset a forgotten password, but it also means that whoever controls that mobile number can gain access to the email, social media, and financial accounts tied to it. If the Greek warrior Achilles is representative of 2FA in all its glory, then SMS-based mobile phone authentication is Achilles' heel.
Hacking Three Accounts with One Phone Number
The idea of hacking someone with their phone number was so intriguing, I decided to simulate the hacking of my own accounts using just my mobile phone. I started with my Twitter account, where I selected "Forgot password?" and received an "Enter phone number" option. At this point, I didn't remember ever connecting my Twitter account to my mobile number but figured I'd try.
I immediately received a one-time passcode from Twitter and was able to read the code via a notification on the locked screen of my cellphone. Upon entering the code into Twitter's website, I was prompted to enter a new password and gained full control of the account. Since SMS notifications appear on my phone's locked screen, anyone with physical access to my phone and my phone number could have taken over my Twitter account.
The most disturbing thing about my Twitter experiment is the knowledge that any family member, friend, or co-worker who had my phone number could enter it in Twitter's "Forgot password?" field, pick up my locked phone to view the one-time password, and gain full control of my account. A SIM swap wasn't even necessary.
The privacy implications of this scenario are unsettling, but this also highlights the potential for an individual to have offensive content sent out from their social media accounts, or worse, become implicated in a crime committed by someone who gained control of their accounts. The intruder (for example, estranged spouse or vindictive co-worker) would only need access to the victim's phone number and locked phone. I did receive an email alert from Twitter that my password had been reset, but an attacker could gain access to my email account using the same technique and delete any notifications.
Bolstered by the hack of my Twitter account, I used the same technique against my dated Hotmail account, and achieved the same result. The steps for Hotmail included clicking "Forgot password," entering my (very guessable) email address, and following a prompt to enter my mobile number. A one-time password was sent to my cellphone, allowing me to reset my password and gain access to years' worth of email correspondence, all while bypassing the complex password I had set up for the account. I was starting to see how easily a SIM swapper or nosy individual could gain access to a variety of accounts by controlling a phone number.
At this point, I was in "think like an attacker" mode and searched my Hotmail inbox for financial statements. I found an email from a financial institution and clicked on "View statement." Hacking the financial account required a bit more effort than just entering a mobile number, but the only additional hurdle was entering a Social Security number, which can often be purchased on Dark Web marketplaces. At this point in my experiment, I had gained access to a social media account, an email account filled with financial statements, and a financial account from which I could transfer funds.
What did I learn from hacking my accounts with my mobile phone? Mainly, if my accounts hadn't been linked to my mobile phone and were solely protected by the complex passwords I use, they would have been more secure.
Many online providers suggest adding a mobile phone number as a way to implement 2FA, combining 1) something you know (the password) with 2) something you have (the phone). Indeed, both factors are checked when the phone number is first linked to the account; after that initial confirmation, however, the password-reset path often collapses back to a single factor: whoever can receive SMS at the number on file can set a new password, and the password itself is never needed.
The false sense of security that SMS-based authentication encourages leaves users exposed to SIM-swapping attacks and to far more mundane snooping. Unless you have disabled lock-screen previews of incoming messages, someone with access to your locked phone could gain access to your social media, email, and potentially financial accounts with nothing more than your publicly available phone number and email address.
This experiment has spurred me to make some immediate changes, which I suggest you consider doing as well:
- I will be deleting my phone number from my online accounts and will authenticate to accounts with complex passphrases and more-robust 2FA options, like Google Authenticator, Microsoft Authenticator, Duo, or a USB hardware authentication device such as YubiKey. (I obviously won't be linking my mobile phone number to these 2FA applications.)
- I will protect sensitive email contents by archiving and backing up email so it's not accessible to an intruder if I'm hacked.
- To protect against SIM swapping, I will add an account PIN with my carrier (sometimes called a port-out or number-transfer PIN) and plan on requesting that SIM transfers only take place in person for my account.
- To deter mobile phone authentication attacks from opportunistic snoopers, I have disabled notifications on my phone's lock screen.
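To make the "reverts to a single factor" problem concrete, the following added example (not code from the article or from any of the services it names) simulates the reset flow described above. A toy carrier routes SMS to whoever currently holds the SIM for a number; a toy service offers "Forgot password?" keyed on the phone number on file. With the weak policy, a SIM swap is enough to reset the password. With the hardened policy, the reset additionally requires a code from an authenticator app (RFC 6238 TOTP, implemented here from the RFC), whose seed lives on the owner's device and never passes through the carrier, so the attacker gets nothing from the swap. The phone number, account, passwords and seeds are constructed for the example, and the carrier and service are deliberately simplified models.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time. The seed never leaves the device."""
    return hotp(secret, at // step, digits)


class Carrier:
    """Routes SMS to whoever currently holds the SIM for a number; sim_swap re-points the number."""

    def __init__(self):
        self.holder = {}  # phone number -> Person

    def sim_swap(self, number, new_holder):
        self.holder[number] = new_holder

    def sms(self, number, text):
        self.holder[number].inbox.append(text)


class Person:
    def __init__(self, name, authenticator_secret=None):
        self.name = name
        self.inbox = []  # SMS received on the SIM this person currently holds
        self.authenticator_secret = authenticator_secret  # TOTP seed on this person's device, or None


class Service:
    """Password reset keyed on the phone number on file, like the "Enter phone number" flow above."""

    def __init__(self, carrier, require_authenticator):
        self.carrier = carrier
        self.require_authenticator = require_authenticator  # False = SMS only, True = SMS + TOTP
        self.accounts = {}  # phone -> {"password": str, "totp_secret": bytes | None}
        self.pending = {}  # phone -> (sms code, expiry)

    def enroll(self, phone, password, totp_secret=None):
        self.accounts[phone] = {"password": password, "totp_secret": totp_secret}

    def forgot_password(self, phone, now):
        """Anyone who knows the number can trigger this; the code goes wherever the carrier routes it."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = (code, now + 300)  # five-minute validity window (constructed policy)
        self.carrier.sms(phone, f"Your reset code is {code}")

    def reset_password(self, phone, sms_code, new_password, now, totp_code=None):
        expected, expiry = self.pending.pop(phone, (None, 0))  # single use
        if expected is None or now > expiry or not hmac.compare_digest(expected, sms_code):
            return False
        if self.require_authenticator:
            seed = self.accounts[phone]["totp_secret"]
            if seed is None or totp_code is None or not hmac.compare_digest(totp(seed, now), totp_code):
                return False
        self.accounts[phone]["password"] = new_password
        return True


def run_scenario(require_authenticator: bool, sim_swapped: bool, now: int = 1_700_000_000) -> bool:
    """Return True if whoever holds the SIM for the victim's number ends up resetting the password."""
    number = "+15550100"  # constructed number
    carrier = Carrier()
    victim = Person("victim", authenticator_secret=secrets.token_bytes(20))
    attacker = Person("attacker")
    carrier.sim_swap(number, victim)  # the victim legitimately holds the number at enrolment
    svc = Service(carrier, require_authenticator)
    svc.enroll(number, "correct horse battery staple", victim.authenticator_secret)

    if sim_swapped:
        carrier.sim_swap(number, attacker)  # the attack: the carrier moves the number to the attacker's SIM
    holder = attacker if sim_swapped else victim

    svc.forgot_password(number, now)  # "Forgot password?" -> "Enter phone number"
    code = holder.inbox[-1].split()[-1]  # read off the lock screen, or off the attacker's own phone
    seed = holder.authenticator_secret
    totp_code = totp(seed, now) if seed else None  # the attacker has no seed to derive a code from
    return svc.reset_password(number, code, "new-password", now, totp_code)


if __name__ == "__main__":
    print("SMS only, SIM swapped:        ", run_scenario(False, True))  # True: account taken over
    print("SMS + authenticator, swapped: ", run_scenario(True, True))  # False: the swap buys nothing
    print("SMS + authenticator, owner:   ", run_scenario(True, False))  # True: the owner still gets in
```

The TOTP routine can be checked against the published vectors (seed `12345678901234567890`, time 59, eight digits gives `94287082`). The point of the scenario is which party ends up holding which factor: once the carrier re-points the number, the SMS code is delivered to the attacker just as faithfully as it was to the owner, so a policy that accepts SMS alone for reset has effectively made the phone number the only credential.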
Bottom line: A key feature advertised to make your account more secure — adding a mobile phone number — has actually proved to be a vector of attack in a growing number of SIM-swapping incidents. The security and privacy implications of this are serious, and the industry needs to move toward more secure authentication mechanisms in lieu of SMS-based mobile phone authentication.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives.