Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:00 PM
Nicole Sette
Nicole Sette
Connect Directly
E-Mail vvv

I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned

A feature that's supposed to make your account more secure -- adding a cellphone number -- has become a vector of attack in SIM-swapping incidents. Here's how it's done and how you can protect yourself.

As a director at a cyber-risk investigations company and a former FBI cyber analyst, I'm very familiar with SIM-swapping threats. For many people, the term SIM swapping conjures up an image of a hacker tapping into a phone company, or foreign fighters swapping out SIM cards to avoid government surveillance. In reality, SIM swaps are a legitimate function that happens daily at phone companies around the world. At the most basic level, a SIM swap is used by a telephone service provider to transfer an individual's existing mobile phone number to a new SIM card and phone.

Unfortunately, criminals have learned to use SIM swapping to turn a profit. Criminals trick or bribe phone company employees into transferring a victim's mobile phone number to a new SIM card and phone controlled by the criminal. But why would a criminal want to gain control of someone's mobile phone number?

Enter the modern concept of mobile phone authentication. This is the practice employed by online service providers to verify a user's identity by sending a one-time password to a mobile phone number that previously was linked to that account using two-factor authentication (2FA). While this is an easy way of resetting forgotten passwords, it also allows anyone in control of that mobile number to gain access to email, social media, and financial accounts tied to that number. If the Greek warrior Achilles is representative of 2FA in all its glory, then SMS-based mobile phone authentication is Achilles' heel.

Hacking Three Accounts with One Phone Number
The idea of hacking someone with their phone number was so intriguing, I decided to simulate the hacking of my own accounts using just my mobile phone. I started with my Twitter account, where I selected "Forgot password?" and received an "Enter phone number" option. At this point, I didn't remember ever connecting my Twitter account to my mobile number but figured I'd try.

I immediately received a one-time passcode from Twitter and was able to read the code via a notification on the locked screen of my cellphone. Upon entering the code into Twitter's website, I was prompted to enter a new password and gained full control of the account. Since SMS notifications appear on my phone's locked screen, anyone with physical access to my phone and my phone number could have taken over my Twitter account.

The most disturbing thing about my Twitter experiment is the knowledge that any family member, friend, or co-worker who had my phone number could enter it in Twitter's "Forgot password?" field, pick up my locked phone to view the one-time password, and gain full control of my account. A SIM swap wasn't even necessary.

The privacy implications of this scenario are unsettling, but this also highlights the potential for an individual to have offensive content sent out from their social media accounts, or worse, become implicated in a crime committed by someone who gained control of their accounts. The intruder (for example, estranged spouse or vindictive co-worker) would only need access to the victim's phone number and locked phone. I did receive an email alert from Twitter that my password had been reset, but an attacker could gain access to my email account using the same technique and delete any notifications.

Bolstered by the hack of my Twitter account, I used the same technique against my dated Hotmail account, and achieved the same result. The steps for Hotmail included clicking "Forgot password," entering my (very guessable) email address, and following a prompt to enter my mobile number. A one-time password was sent to my cellphone, allowing me to reset my password and gain access to years' worth of email correspondence, all while bypassing the complex password I had set up for the account. I was starting to see how easily a SIM swapper or nosy individual could gain access to a variety of accounts by controlling a phone number.

At this point, I was in "think like an attacker" mode and searched my Hotmail inbox for financial statements. I found an email from a financial institution and clicked on "View statement." Hacking the financial account required a bit more effort than just entering a mobile number, but the only additional hurdle was entering a Social Security number, which can often be purchased on Dark Web marketplaces. At this point in my experiment, I had gained access to a social media account, an email account filled with financial statements, and a financial account from which I could transfer funds.

Lessons Learned
What did I learn from hacking my accounts with my mobile phone? Mainly, if my accounts hadn't been linked to my mobile phone and were solely protected by the complex passwords I use, they would have been more secure.

Many online providers suggest adding a mobile phone number as a way to implement 2FA — that is, 1) something you know and 2) something you have. Indeed, 2FA is used to initially link a user's phone number to an online account; however, after the initial confirmation of the phone number, the authentication process often reverts back to single-factor authentication (a phone number) for authenticating accounts.

The false sense of security encouraged by the SMS-based authentication scenario leaves users vulnerable to SIM-swapping attacks and privacy vulnerabilities. Unless you have disabled certain notification features on your phone, someone with access to your locked phone could gain access to your social media, email, and potentially financial accounts with only a publicly available phone number and email address.

The Takeaway
This experiment has spurred me to make some immediate changes, which I suggest you consider doing as well: 

  • I will be deleting my phone number from my online accounts and will authenticate to accounts with complex passphrases and more-robust 2FA options, like Google Authenticator, Microsoft Authenticator, Duo, or a USB hardware authentication device such as YubiKey. (I obviously won't be linking my mobile phone number to these 2FA applications.)
  • I will protect sensitive email contents by archiving and backing up email so it's not accessible to an intruder if I'm hacked.
  • To protect against SIM swapping, I will add a PIN to my mobile account and plan on requesting that SIM transfers only take place in person for my account.
  • To deter mobile phone authentication attacks from opportunistic snoopers, I have disabled notifications on my phone's lock screen.

Bottom line: A key feature advertised to make your account more secure — adding a mobile phone number — has actually proved to be a vector of attack in a growing number of SIM-swapping incidents. The security and privacy implications of this are serious, and the industry needs to move toward more secure authentication mechanisms in lieu of SMS-based mobile phone authentication.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How Medical Device Vendors Hold Healthcare Security for Ransom."

Nicole Sette is a Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps. Nicole is a Certified Information Systems Security Professional (CISSP) with 15 years of experience conducting cyber intelligence investigations and technical analysis. Nicole served ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/23/2019 | 3:04:19 AM
Re: Common Sense always rules out
Looking forward to more details regarding it
User Rank: Ninja
11/21/2019 | 1:32:31 PM
Re: Common Sense always rules out

One thing I didn't elaborate on in the article is that both my Pixel and Apple phones' default settings with notifications 'turned on' reveal the first line of a text on the notifications screen. [The onetime code comes through usually since it's in the first line].

I do believe it is less user-error and more of a structural/endemic vulnerability, since the presumption is that a majority of users will leave their phones on the default setting. [Please correct if I'm wrong about that - it's possible that the default for notifications varies for different versions of different mobile phones]
  • Interesting point, so from a technical and security standpoint, most individuals will install certain security tools (controls) to ensure or reduce the chances of it being compromised. A number of security individuals verify the patches are up-to-date, install Antivirus, HIDS, Firewall and other mechanisms (checks and balances). The same should apply to the phone, it is not any different since the operating system is based on Linux or Linux variant. So in this case you may be wrong about that, they give you the box but it is up to you on how to fill it. We should apply the same principles to the phone as we do the computer.



Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...