For years, two-factor authentication over SMS was treated as the gold standard for account security. The premise is simple: even if a password is compromised, the attacker cannot take over the account without also having access to the user's text messages.
But those days are long over. Anyone who has paid attention to security has probably heard of SIM swapping, which has been used in high-profile incidents to target high-net-worth individuals and cryptocurrency investors.
While SMS compromise is not new, research on the cyber underground shows how far the techniques have proliferated. The widespread availability of these tactics and techniques increases the risk for telecom companies, financial services firms, and any consumer who relies on SMS 2FA to secure accounts and information.
Broadly, threat actors gain access to a victim's SMS messages by one of two means: SIM swapping, in which the victim's phone number is moved to a SIM the attacker controls so that every call and text is delivered to the attacker's device, and SMS interception, in which the attacker reads the target's messages without taking over the number.
People lose or replace their phones every single day. When they get a new phone, they want it to have the same phone number. Telecom companies have an interest in making it convenient to switch phones in these situations. It’s just basic customer service.
And therein lies a huge weakness. The process is fully legitimate when the number's owner requests it; it is highly damaging when someone other than the owner gets the number moved.
The process is susceptible to social engineering. With some reconnaissance, a scammer can impersonate a high-value target and take control of the target's phone number with the unwitting help of the mobile carrier's customer-service staff. On the dark web, threat actors sell 'fullz': complete rosters of personal information including names, credit card numbers, expiration dates, ATM PINs, phone numbers, driver's license details, date of birth, mother's maiden name, IP address, and more, which is exactly the data a carrier's knowledge-based identity checks ask for.
An actor selling identity packages for Verizon, AT&T, T-Mobile and Sprint
In the figure above, we see a threat actor offering information on customers from several major U.S. carriers.
In addition to social engineering, threat actors can recruit malicious insiders at telecom companies, possibly offering them a share in the proceeds.
An actor offers a SIM swapping service, noting that he has insiders at Verizon and AT&T
However, while an inside accomplice may guarantee an attack’s success, too many actions by the insider may raise red flags within the telecom company. Thus, it is likely that attackers use insiders in the highest-value operations only.
Aspiring attackers can also purchase access to the telecom provider’s internal network on the dark web. A sophisticated threat actor could use that access to find the internal tools necessary for a SIM swap, or they could impersonate an employee and ask a colleague to port a number.
An actor claims to have internal tools for US and UK telecoms
Finally, actors who have the intent but not the capabilities to perform a SIM swap can procure SIM-swap services on the deep and dark web. These services are not cheap: providers may demand 70% of the proceeds of an attack, with a minimum target account of $50,000. Since this type of attack is likely to be detected if performed too frequently in the same way, operators prefer a few carefully selected, high-value targets over random victims.
SMS interception attacks, by contrast, read the victim's SMS messages without taking control of the number. One straightforward route is mobile malware: an app with SMS or notification-access permissions, or one that captures the screen, can forward incoming codes to the attacker.
Furthermore, if the telecom carrier allows users to read their text messages in their online portal, attackers can purchase compromised login credentials on the dark web and gain access this way.
There are also far more technically advanced ways to intercept messages in transit, including exploitation of Common Channel Signaling System No. 7 (SS7), the signalling protocol suite that carriers use to route calls and texts between networks. SS7 was designed for a closed club of trusted operators and has no meaningful authentication between networks, so an attacker with access to the interconnect can tell the victim's home network that the subscriber is now roaming on theirs and have the victim's SMS delivered to them, enabling eavesdropping and man-in-the-middle attacks from anywhere in the world without any contact with the victim's device. Such services are offered at premium prices in excess of $10,000, since they are technically complex, require interconnect access rather than physical proximity to the victim, and leave no trace visible to the victim.
SMS authenticate at your own risk
The ease with which cybercriminals can access text messages reinforces what the security community has understood for some time: SMS is not an adequate channel for a second authentication factor (NIST SP 800-63B, for example, classes one-time codes sent over the telephone network as a restricted authenticator). SMS takeover poses a huge financial risk to high-net-worth individuals, celebrities, and the owners of high-profile social media accounts, and even a typical consumer is not safe.
Fortunately, there are solutions. The most straightforward is to replace SMS with an authenticator that never touches the carrier network. Authenticator apps such as Google Authenticator, FreeOTP, and Authy have long been on the market; they hold a secret that is shared once at enrollment and compute time-based one-time codes on the device, so there is nothing for a SIM swap or an SS7 redirect to capture. Every account provider that offers MFA should give users the option of an authenticator app, a hardware security key, or a broader identity management or single sign-on (SSO) solution instead of an OTP over SMS, and users should adopt them whenever possible. Note that an app-generated code is still a code the user can be tricked into typing into a phishing page; phishing-resistant FIDO2/WebAuthn keys close that gap as well.
Users must also ensure that their online accounts, including financial and telecom accounts, are protected by unique, complex passwords, and they should set the account PIN or port-out PIN that most carriers now offer, so that a port request cannot be completed with the kind of identity data that is already for sale. They must be wary of opening suspicious attachments or installing unverified apps, which is how the SMS-stealing malware described above gets onto a phone.
Furthermore, telecom providers should treat number porting as a highly sensitive procedure. They must require a high level of verification before moving a number from one SIM to another, ideally confirmed out of band to the SIM that currently holds the number, and they should notify the customer on every channel they have when a port is requested. To thwart malicious insiders, they should minimize the number of employees privileged to port a number, require a second person to approve each port, and monitor per-employee porting volume so that an account being used for an unusual number of ports stands out.
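To make the insider controls concrete, here is an added example (not code from the original article) that runs two audit rules over constructed port-request log lines in a hypothetical format: a two-person rule that flags any port approved by its own requester or by nobody, and a volume rule that flags a requester who exceeds a threshold of ports within a sliding 24-hour window. The log format, field names, employee names and thresholds are all assumptions to be adapted to a real provisioning system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical format (timestamps, IDs, MSISDNs and
# employee names are made up); a real provisioning system logs differently, so LINE_RE
# is the piece to adapt.
SAMPLE_LOG = """\
2023-04-02T09:02:11Z port_request id=1001 msisdn=+15550000001 requester=emp_a approver=emp_b
2023-04-02T09:40:52Z port_request id=1002 msisdn=+15550000002 requester=emp_c approver=emp_c
2023-04-02T10:14:03Z port_request id=1003 msisdn=+15550000003 requester=emp_a approver=emp_d
2023-04-02T11:30:27Z port_request id=1004 msisdn=+15550000004 requester=emp_a approver=emp_b
2023-04-02T13:05:44Z port_request id=1005 msisdn=+15550000005 requester=emp_a approver=emp_e
2023-04-02T13:06:10Z port_request id=1006 msisdn=+15550000006 requester=emp_f approver=
2023-04-03T15:00:00Z port_request id=1007 msisdn=+15550000007 requester=emp_a approver=emp_b
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) port_request id=(?P<id>\d+) msisdn=(?P<msisdn>\S+) "
    r"requester=(?P<requester>\S*) approver=(?P<approver>\S*)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse audit lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_violations(events: list[dict], max_per_window: int = 3,
                    window: timedelta = timedelta(hours=24)) -> list[tuple[str, str, str]]:
    """Return (rule, port_id, employee) alerts for two-person-control and volume violations."""
    alerts = []

    # Rule 1: two-person control. A port must be approved by a second, distinct employee.
    for ev in events:
        if not ev["approver"] or ev["approver"] == ev["requester"]:
            alerts.append(("two_person_violation", ev["id"], ev["requester"]))

    # Rule 2: volume. Count each requester's ports inside a sliding window; an insider
    # paid per swap has to exceed the normal rate at some point, which is the red flag.
    recent: dict[str, deque] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["requester"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_per_window:
            alerts.append(("volume", ev["id"], ev["requester"]))
    return alerts


if __name__ == "__main__":
    for alert in find_violations(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, `emp_c` and `emp_f` trip the two-person rule and `emp_a`'s fourth port of the day trips the volume rule, while the same employee's port the following afternoon is outside the window and is not flagged. The threshold should be set from each carrier's own baseline rather than the value used here.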
Attackers have a tremendous number of options, and because their methods are so varied and complex, there is no silver bullet. But with a combination of awareness, procedural measures, and technical controls, telecoms, account providers, and consumers can each play a role in mitigating these attacks.