How Wireless Carriers Open the Door to SIM Swapping AttacksResearchers Identify Poor Authentication Techniques for Prepaid Accounts
Five major U.S. prepaid wireless carriers - AT&T, T-Mobile, Verizon, Tracfone and US Mobile - are using poor account authentication procedures and techniques that leave their customers open to SIM swapping attacks, according to researchers at Princeton University.
Attackers can sometimes easily subvert these authentication procedures by guessing information and then hijacking a victim's account and identity, according to the researchers' new study.
Their report, "An Empirical Study of Wireless Carrier Authentication for SIM Swaps," also examined 145 websites, including social media platforms, email providers and cryptocurrency exchanges, which use phone-based authentication to identify a user's identify. The researchers found that 17 of these sites could be compromised through a SIM swap attack, enabling the attacker to gain full access to compromised accounts, including personally identifiable information.
The Princeton researchers conclude that the five wireless carriers and their customer support staff have created poor authentication procedures that leave customers' identity and accounts open to hacking.
"We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers," the researchers write. "We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed."
The researchers offer several recommendations for changing their authentication methods, including greater use of multifactor authentication, eliminating the use of personal details to prove a customer's identity and better training for support staff.
The SIM Swapping Threat
Over the last several years, SIM swapping has become a growing concern. The FBI has highlighted the issue, and the U.S. National Institute of Standards and Technology lists SIM swapping as a major mobile security threat.
These types of attacks can be accomplished in several ways. One is to persuade a carrier's customer service representative to move a phone number to a different SIM card - a swap - or port it to another carrier. In other cases, criminal gangs may work with an employee of a mobile operator, who is then able to bypass security mechanisms and transfer a subscriber's number.
By hijacking the victim's phone, an attacker can then gain access to victims' online services and accounts, because many providers use mobile numbers as part of the authentication process, such as in two-factor authentication.
In November, the U.S. Justice Department charged two Massachusetts men with allegedly running a years-long scheme that used SIM swapping and other hacking techniques to target executives in order to steal more than $550,000 worth of cryptocurrency (see: DOJ: Pair Used SIM Swapping Scam to Steal Cryptocurrency).
In August, Twitter CEO Jack Dorsey's, personal account was compromised and used to send out racist messages. Security analysts believe that the attackers may have used a SIM swapping technique to compromise the account.
Poor Authentication Procedures
For nearly a year, the Princeton researchers examined the authentication procedures of the five wireless carriers. The team signed up for 50 prepaid accounts - 10 for each carrier - and then attempted a SIM swap for each account.
In all 50 cases, the research team used the phones for a period of time to create a history of phone calls and text messages before attempting the SIM swap. The team members would then pose as fraudsters and call the different carriers' support desks to get the SIM card swapped.
In most cases, the carriers' support center would ask for a PIN to start the process, but the research team members were told to provide the wrong one, which then led to a series of questions designed to attempt to verify the caller's identity, according to the study.
Once customer support began asking questions, the team members would either feign ignorance, offer misleading information or claim that they were sloppy or careless inputting details when creating the original account.
"When providing incorrect answers to personal questions such as date of birth or billing ZIP code, they would explain that they had been careless at signup, possibly having provided incorrect information, and could not recall the information they had used," the report notes.
If customer service then attempted to use other means to authenticate the account, such as asking about the last payment details or recently dialed or received phone numbers, the research team members were able to easily bypass those questions as well because the accounts were prepaid and that information was readily available, the report notes.
"To obtain payment information, an adversary can first purchase a refill card for the victim's mobile carrier at, for example, a convenience store," the research report notes. "After dialing into the payment system, he can enter the victim's phone number and redemption code on the refill card to add value to her account. Once the payment is accepted, the adversary - now with complete knowledge of the most recent payment - can call the carrier to request a SIM swap and successfully pass payment record verification."
Before publishing their paper in January, the Princeton researcher shared their research with all five carriers. Only T-Mobile responded and noted that it would no longer use call logs as part of its authentication process.
The research was also shared with CTIA, the trade association that represents the wireless industry. Nick Ludlum, senior vice president and chief communications officer for the association, told Information Security Media Group that these carriers are committed to fighting SIM swapping attacks.
"We continuously review and update our cybersecurity practices and develop new consumer protections," Ludlum says. "We all have a role to play in fighting fraud and we encourage consumers to use the many tools highlighted in this study to safeguard their personal information."
Shahrokh Shahidzadeh, the CEO of security firm Acceptto, believes that SIM swapping reflects a fundamental flaw in using two-factor authentication that relies on sending a pass code via an SMS message.
"While two-factor authentication is intended to give you a level of assurance that your accounts are only being accessed by yourself, note that they are insufficient," Shahidzadeh tells ISMG. "In this case, the SMS messages are being used to validate a fraudulent use of your accounts but are defeated simply because the threat actor now virtually holds your phone and identity, hence most likely your emails and then all associated credentials for various services tied to your emails are also compromisable."
The Princeton researchers describe several steps that wireless carriers could take to improve the authentication process and cut down on SIM swapping. These include:
- Discontinuing using personal information, account information, device information, usage information and security questions as part of the authentication process;
- Using a website or application login with a one-time password sent through a voice call, which can eliminate using customer data and personal information to access the account;
- Require all customers to use multifactor authentication;
- Notify customers when attackers attempt to access an account;
- Restrict the information to which customer service has access to prevent representatives from "leaking" personal data and information to attackers;
- Publish all the ways customers can access and authenticate their accounts in order to eliminate confusion over what information they need;
- Better train customer service representatives about SIM swapping and authentication techniques.