SIM Hijacking

SIM hijacking -- or SIM swapping -- is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take over other accounts of yours. Sometimes this involves people inside the phone companies.

Phone companies have added security measures since this attack became popular and public, but a new study (news article) shows that the measures aren't helping:

We examined the authentication procedures used by five pre-paid wireless carriers when a customer attempted to change their SIM card. These procedures are an important line of defense against attackers who seek to hijack victims' phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses. We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers. We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed.

It's a classic security vs. usability trade-off. The phone companies want to provide easy customer service for their legitimate customers, and that system is what's being exploited by the SIM hijackers. Companies could make the fraud harder, but it would necessarily also make it harder for legitimate customers to modify their accounts.
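As an added illustration (not part of the original post), here is one way a service that relies on a phone number as a second or backup factor can keep that number from becoming the takeover path the post describes: never fall back to SMS when a carrier-independent factor is enrolled, and refuse SMS for recovery-style actions while the number is freshly bound or the SIM is reported as recently changed. The account fields, the thresholds and the `sim_changed_within_days` signal are all constructed assumptions, not anything the study or the post specifies.

```python
"""Choosing a second factor so a phone number cannot become the takeover path.

Added example; not code from the post. Everything here is a constructed
assumption: the account fields, the policy thresholds, and the
`sim_changed_within_days` signal (which a real service would have to obtain
from its carrier relationship, a support ticket, or the user's own report).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Set


class Factor(str, Enum):
    HARDWARE_KEY = "hardware_key"   # U2F/WebAuthn: not reachable via the carrier
    TOTP = "totp"                   # authenticator app: not reachable via the carrier
    SMS = "sms"                     # delivered to whoever holds the number


class Action(str, Enum):
    LOGIN = "login"
    PASSWORD_RESET = "password_reset"
    CHANGE_2FA = "change_2fa"
    PAYOUT = "payout"


# Actions where a hijacked number is most damaging: anything that resets or
# replaces credentials, or moves money.
HIGH_RISK = {Action.PASSWORD_RESET, Action.CHANGE_2FA, Action.PAYOUT}

PHONE_REBIND_COOLDOWN = timedelta(days=7)   # assumption
SIM_CHANGE_WINDOW_DAYS = 7                  # assumption


@dataclass
class Account:
    enrolled: Set[Factor]
    phone_changed_at: Optional[datetime] = None    # when the SMS number was last (re)bound
    sim_changed_within_days: Optional[int] = None  # constructed signal; None = unknown


@dataclass
class Decision:
    factors: List[Factor]   # empty = do not proceed online; use out-of-band support verification
    reason: str


def choose_second_factor(acct: Account, action: Action,
                         now: Optional[datetime] = None) -> Decision:
    now = now or datetime.now(timezone.utc)
    strong = [f for f in (Factor.HARDWARE_KEY, Factor.TOTP) if f in acct.enrolled]
    if strong:
        # Never offer SMS as a "backup" when a carrier-independent factor exists;
        # that fallback is exactly what a SIM swapper needs.
        return Decision(strong, "carrier-independent factor enrolled; SMS not offered")

    if Factor.SMS not in acct.enrolled:
        return Decision([], "no second factor enrolled")

    if (acct.sim_changed_within_days is not None
            and acct.sim_changed_within_days <= SIM_CHANGE_WINDOW_DAYS):
        # A fresh SIM change is indistinguishable from a hijack; stop trusting the number.
        return Decision([], "SIM changed recently; SMS not trusted for any action")

    if (action in HIGH_RISK and acct.phone_changed_at is not None
            and now - acct.phone_changed_at < PHONE_REBIND_COOLDOWN):
        # Classic takeover sequence: rebind the number, then "recover" the account.
        return Decision([], "number rebound within cooldown; high-risk action needs support verification")

    return Decision([Factor.SMS], "SMS accepted (weakest acceptable factor)")


def demo() -> Dict[str, List[Factor]]:
    """Constructed scenarios; returns {scenario name: factors offered}."""
    now = datetime(2020, 1, 21, 6, 30, tzinfo=timezone.utc)
    scenarios = {
        "key_enrolled_reset": (Account({Factor.HARDWARE_KEY, Factor.SMS}), Action.PASSWORD_RESET),
        "sms_only_login": (Account({Factor.SMS}), Action.LOGIN),
        "sms_only_recent_sim": (Account({Factor.SMS}, sim_changed_within_days=2), Action.LOGIN),
        "sms_only_rebound_payout": (Account({Factor.SMS}, phone_changed_at=now - timedelta(days=1)), Action.PAYOUT),
        "sms_only_old_rebound_reset": (Account({Factor.SMS}, phone_changed_at=now - timedelta(days=30)), Action.PASSWORD_RESET),
    }
    return {name: choose_second_factor(acct, act, now).factors for name, (acct, act) in scenarios.items()}


if __name__ == "__main__":
    for name, factors in demo().items():
        print(f"{name:28s} -> {[f.value for f in factors] or 'out-of-band verification'}")
```

The two denials return an empty factor list rather than "try SMS anyway", on the reasoning that the carrier-side check the study found to be weak is the one thing the service cannot fix itself, so the service has to stop leaning on it at exactly the moments a swap would pay off.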

Posted on January 21, 2020 at 6:30 AM • 29 Comments

Comments

Curious • January 21, 2020 7:18 AM

Seems to me that one's mobile phone infrastructure and services ought to be as safe as banking services online. I wonder if using bank services online is as safe in the US as in Europe (assuming, ofc, one might be allowed to generalize there for a moment).

I will admit, despite all the terrible things in computer security over the years, I guess I feel fairly safe using my bank online. Less so when buying stuff online using your credit card.

Ofc, I do remember that moment when that one guy in an online multiplayer game, a stranger even, asked me how much money I had in my bank. Sure, it might have been a poorly worded question, but it seemed clear enough. I told him my bank savings were none of his business.

Sok Puppette • January 21, 2020 8:14 AM

The really interesting thing about this is how it got to be a Thing(TM).

It's always been easy to do this, but for a long time it flew below the radar. People didn't think it was an issue because it didn't happen. It didn't happen because it was only infrequently valuable.

Then some idiots started trying to use phones for Two Factor Authentication(TM), and some even bigger idiots started pushing that cheesy hack as a Universal Best Practice(TM). That directed massive pressure onto this weak point. Getting control of phone numbers became a "top of mind" issue for criminals. They started developing expertise and making it routine.

... and now people are freaking out. The same people who put enormous strain on a weak system, and tried to use it to protect value vastly beyond what it was prepared for, are Oh So Surprised when it breaks.

Feh.

K.S. • January 21, 2020 8:50 AM

If I design a system where reading tea leaves is used as a second factor authentication, I should be held accountable when such a system fails to deliver reliable authentication. It would be entirely unreasonable to fault tea and cup suppliers for shortcomings in my design.

So could someone explain why we expect telecoms, that have never been good at security, to offer us a robust foundation for 2FA all while not charging us extra for such service?

I think this failure is entirely on InfoSec architects that never paused to consider how reliable an authentication factor a cell phone number would be. It is NOT security vs. usability, as you are evaluating security of one process against usability of an entirely different and unrelated process when the obvious solution is to decouple these.

Impossibly Stupid • January 21, 2020 10:37 AM

@Curious

Seems to me that one's mobile phone infrastructure and services ought to be as safe as banking services online.

Rubbish. The only reason banking services can be safely offered online is because they layer protections on top of a public Internet that is itself inherently insecure. The fact that smart phones have replaced personal computers for a lot of people in the last decade changes nothing in that respect. Prior to that, phones were not deeply tied to individual people, making the entire infrastructure built to be as safe and clean as a needle shared by junkies.

I'm in the camp that says this push towards "One Device to Rule Them All" is inherently flawed. Convenient though it may be, from a security perspective it makes zero sense to be managing all your finances with something you carry everywhere in your pocket. The fact that it is also treated as its own 2FA is just ludicrous, whether or not SIMs can be hijacked.

Noah • January 21, 2020 12:02 PM

I have a dedicated Google voice number just for 2FA (when there is no better option than text). The account has advanced protection turned on and requires a physical U2F key. Not perfect but a lot better than trusting my phone company.

Winter • January 21, 2020 1:03 PM

"It's a classic security vs. usability trade-off."

More like the phone companies could not be bothered to do anything that might hurt this quarter's sales. The customer can be left to reassemble the pieces.

This is not a thing in Europe because the phone companies there are held responsible, it seems.

Clay_T • January 21, 2020 1:15 PM

"I think it's more important to protect your data in internet in 21st century. Nowadays all companies use our data as they wish so we need to do smth. Check this out hxxps://procollegeessays.com/examples/importance-of-data-security-and-data-safety/. I found here a lot of interesting. Hope you will also."

Article appears to be a little behind the times.

"...the most used browsers are Internet Explorer and Netscape Navigator."

Clive Robinson • January 21, 2020 1:38 PM

@ Sok Puppet,

Then some idiots started trying to use phones for Two Factor Authentication(TM), and some even bigger idiots started pushing that cheesy hack as a Universal Best Practice(TM).

I was one of the people who pushed for the use of mobile phones as a separate side channel for authentication via SMS --unreliable at the time-- or by auto-call[1], back last century.

Now you can shout and scream at me if you wish, but please remember you are judging me and others by a current world view, not that of nearly a quarter of a century ago.

Since then we have had at least 14 generations of technology updating, one of which is Smart Devices. Most attacks on modern Smart devices won't work against old dumb phones...

Thus you need to view the decisions made twenty years or so ago in not just the technology of the time, but also the realistic projections of where technology was going at the time. I can assure you that back then neither the Internet or the modern smart devices to connect to it were much above the noise floor in their crystal balls. You will find some place on this blog the fact that when I realised where things were going I tried to come up with a fix for SMS as a side channel for transaction authentication. I realised that the average human was not capable of doing the work required so looked for something that was easy for humans but difficult for computers. Those god-awful "capatchers" came to mind, but what I did not know at the time was that you could rent people at a couple of cents each to read them... so not a good idea :-(

The simple fact is with the advances in smart phones security becomes harder and harder because of the increasing levels of integration...

[1] Auto call really was a very bad idea; however, at the time I was working for an organisation that worked with what was at the time a major player in the "voice-recognition" market. So against my better judgment it got put into presentations etc. by those on a higher pay grade, and they put my name against it as the technical representative... Which made me hunt out a solution to the unreliability of SMSs due to the fact they were a secondary service, which is to send a no-ring call to the phone (i.e. a primary service). The network will let you know if the phone is both on, in range and connected, which means that the information needed to send an SMS gets updated in the phone company's location database with valid information before you send out the SMS. Since then the mobile phone operators have improved the reliability of their location databases so fewer SMSs get delayed or dropped, but it still happens, so you need to build in fault tolerance. The problem with certain types of fault tolerance in security is that under some circumstances it can be used as a partial or full attack vector[2], thus you need to know how to do things in a certain way.

[2] To see why fault tolerance can weaken security, think about "password retry". In effect it's a fault tolerance mechanism against "line noise", but because it allows retries with different passwords it weakens password security; it's a "Catch-22". Though not all fault tolerance systems weaken security; for instance some types of Forward Error Correction significantly help with line noise, but do not really weaken security if you do it correctly. The trick is knowing what "do it correctly" really means, and that is by no means common knowledge.
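An added example, not Clive Robinson's code, that puts numbers on the "password retry" footnote above: a retry policy that tolerates a few mistyped or garbled submissions (exponential back-off rather than a hard lock), plus a small simulation that counts how many distinct guesses such a policy lets through in a day, which is the number of bits of password entropy the retry allowance gives away. The delay schedule and the window are constructed assumptions, not anyone's production settings.

```python
"""Password-retry throttling: fault tolerance for typos and line noise that
bounds, rather than removes, the guessing it allows.

Added example (not from the comment above). The delay schedule and window
sizes are constructed assumptions, not anyone's production settings.
"""
import math
from typing import Dict, Tuple


class RetryPolicy:
    """Exponential back-off: the n-th consecutive failure costs base * 2**(n-1)
    seconds of waiting, capped at max_delay_s. A user who mistypes twice waits
    a few seconds; an attacker cycling through candidates is slowed to a crawl."""

    def __init__(self, base_delay_s: float = 1.0, max_delay_s: float = 3600.0):
        self.base_delay_s = base_delay_s
        self.max_delay_s = max_delay_s

    def delay_after(self, failures: int) -> float:
        """Seconds the account must wait after `failures` consecutive failures."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay_s * 2 ** (failures - 1), self.max_delay_s)


class Throttle:
    """Per-account state: consecutive failures and the time the next attempt
    may be made. Successful verification clears the state."""

    def __init__(self, policy: RetryPolicy):
        self.policy = policy
        self._failures: Dict[str, int] = {}
        self._not_before: Dict[str, float] = {}

    def check(self, user: str, now: float) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait) for an attempt by `user` at `now`."""
        wait = self._not_before.get(user, 0.0) - now
        return (wait <= 0, max(wait, 0.0))

    def record_failure(self, user: str, now: float) -> float:
        """Register a wrong password; return the delay imposed, in seconds."""
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        delay = self.policy.delay_after(n)
        self._not_before[user] = now + delay
        return delay

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._not_before.pop(user, None)


def guesses_in_window(policy: RetryPolicy, window_s: float) -> int:
    """Simulate a guesser who submits a new candidate the instant the back-off
    expires; count the attempts that start within window_s seconds."""
    t = 0.0
    n = 0
    while t <= window_s:
        n += 1
        t += policy.delay_after(n)
    return n


def entropy_given_away_bits(guesses: int) -> float:
    """Allowing `guesses` online attempts is worth log2(guesses) bits against a
    uniformly chosen password: the retry allowance is a measurable weakening."""
    return math.log2(guesses) if guesses > 0 else 0.0


if __name__ == "__main__":
    policy = RetryPolicy()
    day = 24 * 3600
    g = guesses_in_window(policy, day)
    print(f"back-off policy: {g} guesses/day ~ {entropy_given_away_bits(g):.1f} bits")
    unlimited = 10 * day  # 10 attempts/s with no throttle, for comparison
    print(f"no throttle:     {unlimited} guesses/day ~ {entropy_given_away_bits(unlimited):.1f} bits")
```

With these assumed parameters the back-off allows 35 attempts per day, about 5 bits, against roughly 20 bits for an unthrottled endpoint; the legitimate user who fat-fingers a password twice pays three seconds. The throttle is keyed per account, so the remaining risk to weigh is an attacker deliberately filling an account's back-off to lock its owner out, which is the "attack vector" the footnote warns about and why the cap is an hour rather than a permanent lock.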

K.S. • January 21, 2020 2:08 PM

@Clive Robinson

I think you're doing a bunch of revisionism here. I worked for a small VOIP telecom during the late 90s, and at the time the procedure for porting was "fax in a form" to transfer any number with hardly any verification. Occasionally honest mistakes would happen and we would fill in another form to reverse the change. The only limitation at the time was that you couldn't transfer landline to cell and vice versa. I maintain that it was always easy to steal someone's phone number. This was true before cellphones were a thing and this is still true after smartphones became standard equipment.

Clive Robinson • January 21, 2020 2:33 PM

@ Bruce,

[Service Provider] Companies could make the fraud harder, but it would necessarily also make it harder for legitimate customers to modify their accounts.

You've not mentioned other reasons why the service providers do not want to make it harder.

Firstly, the cost of increasing the security, especially to stop "insider attacks", would be immense, and gain the service providers no benefit whatsoever. Their profit margins are not what they once were, so unless regulation is passed making all service providers put in the required measures it is not going to happen (hence it's another fail for those claiming "the free market and deregulation" is a good thing etc.).

But as you note it would make life "harder for legitimate customers"; this has a knock-on effect of "customer dissatisfaction" which is unfair on the service providers. That is, whilst this appears to be a major security issue, it actually affects very few of the service providers' customers. And let's face it, it is the customers, fraudsters and financial organisations that are really at fault, not the service providers.

Even if regulators and legislators put a requirement on the service providers and they followed it scrupulously, the financial fraud aspects would just continue by moving to another attack vector.

Because it's not the technology that is failing, it's a failing of the financial organisations and the customers. And the financial organisations have absolutely no intention of stopping the way they have externalised the risk; they have profited greatly by shutting down bank branches and laying off very large numbers of staff. Worse, the customers don't want security; what they want is twofold,

1, Convenience.
2, Someone to blame for their failings.

And as long as those two hold prevalence with sufficient of the financial organisations' customers, the fraudsters will keep up the attacks irrespective of the underlying method used to make the attacks.

Simplistically, when the strength of the links in a security chain is decided by two or more unrelated parties, each of the parties will seek to spend the least they can on the links they have responsibility for and externalise as much of the risk as possible onto the other parties involved.

How you would even think to solve this problem would be a topic for a whole different thread.

SpaceLifeForm • January 21, 2020 3:32 PM

@ Clive

"The network will let you know if the phone is both on, in range and connected, which means that the information needed to send an SMS gets updated in the phone company's location database with valid information before you send out the SMS."

Related.

Try sending a text (SMS) to a POTS number.

Watch how fast SS7 will respond that it is not deliverable.

Lightning.

Therefore, it is easy to enumerate POTS numbers.

SpaceLifeForm • January 21, 2020 3:39 PM

@ Clive

Actually, it does not have to be POTS.

It could be VOIP.

Still, Lightning.

The key is that it is NOT CELL.

Steve • January 21, 2020 5:34 PM

Bruce sez:

Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take over other accounts of yours.

An argument to eschew using your phone as a "security measure or backup verification system" if I ever heard one.

lurker • January 21, 2020 6:20 PM

@Steve, Bruce, All

"It's a classic security vs. usability trade-off. The phone companies want to provide easy customer service for their legitimate customers..."

The heist is a transaction I would never expect to do over the phone, smart or POTS, and I wouldn't expect my phone Co. to do it over the phone either. Even tho' they're a phone Co. I've hung up on callers pretending to be my bank. Just more evidence justifying P.T.Barnum's oft mis-quoted line about under-estimating the intelligence of the American public.

Clive Robinson • January 21, 2020 6:40 PM

@ K.S.,

I think you're doing a bunch of revisionism here.

Sorry, no, I'm not the one doing "revisionism" here; go back and read what I wrote.

You will find I did not in the slightest talk about how easy or not it was to change somebody's number at any point in time. Which is essentially what the bulk of your posting was about.

What I was explaining was how SMS started to be used on dumb mobiles as an independent side channel.

Whilst it has been possible for any one of tens of thousands of Telco insiders to change a phone network number to a different physical device as @Sok Puppet noted,

    It's always been easy to do this, but for a long time it flew below the radar. People didn't think it was an issue because it didn't happen. It didn't happen because it was only infrequently valuable.

What started to make it "valuable" was Smart devices such as Smart Phones.

Prior to Smart Phones, discovering the mobile phone number of a bank account holder was actually quite difficult and needed either the bank or account holder to be in some way complicit. Such as sending or receiving an Email with all the details of the account and mobile phone number.

Smart Phones enabled an Internet-only attacker to get into the user's bank application etc. and also discover the phone number, because early Smart Phones made the Subscriber Number details etc. easy to interrogate.

As @Bruce has noted,

    Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take over other accounts of yours.

It's the fact that,

1, SMS etc. is no longer an independent side channel on a smartphone.

2, Smartphones are insecure by design. Thus most applications that run on them, no matter how carefully they are designed, are not secure because an attacker can use an "IO Shim" to see the plaintext User Interface or any data stored on the smartphone, including the phone's own number.

So I'm finding it difficult at best to see what it is you think I've put in the thread before your comment that gives you cause to say,

I think you're doing a bunch of revisionism here.

Rachel • January 21, 2020 7:43 PM

Space Life Form

love your posts here. You are a really welcome presence
And your occasionally under the radar references to who you are, who you know, or who may know you (!)

2FA is required for some online services. My suggestion, posted here but one I've not seen anywhere else. Which should be bleedin' obvious, as Clive would say:

use a non-public, non-distributed number for the 2FA. This should really become a mainstream recommendation, seeing as the animals bolted out of the barn long ago and 2FA is part of the narrative

Get a SIM specifically for this purpose. If it's legal to do so, better yet get your significant other to sign up for the SIM for you.

And sign up for services over the phone, so that number never needs to be communicated over the internets.

Get a dumb phone especially for this purpose, switched off all the time, which becomes your personal 'authenticator' with handy calculator and alarm built in.

there's multiple aspects of the attack surface removed.

Rachel • January 21, 2020 7:47 PM

Passwords or tokens are one thing. But, remember the advice from the unix mainframe days. Don't let anyone know your username.

Who? • January 22, 2020 3:30 AM

@ Rachel

Passwords or tokens are one thing. But, remember the advice from the unix mainframe days. Don't let anyone know your username.

In fact, this one is the reason sometimes email servers allowing local access to them map email aliases to real usernames instead of using the last ones as the public-facing email addresses.

On a more serious side, I know for sure a lot of users on our network have usernames that are clearly stronger than their passwords. No joking. I have identified at least four of them.

Clive Robinson • January 22, 2020 7:06 AM

@ Fazal Majid,

As for Telcos, many have outsourced so many core operations they wouldn’t be able to get a grip even if they wanted to, as with this excellent article by my former colleague Bert Hubert:

I've been warning about the dangers of out-sourcing on this blog for so long now, it's kind of like being a "One man band, playing 60's favourites on the street corner".

I first saw the effects of out-sourcing on a UK industry with the demise of UK consumer goods manufacturing companies, back in the 60's and through the 70's. Followed by the demise of the UK companies who had been their suppliers during the 70's and 80's. The easiest to see was the use of first cheap then very expensive CRTs from Japan, which destroyed the UK Television manufacturing industry.

For my sins I was also involved with the "out-sourcing of technology" in both the petro-chem and telecommunications markets, where all but one of the companies I worked for are now gone by take-over or competition that could not be fought. Again from the Far East with significant backing from their governments. Now we have China "doing the same" whilst most western nations get little or no support from their governments; in fact in the UK and US there is active hostility via lobbying from both out-sourcing recommending accounting firms and other parts of the Finance Industry.

The real harm out-sourcing does is, surprisingly to many, not the immediate movement of economic churn, which is very devastating in its own right, but is in the longer term as bad as civil conflict. That is, the brightest and best effectively are forced to "up-sticks" and become refugees in another country, often one that has benefited from the economic churn, and they don't come back except maybe to die. Sadly it's not just their expertise that goes with them never to return, but also the mentoring and training that support the often dry academic teaching, because all engineers, unlike some scientists, can not work on theory alone; engineers are, if you like, similar to thoroughbreds / athletes: they have to be bred, nurtured, raised, and exercised until honed; teaching just helps the process of making an engineer. Teaching is not, as politicians and others seem to think, the way to make engineers, or for that matter anyone covered by "STEM" as a domain of expertise; they need to have "opportunity" and "reward" along with other socio-economic benefits, not for a few years but a lifetime, so that they can see it is worth investing their life in.

As I think Bert Hubert's article should be read by all the readers of this blog I've posted the link on the latest Friday Squid page,

https://www.schneier.com/blog/archives/2020/01/friday_squid_bl_712.html#c6804614

lurker • January 22, 2020 3:16 PM

@Fazal Majid:
the berthub link is interesting, but his comments are blindingly obvious to one who has been on the tech side most of his life. It begs the question: have they also outsourced their common sense?

I'm currently re-reading "Revolution in the Valley", Andy Hertzfeld's account of the birth of the Macintosh computer, with fascinating observations of the tension between techs, thinking of the product and the customer; and management thinking of Wall St. and the shareholder. This dichotomy may have come from the rush of neo-liberal economics in the '80s. There was a stampede in this part of the world for companies to rebrand as corporations, amending their Articles of Association to assume the "rights and privileges" of a natural person, but ignoring the corollary "duties and obligations." Like obeying the law, and paying tax. The trading in shell companies means a so-called telco doesn't even need to consider the users of the remnant service it hides behind.

I must be very lucky that my telco, a large well-known international shop, keeps real humans who know what they're doing in my local High St. I did a SIM swap once, over the counter. I now doubt their records will show that personal detail.

Jiri Stary • January 22, 2020 3:29 PM

In my country, somewhere in the EU, SIM swapping is not so common, because you have to prove your identity with a government-issued ID card to get a SIM replacement. So the bad guys either have to bribe some employees, fake an ID or hack the ISP to get to that.

Still I hope that WebAuthn will be ubiquitous soon

SpaceLifeForm • January 22, 2020 3:47 PM

@ Rachel

2FA is required for some online services.

[Avoid online services. Shop locally. Support your local economy. Do not bring phone inside store]

use a non-public, non-distributed number for the 2FA.

[You just lost. The first time the 2FA occurs, you are correlated because you had to give up PII to get the number. If you try the burner phone route, then what happens if that phone is gone, but you forgot your online account password? You will be stuck resetting via email, right?]

[I would not trust the app called Burner]

SpaceLifeForm • January 22, 2020 4:05 PM

@ Rachel, Who?

My username is 'root'

No email allowed.

Probably best to have at least 3 domains. Public servers, internal email, external email.

Yeah, they may cross-leak, esp. if user does not follow best practices.

But that can be caught or detected.

Petre Peter • January 22, 2020 7:35 PM

I am still wondering why some famous company won't let me change my password without knowing the answers to my security questions even though I know my current password.

SpaceLifeForm • January 23, 2020 2:19 PM

@ Petre Peter

Because, it is for your protection.

With all of the dumps discovered, and that many users reuse passwords, an attacker can discover a username/password combo that works.

If the attacker can get into your account, yes, sure, that is a problem.

But, if the attacker can change your password and lock you out of your account, that is a bigger problem.

The security questions usually prevent social engineering attacks directed at the tech support of the service.

Free services usually require security questions.

Non-free services usually have a security code and/or security questions.

Free services that require no security questions, well, may imply you are the product.

SpaceLifeForm • January 23, 2020 2:38 PM

@ Petre Peter

Changing passwords every X days is security theatre.

No reason to do so unless you know the hashes were dumped somewhere.

I have some that have not ever been changed in now nearly 2 decades.

I keep them on postit notes by my computer, but not on the monitors. I hide them under the keyboard or mousepad. ;-)

SpaceLifeForm • January 24, 2020 1:46 PM

@ Petre Peter

Here is a timely example of social engineering to take over a domain. I'm not saying that an email account was compromised in this case, but if an email account associated with a domain (as an admin of the domain) can be controlled, then it certainly can make stealing a domain name easier.

In this case, a tech was fooled by a video, instead of following procedure.

But, the domain owner (well known) has contacts, and was able to get his domain name back relatively fast. Most domain owners would not recover quickly, if ever.

hxxps://krebsonsecurity.com/2020/01/does-your-domain-have-a-registry-lock/
