SIM-Swapping: Why SMS Authentication Is a Bad Idea

October 11th, 2018

SMS authentication has been around for a while now. Sure, it’s a bit of a hassle to get those codes sent from your bank or your other accounts–especially if your phone’s in the next room–but at least it makes you feel safe.

Unfortunately, it’s nowhere near as safe as you may think. The concept of two-factor authentication is an important aspect of beefing up your security, but SMS has some major vulnerabilities which can work around the primary factor, stripping away a layer of your security and potentially making you more vulnerable than you would have been without it.

What Is SIM-swapping?

SIM-swapping is your biggest concern when it comes to SMS authentication. It involves an attacker calling up the cell-phone provider of their target and impersonating them. They tell the operator that they’ve lost their SIM card or had their phone stolen, and ask them to switch the cell phone number over to a new SIM card which they have in their possession.

All they need is a bit of social engineering skill and some of the victim’s information, which they can find through social media, data leaks or through phishing. With this personal information, they breeze past any security questions that the operator might ask. Once everything seems to be in order, the operator will assume the request is legitimate and quickly switch over the phone number to the attacker’s SIM card.

Once it has been switched over, the number is disconnected from the victim’s SIM card and all of their calls and messages are diverted to the attacker. This gives the attacker an absurd amount of power to wreak havoc on the victim’s life.

Many people have their accounts linked to their phone numbers and when they make changes, significant transactions or reset their passwords, a security code gets sent by SMS. If someone is the victim of SIM-swapping and their account sends them codes via SMS to reset their password, they’re in serious trouble. An attacker can click the “forgot your password?” button, which appears on almost every login screen, and the code to reset the password will be delivered straight to them.

With this code, they can change the password to whatever they want, giving them full access and locking the victim out. Attackers commonly use this technique to take control of bank accounts, cryptocurrency wallets and social media profiles in order to steal and commit fraud. They don’t have to find out the victim’s password either, which completely undermines the extra layer of security that the SMS authentication is supposed to provide.

Hackers don’t always have it so easy–it depends on the account and how it’s set up. Despite this, SIM-swapping can still be a crucial part of their journey into someone’s accounts. They can send messages from the victim’s phone number and see all of the incoming messages, which makes it easy for the attacker to find out even more information about their victim and use it to further the attack.

On top of this, if a hacker has already found out your password through phishing or by brute-forcing it, they don’t have to worry about your SMS second-factor halting their exploits. They simply enter your password, then the security code comes right to them, and into your account they go.

SIM-swapping can also buy an attacker time because the victim won’t be getting SMS notifications of the changes made to their accounts. Victims might not even notice that their phone number isn’t working. If they do, they may just think that their phone is broken. If they are aware that an attack is underway, it can be a challenge for them to get in contact with the relevant companies because their SIM card won’t work. The victim has to use a landline or someone else’s phone.

SIM-Swapping Attacks Are Booming

In the last few years, there have been numerous devastating SIM-swapping attacks. Michael Terpin, a US cryptocurrency investor, had almost $24 million worth of tokens stolen in a SIM-swapping attack. Joel Ortiz was recently charged for leading a ring of scammers who used SIM-swapping to steal $5 million worth of Bitcoin. This is just a fraction of the recent string of SIM-swapping attacks targeting cryptocurrencies. There have also been countless SIM-swapping attacks on bank accounts and people’s social media accounts.

It’s Not Hard to Spy on SMS

SIM-swapping isn’t the only vulnerability that comes from using SMS as a second factor for authentication. The protocols used for text messaging are themselves insecure. The Global System for Mobile Communications (GSM) only has optional encryption in place and the ciphers it uses are weak. This means that it’s relatively easy for attackers to read intercepted text messages.

There are also several types of malware that can be used to monitor someone’s text messages. A number of trojans, such as Zitmo, Zeus and Perkele, are specifically used to access security codes sent via text. If a user is tricked into downloading any of these, attackers can easily circumvent their second authentication factor.

If SMS Is Vulnerable, What Should You Use?

Given the vulnerabilities of SMS authentication, you should remove it from every account that you can. Unfortunately, some of your accounts might not have any other options. For these, your only course may be to hope for the best and perhaps send a complaint in the hope that the organization will change its systems. For the accounts that you can change, there may be several different choices available:

Biometrics

Biometric technology has started to become more widespread, especially since smartphones have started to become equipped with face-scanning and fingerprint technologies. While these options provide convenient authentication methods, they’re not without their costs. Biometric technology still produces both false positives and false negatives, and there is a strong movement against it for privacy and ethical reasons, as well as a number of other issues.

Despite these drawbacks, the fact that there is nothing to lose or forget makes biometric technology an appealing way to improve security. There are a number of software and hardware solutions which can be used to add a second authentication factor such as fingerprints or voice. Despite the promise, at this stage, many of our commonly used accounts can’t be linked to our biometrics, although it is certainly possible for organizations to implement this technology for their employees.

Physical Tokens

Physical tokens can be a great way for organizations and individuals to implement a second authentication factor. These can be USB sticks or specifically made devices such as the YubiKey. When used as a second factor, attackers can’t gain account access unless they have been able to get their hands on the key, even if they have managed to find out the user’s password. Considering that a significant number of attacks are caused by remote or overseas threat actors, physical tokens can prevent a lot of breaches from occurring.

Despite the security advantages of physical tokens, they still have their weaknesses. They can be lost or stolen, which at best causes inconvenience when a user cannot access their account. At worst, a stolen key can provide a stepping stone for a hacker to make their way into the account.

Authentication Apps

Authentication apps such as Google Authenticator and Duo provide a second authentication factor by sending a one-off code to the user’s phone. They are generally the most convenient and widespread alternative to SMS authentication, although they come with their own risks.

These apps have several layers of protection. The first is that most people tend to have their phones on them constantly and quickly notice if they are stolen. The one-off codes tend to be time-limited as well, which decreases the time window that hackers have to launch their attacks.

The device password provides another stumbling block which helps to prevent attackers from accessing the authentication codes. These passwords aren’t foolproof, because many devices have easy-to-guess passwords and some users aren’t particularly secretive about their codes. Despite this, the immunity of authentication apps to SIM-swapping makes them a much better option than SMS.

Securing Your Accounts

Now that you know just how vulnerable SMS authentication can be, you probably want to change all of your accounts as soon as possible. At LuxSci, we offer a range of second-factor authentication options for our customers. You can choose to have a token sent to an alternate email address, use Google Authenticator or take advantage of Duo’s integration. Each of these options will protect you from SIM-swapping, although Google Authenticator and Duo may be better choices than email.