SIM-Swapping: Why SMS Authentication Is a Bad Idea
Thursday, October 11th, 2018
SMS authentication has been around for a while now. Sure, it’s a bit of a hassle to get those codes sent from your bank or your other accounts – especially if your phone’s in the next room – but at least it makes you feel safe.
Unfortunately, it’s nowhere near as safe as you may think. Two-factor authentication is an important part of beefing up your security, but SMS has some major vulnerabilities that can be used to work around the primary factor, stripping away a layer of your security and potentially making you more vulnerable than you would have been without it.
What Is SIM-swapping?
SIM-swapping is your biggest concern when it comes to SMS authentication. It involves an attacker calling up the target’s cell-phone provider and impersonating the target. The attacker tells the operator that they’ve lost their SIM card or had their phone stolen, and asks for the cell phone number to be switched over to a new SIM card, one that is in the attacker’s possession.
All the attacker needs is a bit of social engineering skill and some of the victim’s information, which can be found through social media, data leaks or phishing. With this personal information, the attacker breezes past any security questions that the operator might ask. Once everything seems to be in order, the operator will assume the request is legitimate and quickly switch the phone number over to the attacker’s SIM card.
Once it has been switched over, the number is disconnected from the victim’s SIM card and all of their calls and messages are diverted to the attacker. This gives the attacker an absurd amount of power to wreak havoc on the victim’s life.