A recent story about a Canadian teen arrested for a $50m SIM-swapping scam is just the tip of the iceberg. SIM jacking, as it’s commonly known, is rife. Now, researchers have analyzed US mobile carriers’ security and checked up on website authentication techniques to find out why.
SIM jacking attackers work by convincing phone carriers to reassign a victim’s phone number to a new SIM card, fooling operators by answering authentication questions correctly or bypassing them altogether. It has become such a problem that the National Institute of Standards and Technology (NIST) deprecated SMS as a multi-factor authentication (MFA) method in 2016.
Researchers from the Department of Computer Science and Center for Information Technology Policy at Princeton University analyzed five prepaid wireless carriers’ authentication procedures to understand how they processed requests to change SIM cards.
They signed up for 50 prepaid accounts across AT&T, T-Mobile, TracFone, US Mobile, and Verizon Wireless and then called to request a SIM swap on each account.
“We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers,” they said. “We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed.”
The researchers intentionally answered operators’ requests for a PIN incorrectly, leading call center staff to ask for a second piece of authentication information. This could be two recently dialed numbers, which might be guessable.
An alternative piece of authentication data was the amount of the last payment made on the account. That’s insecure because in some cases, an attacker could purchase a payment card and credit the victim’s account without authorization, automatically giving them that information, the academics said.
Other kinds of information used to verify a caller included account or device information, or security questions. The latter are a known security weakness. Answering obvious security questions enabled a hacker to hijack Sarah Palin’s Yahoo account.
The researchers would correctly provide the second type of information requested, which would trigger the operator to perform the SIM swap. They succeeded in all attempts to hijack AT&T and T-Mobile accounts, along with Verizon. They compromised six of 10 TracFone SIMs, and three US Mobile numbers.
The problem doesn’t just lie with carriers. Insecure websites are the other piece of the puzzle. The researchers checked the authentication policies on 145 websites to see how insecure they were when authenticating users.
The results here were slightly better, but not great: 83 sites recommended or mandated insecure configurations, the researchers found. Of them, 14 had SMS as their sole MFA option, and 10 websites used MFA as a backup for users who couldn’t authenticate using their primary method.
It’s time for carriers to tighten up their customer authentication measures, the researchers concluded. Websites should eliminate or at least discourage SMS-based MFA, implementing at least one secure MFA option. As long as people keep using SMS to help verify a customer’s identity, accounts will keep getting hijacked.
