The premise is simple: even if a password is compromised, the attacker couldn’t take over the account without having access to the user’s text messages..
But those days are long over. Anyone that has paid attention to security might have heard of SIM swapping, which has been used in high-profile incidents to target high-net-worth individuals and crypto-currency investors.
Read: Dialed in - how attackers can gain access to your SMS
While SMS compromise isn’t new, research on the cyber underground shows how much its techniques have proliferated. The widespread availability of these tactics and techniques poses broadly increased risks for telecom companies, financial services firms, and consumers that use 2FA to secure accounts and information.
Broadly, threat actors can gain access to a victim’s SMS messages through two means: SIM swapping, which ports a target's SIM information to an attacker’s phone, and SIM interception, in which an attacker can read a target’s SMS messages without taking over the number.
People lose or replace their phones every single day. When they get a new phone, they want it to have the same number. Telecom companies are interested in making it convenient to switch phones in these situations. It’s just basic customer service.
And therein lies a huge weakness. While this process is fully legitimate when the owner requests it, it can be highly damaging when someone else changes the number.
This process is susceptible to social engineering techniques. While a certain level of reconnaissance is required, a scammer could impersonate a high-value target and get control of their phone with the unwitting help of the mobile phone company. On the dark web, threat actors sell ‘fullz’ - complete rosters of personal information that includes names, credit card numbers, expiration dates, ATM pins, phones, driver’s license info, date of birth, mother’s maiden name, IP address, and more.
Read: Know what's out there - monitor the dark web in real time
In the figure above, we see a threat actor offering information on customers from several major U.S. carriers.
In addition to social engineering, threat actors can recruit malicious insiders at telecom companies, possibly offering them a share in the proceeds.
However, while an inside accomplice may guarantee an attack’s success, too many actions by the insider may raise red flags within the telecom company. Thus, attackers likely use insiders in the highest-value operations only.
Aspiring attackers can also purchase access to the telecom provider’s internal network on the dark web. A sophisticated threat actor could use that access to find the internal tools necessary for a SIM swap, or they could impersonate an employee and ask a colleague to port a number.
Finally, actors with the intent, but not the capabilities, to perform a SIM swap can procure SIM swap services on the deep and dark web. These services are not cheap. Service providers can request 70% of the proceeds of an attack, with a minimum target account of $50,000. Indeed, considering that this type of attack is likely to be detected if performed too frequently in the same way, it is better to go after a few selected, high-value targets instead of random victims.
Meanwhile, in SMS interception attacks, actors read the victim’s messages without gaining control of their number. One straightforward way to do so is through mobile malware, which can allow attackers to view the screen.
Furthermore, if the telecom carrier allows users to read their text messages in their online portal, attackers can purchase compromised login credentials on the dark web and gain access this way.
But there are far more technically advanced ways to intercept messages out of thin air, including exploiting the Common Channel Signaling System No. 7 (SS7), the leading protocol for global mobile communications. It is vulnerable to eavesdropping and man-in-the-middle attacks. Such services are offered for premium prices in excess of $10,000, since they are technically complex, require physical proximity to the victim, and leave no apparent trace.
SMS authenticate at your own risk
The ease with which cybercriminals can access text messages reinforces the conventional understanding that the SMS protocol is inadequate for two-factor authentication. SMS takeover poses a huge financial risk to high-net-worth individuals, celebrities, and even the owners of high profile social media accounts. Even a typical consumer is not safe.
Fortunately, there are some solutions. The most straightforward one is to use an alternative for authentication over SMS. Authentication apps like Google Authenticator, FreeOTP, and Authy have long been on the market. Every account provider that offers MFA should offer users the option of using one of these apps, or a broader identity management or single sign-on (SSO) solution instead of receiving an OTP over SMS. Users should adopt them whenever possible.
Read: Prevent ransomware attacks with early warning solutions
Users must also ensure that their online accounts, including financial and telecom, are protected by unique, complex passwords. They must be wary of opening suspicious attachments or downloading unverified apps to avoid malware infection.
Furthermore, telecom providers should treat number porting as a highly sensitive procedure. They must require extremely high levels of verification from a user to port a number from one SIM to another. To thwart malicious insiders, they should minimize the number of employees privileged to port a number and consider implementing two-person control for the procedure to take place.
The bad guys have many options, and because the ways they attack are so varied and complex, there’s no silver bullet. But with a patchwork of awareness, procedural measures, and technical controls, everyone, including telecoms, account providers, and consumers, can play a role in mitigating these attacks.