SIM Swapping Poses New Problems for Phone Security

Typically, the text message comes in late at night. Many people might ignore it.

"You're on the phone with your carrier and just authenticated with an alternative method. Not you? Please call us."

This is what happened to Cody Brown, a software developer and entrepreneur, late one night. He called the number, but his carrier was closed. Eleven minutes later, the attackers had changed his Gmail password. Then his Coinbase password got reset.

Within minutes, the attacker had transferred more than $8,000 out of Brown's Coinbase account, he said in a detailed post-mortem published on Medium.

Brown shoulders the blame for not using two-factor authentication on his Gmail account, but also noted that the attacker was able to fool his service provider.

"After talking at length with customer service reps, I learned that the hacker did not need to give them my pin number or my social security number and was able to get approval to takeover my cell phone number with simple billing information," he said.

Welcome to the world of SIM card fraud.

With two-factor authentication increasingly used to secure important accounts, attackers and fraudsters are actively pursuing ways to compromise mobile devices. One of the least technical methods is to collect billing information on a victim, call up customer service representatives at the victim's carrier, and ask that their SIM card be ported over to a new phone.

Subscriber identity module, or SIM, cards are external processors that perform the cryptographic security for mobile phones. Essentially a smart card, the SIM chips have two important numbers stored on them at their time of manufacture: The International Mobile Subscriber Identity (IMSI) which acts as a username, and the 128-bit Key Identification, or KI, which is essentially a password.

If attackers can convince a customer service representative to port those numbers to a new SIM card, all calls and text messages will go to the attacker's phone, while the victim's phone will be disconnected from the network. Because many people only have a single mobile phone and no land line, getting disconnected can make recovering from an attack nearly impossible.

TechCrunch writer John Biggs notice an attack on his phone last August, when his phone lost network services. The attacker apparently convinced his carrier’s customer service to port the SIM for his mobile phone to a new device. Within minutes, Biggs' e-mail password and Facebook password were changed. Luckily, the carrier was able to reverse the changes and he got his accounts back.

Others did not regain control until the attackers had transferred money out of a targeted account.

While not a new attack, taking over a mobile-phone account by gaining access to the SIM card is becoming an increasingly popular way to defeat two-factor authentication that relies on text messages sent to mobile devices.

"We definitely see a lot of attackers focusing on account recovery," said Brian Duckering, senior product marketing manager with Symantec's enterprise mobile security group. "I got your e-mail, and so I can get into all of your accounts. This is a variation on that, as more and more services are using your phone number as an account recovery tool."

While in 2013, a security researcher found a way to use text messages to steal sensitive SIM card information. However, attackers do not need to use any major vulnerability to take control of your phone via the SIM card. Instead, humans are the weak link—and this time, it's not the users.

Responding to Attack Techniques

Attackers focus on socially engineering technicians and customer support workers, convincing them to port the number over to another phone, often without proving identity or ignoring rules, such as, "Do not port SIM card unless ID is presented in person."

Preventing SIM card attacks involved training and anomaly detection. Most carriers already attempt to prevent SIM card registration from locations far from where a user's phone was last registered. In addition, carriers are increasingly instructing their customer support to never port a SIM card to a new phone without someone presenting ID in person.

Yet, adherence to these measures are spotty.

"The question is whether all of the carriers are interested in putting those measures in place," said Symantec's Duckering. "The fact that the bigger carriers have not done it already is mind boggling."

Users can take their own steps to secure their accounts.

Since 2016, the National Institute of Standards and Technology has warned that using text messages—more formally, the short message service (SMS)—as a second factor is asking for trouble. Officially, the group has "deprecated" the use of the authentication method.

Instead, users should adopt one or more authenticator apps to harden their account recovery. Google, Symantec and Duo Security are among the companies that offer authenticator applications.

In addition, users can also contact their provider and add a PIN code onto their account to prevent unauthorized changes. Depending on the provider, they may have other security options as well.