Why the wireless industry should be worried about SIM hacking

Blame is in ready supply amid the latest wave of SIM-swap attacks targeting bank, social media and in some cases cryptocurrency accounts, leaving victims traumatized and angry.

For Michael Terpin, it is clear where the fault lies.

"AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective," reads a $223.8 million lawsuit filed on behalf of Terpin against the carrier earlier this month. The entrepreneur sued AT&T having had nearly $24 million worth of bitcoin stolen from him in a SIM swap scam last year.

"We dispute these allegations and look forward to presenting our case in court," said AT&T, in response.

While Terpin and AT&T prepare for battle, the industry at large is still trying to figure out how to stop these attacks from happening in the first place. And what has become patently obvious in all this is that phone numbers are a deeply flawed means of authentication.

"This issue goes to the core of identity: How do I identify you as another person, over the internet?" asked Allison Nixon, director of security research at threat intelligence specialist Flashpoint. "There are only so many pieces of information I can use to actually do that. I can have you prove possession of your email, I can have you prove possession of your phone number, but there's not really any equivalent to you walking up to a bank teller and showing them your government-issued photo ID, with all the anti-counterfeiting security measures that are on that ID."

Mobile operators face their own challenges here.

"When we use possession of another account, such as an email address or a phone number, as a second factor, we create a security dependency. The thing we protect, such as your bank account, is now only as secure as the account it depends on. Many mobile operators have failed to put in safeguards commensurate with the security requirements of the services that depend on their security," said Jesper Johansson, chief information security officer at Yubico, which makes hardware security keys for two-factor authentication (2FA). "Their (mobile operators') controls against SIM swapping…are not sufficient. They are designed under the assumption that the only thing at stake is your phone number, which could be easily swapped back. However, we use possession of that phone number to control access to bank accounts and/or cryptocurrency vaults, and their controls are not up to that task."

Authenticating a person's identity using a phone number or email address is also predicated upon the false assumption that people keep the same phone number or email address for a long time, Nixon said. "They were never designed to serve this sort of purpose. There is no way for a website owner or bank to know if a number has been recycled."

SIMs and IDs

SIM-swapping is when a criminal fraudulently obtains a victim's phone number by having that number transferred to a SIM card in their possession.

The criminal achieves this by using social engineering to convince the carrier that they are the legitimate owner of the targeted number. Tactics typically include supplying morsels of stolen personal data such as address, date of birth and so on. Another tactic sees criminals bribe a carrier's employee to carry out the nefarious SIM swap.

Once the SIM swap has been completed, the criminal can potentially gain access to any online service linked to the phone number, including email, social media, bank and in Terpin's case, cryptocurrency accounts.

Some carriers text customers informing them a SIM swap has been initiated, advising them to contact support if they did not authorize it. Often this warning signal arrives too late for the victim to do anything about it. Meanwhile, some customers only find out they have become a victim when they unexpectedly lose cellular service. By the time they realize what's happened, the attacker has changed the passwords on every account they can get their hands on.

It is worth remembering that the SIM swap is not a new scam; it is more than 10 years old.

As such, "there is no excuse for social media companies, or crypto service providers, to point the finger at telecoms operators, because these online guys have all designed their security since the SIM-swap attack has been known about," argued Dave Morrow, a former group fraud manager for Vodafone Group.

The first victims of such scams were users with desirable mobile numbers. Criminals fraudulently gained possession of the number, and then sold the related SIM card.

Indeed, Morrow said some numbers can sell for thousands of dollars. Morrow in 2016 founded FraudFit, a consultancy that helps businesses adopt best practices to mitigate the risk of fraud.

In the United Kingdom, a new attack vector emerged in around 2010, when some banks began sending one-time passwords (OTPs) to customers via SMS for the purpose of authorizing large transactions. Attackers would first use a malware program known as Zeus to gain access to a victim's online bank account. This would be followed by a SIM swap. Thanks to the OTP system, attackers in possession of the victim's phone number were able to authorize the transfer of large sums of money out of that victim's bank account.

At the time, Morrow was, in addition to his role at Vodafone, a member of the management team at the GSMA's Fraud and Security Group. He claims banks in the U.K. did not consult carriers before rolling out SMS OTP as a means of authentication.

"Had the banks consulted the mobile industry about their plans…we would have told them that one-time password by SMS was not a secure means of authentication," he said. "When it started to go wrong, they started to blame the mobile industry."

The SIM-swap attacks making headlines in the United States recently have been targeted more at people with valuable usernames for services like Instagram, as well as cryptocurrency accounts.

"I'm not going to defend the phone carriers because every company involved has messed up," said Flashpoint's Nixon. "But, I'm also going to say that all those websites that are using phone numbers to verify identity are making a big mistake. It's inappropriate; they shouldn't be doing it."

Some possible solutions

A long-term solution to SIM swapping remains elusive too, since it requires close collaboration between carriers and online service providers, and any potential remedies risk violating privacy protections.

Current solutions, such as authentication apps and products such as key fobs that generate one-time passwords, provide an additional layer of authentication for online accounts, and, crucially, take that responsibility away from the phone number.

However, Nixon said that while these are an improvement on OTP SMS, "the average person is not going to keep a massive key chain full of fobs with them, and when they download their authenticator app to their phone, they're going to eventually lose that phone and get locked out of their online accounts."

Legislative measures, such as the equivalent of a government-issued ID for the internet, might close off some attack vectors, but would likely prove deeply unpopular with privacy advocates, she added.

Meanwhile, Morrow cautioned that the migration to eSIMs won't solve SIM-swapping and could in some instances exacerbate the problem.

"Theoretically, with an insider, eSIM makes it worse, because they could reverse the SIM swap again and the victim might never know that anything has happened," he warned.

One possible solution would be for the carrier, or the user's device, to alert online service providers to any recent hardware change whenever a password change or account recovery is requested in that user's name.

"If my phone number has only been on the same hardware for two days, then maybe that's a little bit suspicious and maybe my bank should not accept a password-reset attempt," Nixon said.

"Mobile operators need to put in proper safeguards against SIM swapping. A simple measure would be a cool-off period before the change takes effect, which could be cancelled by the legitimate customer simply by calling them. This would be effective against social engineering attacks of the mobile operators' customer service facilities and could be implemented very quickly," agreed Yubico's Johansson.
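As an added illustration (not code from the article, nor from any carrier or bank), the following Python sketch models the two controls Nixon and Johansson describe: a carrier-side cool-off period on SIM changes that the legitimate customer can cancel, and a relying-party check that refuses SMS-based password resets while a swap is pending or while the number has only recently moved to new hardware. The 24-hour window, the two-day minimum SIM age and the subscriber data are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COOL_OFF = timedelta(hours=24)    # assumed carrier cool-off before a swap takes effect
MIN_SIM_AGE = timedelta(days=2)   # assumed minimum SIM age before a bank trusts SMS reset


@dataclass
class Subscriber:
    msisdn: str                   # the phone number
    iccid: str                    # SIM currently active on the number
    sim_activated_at: datetime    # when the current SIM took over the number
    pending_iccid: Optional[str] = None
    pending_effective_at: Optional[datetime] = None


def request_sim_swap(sub: Subscriber, new_iccid: str, now: datetime) -> None:
    """Carrier side: park the swap instead of applying it immediately."""
    sub.pending_iccid = new_iccid
    sub.pending_effective_at = now + COOL_OFF


def cancel_sim_swap(sub: Subscriber) -> None:
    """Carrier side: the legitimate customer calls in and cancels the swap."""
    sub.pending_iccid = None
    sub.pending_effective_at = None


def apply_pending_swap(sub: Subscriber, now: datetime) -> bool:
    """Provisioning job: commit the swap only once the cool-off has elapsed."""
    if sub.pending_iccid is None or now < sub.pending_effective_at:
        return False
    sub.iccid, sub.sim_activated_at = sub.pending_iccid, now
    cancel_sim_swap(sub)
    return True


def allow_sms_password_reset(sub: Subscriber, now: datetime) -> bool:
    """Relying party (e.g. a bank): deny SMS reset while a swap is pending or
    while the number has been on its current SIM for less than MIN_SIM_AGE."""
    if sub.pending_iccid is not None:
        return False
    return now - sub.sim_activated_at >= MIN_SIM_AGE


def run_scenario() -> list:
    """Constructed walk-through: attacker requests a swap, customer cancels,
    then a genuine swap goes through and the number 'ages' back to trusted."""
    t0 = datetime(2018, 8, 20, 12, 0)
    sub = Subscriber("+15550100", "ICCID-A", t0 - timedelta(days=400))
    out = [allow_sms_password_reset(sub, t0)]               # True: old SIM
    request_sim_swap(sub, "ICCID-B", t0)
    out.append(allow_sms_password_reset(sub, t0))           # False: pending
    out.append(apply_pending_swap(sub, t0 + timedelta(hours=1)))  # False: too early
    cancel_sim_swap(sub)
    out.append(allow_sms_password_reset(sub, t0))           # True: cancelled
    request_sim_swap(sub, "ICCID-B", t0)
    t1 = t0 + COOL_OFF
    out.append(apply_pending_swap(sub, t1))                 # True: committed
    out.append(allow_sms_password_reset(sub, t1 + timedelta(days=1)))  # False
    out.append(allow_sms_password_reset(sub, t1 + timedelta(days=2)))  # True
    return out
```
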

At Mobile World Congress in Barcelona in March, the big four U.S. carriers updated the industry on what they call the next-generation mobile authentication platform. The platform aggregates identifying information from the user's SIM card, IP address, phone account type and more. This information is shared with authorized developers for the purposes of verifying someone's identity.

While this has come too late for people like Terpin, it may be a sign that the industry is working together to stamp out SIM swapping.

"If there's anything the telcos can do to solve this, it has to be done collaboratively," said Morrow.

And the situation is critical. "Not addressing issues such as this result in customers losing trust in the ecosystem as a whole," said Johansson. "Customers ought to understand some basics about protecting themselves, but we cannot expect them to take responsibility for this, and if they perceive the authentication system as unsafe, they will avoid using it. Whether the perception is true or not does not matter as much as whether people think it is true. All the parties involved need to step up and help address this issue."