Study Shows The Internet Is Hugely Vulnerable To SIM Hijacking Attacks

from the ill-communication dept

U.S. wireless carriers are coming under heavy fire for failing to protect their users from the practice of SIM hijacking. The practice usually involves conning or bribing a wireless employee to port a victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Carriers are facing numerous lawsuits from victims who say attackers used the trick to first steal their identity, then millions in cryptocurrency, or even popular social media accounts.

Last week, six lawmakers, including Ron Wyden, wrote to the FCC to complain the agency isn't doing enough (read: anything) to pressure carriers into shoring up their flimsy security. This week, a group of Princeton researchers released a study showcasing how both traditional and prepaid wireless carriers remain incredibly vulnerable to such attacks despite several years' worth of headlines. In the full study (pdf, hat tip ZDNet), the researchers showed how it was relatively easy to trick wireless company support employees into turning over far more private data than they should, helping to facilitate the illicit SIM swap:

"When providing incorrect answers to personal questions such as date of birth or billing ZIP code, [research assistants] would explain that they had been careless at signup, possibly having provided incorrect information, and could not recall the information they had used," researchers said, explaining the motives they provided to call center staff."

After failing the first two steps in confirming a caller's identity, wireless carriers then move on to a third confirmation option -- verifying the last two numbers called from the account. But researchers note that was easy to game as well:

"The research team says that an attacker could trick a victim into placing calls to specific numbers. For example, a scenario of "you won a prize; call here; sorry, wrong number; call here instead." After the attacker has tricked the SIM card owner into placing those two calls, they can use these details to call the telco's call center and carry out a SIM swap. Princeton researchers said they were able to trick all five US prepaid wireless carriers using this scenario."

Despite warning all five of the carriers they tested this trick on, four of the five still hadn't fixed their security gaps as of the study's publication. After showcasing how vulnerable mobile carriers are, the researchers took a closer look at what could be done once they had taken over a user's wireless accounts. To that end, they tested the multi-factor authentication practices of 140 of the most popular services and sites, and found that 17 of those services had no systems in place to protect users from SIM hijacking (such as emailing users a one-time password to confirm identity and verify the changes were actually requested).
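One way to audit a service's login and recovery paths for the exposure described above, as an added example that is not from the article or the Princeton study. The factor names, the `Service` model and the sample services are constructed assumptions; the model assumes a SIM swap hands the attacker SMS delivery and nothing else.

```python
from dataclasses import dataclass, field

# Assumption of this model: a SIM swap gives the attacker SMS delivery, nothing else.
SIM_SWAP_GRANTS = frozenset({"sms"})

@dataclass
class Service:
    name: str
    login: list  # factor sets; any one complete set logs the user in
    recovery: dict = field(default_factory=dict)  # factor -> factor sets that reset it

def attacker_factors(service, held=SIM_SWAP_GRANTS):
    """Grow the attacker's factor set through recovery flows until it stops changing."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for factor, routes in service.recovery.items():
            if factor not in held and any(set(r) <= held for r in routes):
                held.add(factor)
                changed = True
    return held

def sim_swap_takeover(service):
    """True when control of the phone number alone ends in a full login."""
    held = attacker_factors(service)
    return any(set(combo) <= held for combo in service.login)

# Constructed sample services (hypothetical, not taken from the study's data set).
SERVICES = [
    # Password reset by SMS, second factor by SMS: the number is the whole account.
    Service("sms-everything", [{"password", "sms"}], {"password": [{"sms"}]}),
    # Reset also needs a one-time password sent by email, so SMS alone is not enough.
    Service("email-confirmed", [{"password", "sms"}], {"password": [{"sms", "email"}]}),
    # TOTP login, but both password and TOTP can be re-enrolled starting from SMS.
    Service("totp-weak-reset", [{"password", "totp"}],
            {"password": [{"sms"}], "totp": [{"password", "sms"}]}),
    # TOTP login with email-only password reset and no TOTP reset path.
    Service("totp-strict", [{"password", "totp"}], {"password": [{"email"}]}),
]

def exposed(services):
    """Names of services where a SIM swap by itself leads to account takeover."""
    return [s.name for s in services if sim_swap_takeover(s)]

if __name__ == "__main__":
    for s in SERVICES:
        print(f"{s.name:16} takeover via SIM swap: {sim_swap_takeover(s)}")
```

The `totp-weak-reset` case shows why recovery flows have to be followed transitively: the login itself never uses SMS, yet every factor it requires can be reset starting from SMS.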

Here's where, in a functional market with a functioning government, regulators would step in to pressure carriers to do more to actually protect consumers. Instead, the Trump FCC has spent the last three years rubber-stamping every fleeting whim of the sector, including gutting most meaningful oversight of the sector, and rubber-stamping massive mergers the majority of objective experts say will harm the market.

Filed Under: ajit pai, fcc, ron wyden, scams, sim hijacking, sim swap, social engineering, wireless carriers


Reader Comments

  • Anonymous Coward, 16 Jan 2020 @ 6:31am

    SMS 2FA has never been secure and never will be

    Implement TOTP instead of this shit. I'd rather legitimately forget my password and be locked out of my account forever than some random person getting access to it because they called customer service with a sob story.

    • Anonymous Coward, 17 Jan 2020 @ 2:39am

      Re: SMS 2FA has never been secure and never will be

      I scream every time a service tries to get me to sign up for SMS 2FA. How did anyone ever convince technologically illiterate rubes in charge at these businesses that this could ever be a good, oh, right.... yeah.....

  • Norahc, 16 Jan 2020 @ 7:00am

    As soon as the US wireless carriers figure out a way to charge a monthly fee for this, they will fix it.

  • Anonymous Coward, 16 Jan 2020 @ 7:44am

    More reasons to not conduct financial transactions via a cell phone, certainly not anything related to a saving acct or 401k.
    Or is that 409k these days?

    • Anonymous Coward, 16 Jan 2020 @ 10:28am

      Re:

      The article title is probably wrong. This attack has nothing to do with SIM cards, and there's no reason to think a non-wireless phone would be secure against customer service attacks.

      • urza9814, 17 Jan 2020 @ 10:59am

        Re: Re:

        The title is fairly accurate IMO, as the attack relies on number portability. The FCC requires providers to allow wireless numbers to be portable, but they are not required to allow you to transfer a landline number, and many carriers just won't do it. Since you're far less likely to be able to port a landline number, it's far less likely that this kind of attack would succeed.

  • Anonymous Coward, 16 Jan 2020 @ 8:28am

    17 of 140 services, eh? 12%

    Of that 12%, how popular are they? Where do they rank?

    Of the 156 SMS-enabled websites listed, the only ones I saw without account recovery provisions were Hushmail, Signal, and WhatsApp. Of course, those are kinda severe...

  • Anonymous Coward, 16 Jan 2020 @ 8:34am

    You know you can get your account locked with a code. If I call them up, even with all my normal info and want to do anything, I have to tell them my code number. I keep that number stored in LastPass in the Notes area for my normal T-Mobile Online account, that way I can look it up easily enough on whatever device is handy. You don't want to lose the number.

    • Anonymous Coward, 16 Jan 2020 @ 8:42am

      Re:

      You have found a single point of account lockout because if anything happens to your LastPass setup you lose both the password and the recovery code.

      • Anonymous Coward, 16 Jan 2020 @ 9:06am

        Re: Re:

        Plus if someone else gets control of your T-Mobile-online account you lose everything you were attempting to save.

    • James Burkhardt, 16 Jan 2020 @ 9:18am

      Re:

      PIN code security to stop porting scams has been bypassed by the same social engineering techniques explored in the article.

      A journalist went through the 3 times he was hit by port out scams, and he did the whole "require a PIN code to do anything" bit, and the scammers just engineered their way around it.

  • Berenerd, 16 Jan 2020 @ 9:30am

    I would also like phone number spoofing to be a little more difficult. You would think that phone companies could tell when a number is spoofed, but alas...

    Someone from 111-111-1111 wants me to save on my credit card payments.

    • Anonymous Coward, 16 Jan 2020 @ 9:38am

      Re:

      If that could be used to game a thing that actually cost the provider, they'd do something.

    • Anonymous Coward, 16 Jan 2020 @ 10:16am

      Re:

      Remember, the phone companies know when the displayed number is being spoofed. Rather, they know the actual data about the actual numbers/connections for both ends of the system if they care to check.

      They just don't care.

      • Anonymous Coward, 16 Jan 2020 @ 10:38am

        Re: Re:

        Rather, they know the actual data about the actual numbers/connections for both ends of the system if they care to check.

        It's not so simple to decide what to do with that data. Some spoofing is legitimate; e.g., you call a toll-free customer service number, and they later call you back with caller ID showing the number you had dialed—even though the real originating number is some probably-foreign call center with a different phone number.

  • Uriel-238, 16 Jan 2020 @ 11:42am

    Would law enforcement have cause to hijack suspects' phones?

    If so, expect to see pressure to leave it alone in 3... 2... 1...

  • Ninja, 17 Jan 2020 @ 4:32am

    It seems to me that it's a rather simple problem to solve by implementing some sort of lock (password) the SIM owner has to input before any swap. Something not easily obtainable such as personal information.

    The question is: what are the carriers getting in benefits that keeps them from implementing such security measures?

    • urza9814, 17 Jan 2020 @ 11:03am

      Re:

      As mentioned above, some carriers at least DO already offer such protection...but it doesn't work. The attack already relies on social engineering the call center employees to disregard policy. If you can't get them to obey the existing security policies, what are the odds that they'll obey that one?
