By Shannon Morse, ThreatWire 

Lots has been happening on the SIM swapping front, so let’s get caught up. First, in a Princeton University academic study that was published January 10, five major US telcos were found to be vulnerable to SIM swapping attacks, in which an attacker can steal a mobile phone number by getting a wireless carrier to change the paired SIM to one that he or she is in possession of. Attackers can use SIM swapping to steal 2FA codes and texts, reset passwords for online sites, steal crypto wallets, and steal identities.

The academics used social engineering techniques to learn how customer support centers are set up with procedures for changing SIMs in order to determine how SIM swapping happens and which carriers are vulnerable. In total, they found AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless were all susceptible to attacks due to faulty procedures for SIM changes.

In each case, the researchers created 50 prepaid accounts, so they’d have 10 SIMs for each carrier. They then made real calls to set up realistic data for each account. Eventually, they’d call to request a SIM swap. In each case, the researcher would give the customer service rep the wrong PIN and account owner details, but say they’d been a victim of some sort of theft. To explain the incorrect info, the researchers would say they’d been careless when signing up and didn’t remember the info. If the PIN and account details were incorrect, telcos would need to authenticate the customer another way, by asking about the last two calls made. An attacker would only need to trick a user into calling specific phone numbers, then cite those calls to convince the carrier that the number had previously been theirs.

The researchers had notified carriers, but only T-Mobile had discontinued the call log authentication procedure. They then took the newly swapped SIMs with stolen phone numbers to 140 online sites to determine which ones only used SMS to authenticate an account and allow for access. From here they created a website called Is SMS 2FA Secure (issms2fasecure.com) to share results, though the vulnerable sites are redacted.
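A service owner can ask the same question of their own login and recovery settings: does holding the phone number alone lead to account access? The sketch below is an added example, not code from the study or from ThreatWire; it generalizes to chained recovery paths, and the site configurations and credential names are constructed for illustration.

```python
# Added example. Site names and configurations are constructed, not study data.

def attacker_gains(account, start=("sms",)):
    """Return every credential derivable from the credentials in `start`.

    account["recovery"] is a list of (credential_granted, proofs_required).
    Rules are re-applied until nothing new is gained, so chains such as
    sms -> email -> password are followed regardless of rule order.
    """
    held = set(start)
    changed = True
    while changed:
        changed = False
        for granted, required in account["recovery"]:
            if granted not in held and set(required) <= held:
                held.add(granted)
                changed = True
    return held


def sms_only_takeover(account):
    """True if control of the phone number alone satisfies some login path.

    account["login"] is a list of alternative factor sets, any one of
    which is enough to sign in.
    """
    held = attacker_gains(account)
    return any(set(path) <= held for path in account["login"])


# SMS is both the second factor and the password reset channel.
SITE_A = {"login": [("password", "sms")],
          "recovery": [("password", ("sms",))]}

# TOTP login looks stronger, but every recovery path chains back to SMS.
SITE_B = {"login": [("password", "totp")],
          "recovery": [("totp", ("password", "sms")),
                       ("password", ("email",)),
                       ("email", ("sms",))]}

# No recovery path starts from the phone number.
SITE_C = {"login": [("password", "totp")],
          "recovery": [("password", ("email",)),
                       ("totp", ("backup_code",))]}

if __name__ == "__main__":
    for name, site in (("A", SITE_A), ("B", SITE_B), ("C", SITE_C)):
        print(name, sms_only_takeover(site), sorted(attacker_gains(site)))
```

SITE_B is the case worth checking for in practice: removing SMS from the login step does nothing if account recovery still bottoms out at the phone number.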

Though this technique was based on social engineering, another technique is using the remote desktop protocol (RDP) and social engineering to get telco employees to download RDP clients and allow the attacker into the network, so they can do the SIM swaps themselves.

Due to the ongoing issues with SIM swapping, Oregon Senator Ron Wyden, alongside five other lawmakers, sent a letter to the US FCC and Ajit Pai to demand an answer as to why the FCC is doing nothing to help consumers protect their accounts. According to the letter, “Consumers have no choice but to rely on phone companies to protect them against SIM swaps, and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers.” The letter explains that some overseas carriers will only do a SIM swap after authentication via email, while some others send SIM swap data to financial institutions. The lawmakers requested an answer within one month, by February 14.

Links:
Support me on alternative platforms! https://snubsie.com/support

Shop ThreatWire Merch! - https://snubsie.com/shop

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire

Links:
SIM Swapping:
https://www.zdnet.com/article/academic-research-finds-five-us-telcos-vulnerable-to-sim-swapping-attacks/
https://www.issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf
https://www.issms2fasecure.com/dataset
https://www.vice.com/en_us/article/5dmbjx/how-hackers-are-breaking-into-att-tmobile-sprint-to-sim-swap-yeh
https://www.vice.com/en_us/article/k7e8xx/sim-swapping-indictments-pile-up-as-congress-begs-the-fcc-to-do-more
