SIM Swapping and why SMS is not the perfect 2FA

The ‘SIM swapping’ technique strikes back in Spain and other eurozone countries. Learn how you can prevent this attack with some simple steps.

BidiPass, Sep 18, 2019 (5 min read)

The Short Message System (SMS) has been around for decades; basically, every operating phone supports this text communication through the Global System for Mobile communications, GSM. From 1992, when the first SMS sent through GSM said “Merry Christmas”, to the current 4G-to-5G era, old-fashioned text messages have stood the test of time. After all, when everything else fails, you just text, right?

SMS messages are a useful resource whenever there is no connection to the internet. You’d be amazed how handy a short text message can be in some situations. But what happens when this means of communication becomes the vulnerability hackers need to access your personal information?

SMS as 2FA

Years ago, when companies became aware of how important it was to verify the ID of a user remotely, the idea of a two-factor authentication method (2FA) kicked in. However, there are many ways to implement 2FA:

  • Knowledge factor. The case of passwords and other data only the user knows. It is vulnerable to leaks from databases, though.
  • Physical factor. Something the user has, such as the mobile phone.
  • Other. Inherence (biometric) factor, location, a combination of factors, etc.

Thus, a simple way to check someone’s identity is to verify that this person has access to the registered phone number. The service provider can check ID through a call, but this takes up plenty of time and human/technical resources. There is a simpler alternative: to send a one-time code to the phone number in an SMS.

Then, the user enters this temporary password in addition to the credentials to log in. The main reason why online companies have relied on SMS as a 2FA method for a long time is that it is competitive to develop and implement. But this option may come to an end soon due to the associated vulnerabilities.

SIM Swapping Technique

Believe it or not, it is not that hard to get a duplicate of someone else’s SIM card. Some telecom companies, or rather some employees working at those companies, may skip a few checkpoints whenever a client requests a duplicate. This flaw in the duplication process, from request to delivery, is common knowledge among scammers, since mobile service operators handle a high volume of clients.

What’s more, using social engineering methods, wrongdoers can target vulnerable people. It is concerning that companies hold plenty of sensitive user data in their databases, which can leak to hackers. Every year, those companies suffer attacks or security exploits. So, in a nutshell, how is it possible to make a duplicate of someone else’s SIM card?

The requester needs to have the necessary information about the user, such as full name, phone number, e-mail, and a copy of the ID card. If you think of it, this information is usually shared by the user when signing up for the service. Therefore, employees working at telecom companies and mobile operators are the main suspects.

Nowadays, we can sign up for services online very quickly. You can also request a SIM duplicate and receive it at home, but the preferred way for hackers is to pick up the card in a store to accelerate the process. The victim loses connection to the network when the new SIM card is activated. In the next few hours, the hacker has access to the associated accounts protected with SMS as 2FA.

Signs of this Hack

Of course, whenever you lose network coverage, you will not run to the closest phone operator store to ask for a solution. Most likely, you will try to reboot the device, move to another location, call support from another phone, etc. The usual reaction takes time, precisely what the criminal needs.

To make it worse, contacting support may not help. They could tell you everything is fine, since they have no reason to suspect something fishy is going on. A request for a SIM duplicate does not set off any alarms at the company.

The best course of action for the potential victim is to verify if something is out of place. First, open the e-mail inboxes accessible from your device. If you see password recovery emails arriving, you have been breached! Otherwise, you may be suffering a random disruption of service by the operator.

Granted, you need access to the internet to do this check. You may also need another device if there is no Wi-Fi available. You could be sleeping when this happens. Thus, this is not the perfect solution to prevent hacks.
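The inbox check described above can also be scripted. The following is an added example, not code from the original post or from BidiPass: it scans raw e-mail messages for password recovery mail that arrived after the moment coverage was lost. The sample messages, the keyword pattern and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Assumed subject pattern for recovery mail; tune it to your own providers.
RECOVERY_RE = re.compile(
    r"password\s+(reset|recovery)|(reset|recover)\s+your\s+password",
    re.IGNORECASE)

# Constructed sample inbox (raw RFC 5322 messages), not real traffic.
SAMPLE_INBOX = [
    "From: Bank <no-reply@bank.example>\nDate: Wed, 18 Sep 2019 09:12:00 +0000\n"
    "Subject: Reset your password\n\nUse the link to choose a new password.",
    "From: Shop <news@shop.example>\nDate: Wed, 18 Sep 2019 09:20:00 +0000\n"
    "Subject: Weekly offers\n\nDiscounts inside.",
    "From: Mail <security@mail.example>\nDate: Wed, 18 Sep 2019 09:31:00 +0000\n"
    "Subject: Password recovery requested\n\nA recovery code was sent by SMS.",
    "From: Bank <no-reply@bank.example>\nDate: Tue, 17 Sep 2019 18:00:00 +0000\n"
    "Subject: Password reset completed\n\nYou changed your password.",
]

def recovery_mail_since(raw_messages, coverage_lost_at):
    """Return (sender domain, subject, time) for recovery mail after the outage began."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        try:
            received = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # missing or unparsable Date header: skip rather than guess
        if received.tzinfo is None:
            received = received.replace(tzinfo=timezone.utc)
        subject = msg.get("Subject", "")
        if received >= coverage_lost_at and RECOVERY_RE.search(subject):
            domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
            hits.append((domain, subject, received))
    return sorted(hits, key=lambda h: h[2])

def looks_like_sim_swap(raw_messages, coverage_lost_at):
    """Treat the outage as suspicious if any recovery mail arrived after it started."""
    return len(recovery_mail_since(raw_messages, coverage_lost_at)) > 0

if __name__ == "__main__":
    lost = datetime(2019, 9, 18, 9, 0, tzinfo=timezone.utc)
    for domain, subject, when in recovery_mail_since(SAMPLE_INBOX, lost):
        print(f"{when.isoformat()}  {domain}  {subject}")
```

Recovery mail dated before the outage, such as the last sample message, is ignored, so an ordinary password change from the day before does not raise the flag.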

Better Security: 3FA

The next step in user authentication relies on checking three factors at the same time: knowledge, possession, and inherence. BidiPass offers this level of security with its application without disturbing the UX. You log in to a service with a password, receive a notification in our app, and then approve the login by checking biometric factors (fingerprint or Face ID). Easy!

We believe that 3FA is the improvement in ID authentication that global companies need. For instance, SIM swapping is utterly ineffective against services protected by BidiPass, since the hacker would have to validate with YOUR fingerprints or face to access such services. Unless you have an evil twin (and, according to the Twin Tests, even then), you are safe!

Some Good Habits

Sadly, you cannot change the 2FA security of the services you may be using. Providers should update to better security eventually. In the meantime, you can make an effort to reduce risks:

  • Do not use the same password. Arguably the simplest mistake to avoid.
  • Do not use the same e-mail/username. Another frequent mistake users can avoid.
  • Use built-in apps to access services. Whenever available, using official apps with 2FA is better, such as your bank’s application.
  • Know how to deactivate services. In case of a breach, time is ticking against you. Learn how to request the deactivation of your SIM card.

Wrapping It Up

SMS has proved to be an effective means of communication, sort of a Twitter of the ’90s in your mobile without emotes or pics. However, exploits in SIM card duplication processes by operators have rendered the SMS-based 2FA method unreliable.

Although companies need time to implement better security, there is interest in pushing for it, as the EC’s PSD2 is doing. BidiPass provides the infrastructure to protect any online service with 3FA, with the added benefit of the Ethereum blockchain underneath.
