Four Steps Businesses Should Take to Combat Online Account Hijacking due to SIM Swapping
I recently fell victim to unauthorized SIM swapping, a type of mobile phone fraud in which a cybercriminal hijacks a victim’s cell phone number in order to attack a weakness in SMS-based two-factor authentication (2FA). A fraudster often goes after a victim’s bank accounts or cryptocurrency accounts to steal money or cryptocurrencies. While there are no definitive statistics about the extent of SIM swapping, SIM swappers have allegedly stolen hundreds of millions of dollars in recent years. Michael Terpin, an American crypto investor, claims that he lost $24 million in cryptocurrency due to two SIM swapping events over the course of 7 months in 2017 and 2018. According to a UK article, in the three years leading up to August 2018, 549 cases of SIM swapping scams in the UK alone were reported to Action Fraud, the cybercrime reporting service, with an average loss of around £4,000.
In a typical SIM swapping case, the perpetrator calls the target’s cell phone company and uses social engineering techniques to convince the customer service representative that he is the victim. He pretends that he has lost his phone and requests that the phone number be ported to a SIM card in his possession. (Sometimes, a fraudster simply bribes a wireless carrier’s employee to achieve the same goal.) Once the hacker has the activated SIM card, the victim loses cell phone service, and the perpetrator receives all SMS messages and phone calls placed to the victim’s cell phone number. He then requests verification codes from the victim’s banks or email service providers to bypass 2FA or reset passwords and gain access to the victim’s online accounts.
My Personal Experience
One Friday afternoon in March 2019, as I was driving back to my office from a meeting, I lost my cell phone reception. I initially thought that I was driving through an area with bad reception, but after not recovering service for some time, I grew suspicious. I drove to an AT&T store soon afterwards, and I was able to get a new SIM card and reclaim my cell phone number. The store clerk told me not to worry and that my SIM card had probably gone bad. After getting back online and seeing that someone had logged into my Microsoft Outlook account and changed my password, I realized that I had become a victim of SIM swapping. I walked back into the store, and another clerk checked my account records. He told me that someone in a different state had gone into an AT&T store and walked away with a SIM card activated with my phone number. After consulting with his store manager, he suggested that I contact AT&T’s fraud department on Monday. (The fraud department’s office was closed over the weekend.)
Over the next 72 hours, I chaotically changed passwords and updated 2FA settings on nearly 100 accounts. Even though the SIM swapper only took over my Outlook account, that was my primary email address, the one I had used for all my online accounts, from shopping to banking. I prioritized my accounts and went through as many of them as possible.
Fortuitously, I had an Outlook session active on my MacBook Pro, which gave me access to my Outlook email for another 4–5 hours after my account was hijacked. (Talk about the security of Microsoft Outlook email accounts!) I was able to see what happened after the SIM swapper took over my Outlook account.
1. He immediately attacked my Coinbase account by requesting a password reset. According to a recent article on CoinTelegraph, SIM swappers like to target cryptocurrency accounts due to the ease of stealing funds and the irreversibility of the transfers. Although I used my cell phone number as 2FA for most of my financial and other online accounts, I had enabled Google Authenticator on my Coinbase account. Thus, he was not successful.
2. Next, he aggressively attacked all my Gmail accounts by requesting password resets. I could see codes being sent to my cell phone according to the usage report on My AT&T Online. Some of my Gmail accounts were part of a G Suite domain, so password resets could not be requested for them. Two other Gmail accounts were personal accounts, but they both had an additional security question that was very personal and whose answer was not in any public records or on the dark web. He failed to get into my Gmail accounts.
3. He also attacked my Yahoo email account. This was an email account I had had since the 1990s, but I had not used it for over a decade. Yahoo is known to have very weak protection of account access, according to Brian Krebs. The SIM swapper was able to log into my Yahoo account, but he didn’t bother to take it over. I was able to log in with my existing password and kicked out his active session.
4. He then attacked one of my domain registrar accounts. He successfully got in and changed the password because I didn’t have 2FA enabled on that account. However, I only had one domain that I was not currently using in that account. Again, no real damage was done there.
Since I discovered the hack quickly enough (within one hour), the financial damage was minimal, but I cannot overstate the agony and wasted time. What does this mean for online businesses? I believe the onus is on them to design more secure, yet user-friendly, authentication and identification systems to better protect their users’ accounts.
There are plenty of articles on SIM swapping. If you Google “SIM swapping” or “SIM hijacking,” you will see lots of links. Most of those articles focus on techniques that consumers can adopt to protect themselves from SIM swapping frauds. For example, Wired published an article titled How to Protect Yourself Against a SIM Swap in August 2018. Instead, I am going to focus on my recommendations to businesses in this article.
Four Steps Businesses Should Take to Combat Online Account Hijacking due to SIM Swapping
Step 1. Improve the Weak Password Recovery Process
In the past, hackers relied on hacking techniques like man-in-the-middle, phishing, or keylogging to get a victim’s actual login credentials. A recent trend has been that hackers are targeting weak password recovery processes to take over online accounts, as it is a much faster way.
A typical password recovery process requires the user to have access to an email address or a phone number (sometimes both) that has been registered with her online account. The server sends a password recovery link, a temporary password, a verification code, or a combination of those. As long as the hacker hijacks the email account and the phone number (which, in my case, took the fraudster less than 30 minutes to get access to both), he can quickly take over a victim’s account.
For example, I recently tried to change the password of my account at one of the largest brokerage firms in the U.S., but I got locked out. It prompted me to go through its password recovery process. It first asked for my name, date of birth, and the last 4 digits of my social security number, all of which are likely available in the dark web, thanks to several massive data breaches in recent years. Next, it displayed a list of my phone numbers and email addresses and asked me to select one of the listed options to receive a verification code. I was able to reset my password in no time, and I suppose a SIM swapper would have been able to do the same.
More sophisticated password recovery processes should be designed and deployed. Even adding one additional security question that cannot easily be answered by looking up public records can thwart SIM swappers, as in the case of my Google accounts. When in doubt, companies should not hesitate to use the old-fashioned way, i.e., snail mail. There is nothing wrong with mailing a temporary password to a customer’s physical address on file during the password recovery process. In particular, financial institutions should take note. If a hacker has access to my cell phone number and my email account, there is nothing that prevents him from gaining access to my bank accounts through the common weak password recovery mechanism described above.
Step 2. Add More Secure 2FA Alternatives
Online businesses should provide software-based 2FA, hardware-based 2FA, or both while creating a plan to phase out SMS-based 2FA.
In the 2016 draft of NIST Special Publication 800-63-3, Digital Authentication Guideline, the National Institute of Standards and Technology (NIST) called for the deprecation of SMS as a form of 2FA. NIST pointed out that it was too easy to redirect or intercept SMS messages at scale and, therefore, that SMS-based 2FA did not have the same strength as device authentication.
However, three years later, many organizations still use SMS-based 2FA as their primary 2FA. According to twofactorauth.org, the four largest banks in the U.S. (JPMorgan Chase, Bank of America, Wells Fargo, and Citibank) still offer SMS as 2FA, none offers a software token, and only Wells Fargo offers a hardware token.
A hardware token based on the Universal 2nd Factor (U2F) standard is likely the most secure form of 2FA at the time of this writing. A U2F security key typically supports both NFC and USB connections. The two leading options are YubiKey and Google Titan. According to KrebsOnSecurity, Google eliminated phishing of employees’ work-related accounts by requiring, since early 2017, its more than 85,000 employees to use physical security keys in place of passwords and one-time codes.
A software token solution like Google Authenticator is more secure than SMS but still has security vulnerabilities. According to an article on makeuseof.com, most software 2FA apps use a method called Time-Based One-Time Password (TOTP). The secret key from which the code on your device is generated is also stored on the server, and that server can be hacked. Nevertheless, gaining access to the key on the server is a lot harder than SIM swapping. It is also worth noting that software-based 2FA is subject to sophisticated attacks such as Evilginx, an advanced phishing scheme that uses a man-in-the-middle mechanism to bypass 2FA.
Nonetheless, it is clear that (1) 2FA is more secure than no 2FA; and (2) every organization should deprecate SMS-based 2FA, as called for by NIST.
Step 3. Use AI and Other Fraud Detection Technologies during Account Login and Password Recovery
For years, banks have been using anti-fraud technologies to detect credit card fraud. For example, if someone attempts to charge a large sum at a Costco store hundreds of miles away from my home, the credit card authorization system would decline the charge and contact me immediately for verification.
Why can’t online businesses do the same with password recovery and login attempts? Microsoft could have prevented the hacker from taking over my Outlook account. The hacker first reset my password by requesting a recovery code via SMS. After logging into my account, he immediately removed my recovery email addresses and recovery phone number and added his own email address as the recovery email address. According to email records, the SIM swapper first logged into my Outlook email account from a Denver-based IP address. Soon afterwards, he switched to a VPN that showed a New York-based IP address while, at the same time, my iPhone had been continuously connected to Outlook from a California IP address. Microsoft should have flagged this suspicious activity and put a 30-day hold on the change of recovery email address and phone number. I would have been able to recover my Outlook account had Microsoft done so. Instead, Microsoft allowed the hacker to replace the recovery email address with his. Then, after I successfully recovered my account via Microsoft Account Recovery, Microsoft sent an email to the hacker’s email address for “verification” while putting my recovery email address change on a 30-day hold. Of course, the hacker reversed my account recovery process. Finally, I escalated the issue to Microsoft online chat support. After 3 days, all Microsoft could do was to “suspend the Outlook account indefinitely” rather than giving me back control of the account.
Organizations should deploy solutions that can effectively detect suspicious activities and stop them in real time.
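As an added example (my code, not Microsoft’s logic or anything from the original post), here is the kind of rule Step 3 calls for, in Python: a request to replace the recovery email or phone is put on a 30-day hold when the requesting session was created by an SMS-verified password reset shortly before, or when the account is simultaneously in use from another region, as the author’s iPhone was. The session records, region codes and the 24-hour “fresh reset” window are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

HOLD_SECONDS = 30 * 24 * 3600      # 30-day hold before a recovery-contact change takes effect
RECENT_RESET_SECONDS = 24 * 3600   # assumption: a session born from an SMS reset is "fresh" for 24h

@dataclass
class Session:
    session_id: str
    region: str          # coarse geolocation of the client IP, e.g. "US-CA"
    started: int         # Unix time the session was created
    via_sms_reset: bool  # True if the session began with a password reset confirmed by SMS code

@dataclass
class Decision:
    action: str                                  # "apply" or "hold"
    reasons: List[str] = field(default_factory=list)
    hold_until: Optional[int] = None             # Unix time the change may take effect

def evaluate_recovery_change(requesting: Session, active: List[Session], now: int) -> Decision:
    """Decide whether a recovery-contact change may take effect immediately.
    Two signals from the article's own case: the requesting session was minted by an
    SMS-verified reset minutes earlier, and the account is concurrently active from
    another region. Either one puts the change on hold; the existing recovery contacts
    (not the proposed new ones) should then be notified."""
    reasons = []
    if requesting.via_sms_reset and now - requesting.started < RECENT_RESET_SECONDS:
        reasons.append("recovery contacts changed shortly after an SMS-based password reset")
    other_regions = sorted({s.region for s in active
                            if s.session_id != requesting.session_id and s.region != requesting.region})
    if other_regions:
        reasons.append("account concurrently active from " + ", ".join(other_regions))
    if reasons:
        return Decision("hold", reasons, now + HOLD_SECONDS)
    return Decision("apply")

# Constructed scenario mirroring the article: the owner's iPhone has held a session from
# California for a month; an intruder who just reset the password via SMS logs in from
# Colorado and immediately tries to swap the recovery contacts.
NOW = 1_552_600_000
OWNER_PHONE = Session("s-iphone", "US-CA", NOW - 30 * 24 * 3600, via_sms_reset=False)
INTRUDER = Session("s-intruder", "US-CO", NOW - 5 * 60, via_sms_reset=True)

def demo() -> Decision:
    return evaluate_recovery_change(INTRUDER, [OWNER_PHONE, INTRUDER], NOW)
```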
Step 4. Collaborate with Wireless Carriers to Flag Suspected SIM Swapping in Real Time
The best way to combat SIM swapping is to stop using SMS-based 2FA. Unfortunately, due to its popularity, I do not expect all businesses to deprecate it overnight. As long as firms still use SMS-based 2FA for their online businesses, they should try to collaborate with wireless carriers to receive instant alerts when a phone number is suspected of unauthorized SIM swapping. This requires phone companies to cooperate, which is not easy. Especially in the U.S., there is no indication that wireless carriers are doing nearly enough to combat SIM swapping. However, carriers have an obligation to their customers to safeguard their wireless accounts.
In Mozambique, banks can query recent SIM swapping activities with all major wireless carriers in real time. A bank could block a fund transfer if it suspects any fraud based on the information it receives from a wireless carrier. According to Ars Technica, companies in other countries, including the UK, Australia, Nigeria, South Africa, and Kenya, have put carrier-checking remedies in place.
In my case, AT&T could have prevented the perpetrator from swapping my SIM in March had it flagged the obvious. My phone had been used in the Bay Area continuously for more than a month, and it had just connected to the AT&T network in my local area moments before the SIM swapper walked into an AT&T store 1,500 miles away. The system should have flagged the attempt, locked the account, and called me immediately for verification. It should not be difficult to implement such a mechanism. Instead, AT&T allowed its store clerk to swap the SIM with few checks. Also, Microsoft could have queried AT&T (had AT&T provided such a capability), determined that my SIM had been swapped, and notified me for confirmation.
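Both halves of Step 4 as one added example in Python (my code, not AT&T’s, any carrier’s, or the article’s own): the carrier-side rule that would have flagged a swap requested 1,500 miles from where the handset was just seen on the network, and the bank-side check in the Mozambique model that asks the carrier for the number’s latest swap before trusting an SMS code or approving a transfer. The distance, recency and cooldown thresholds are constructed assumptions, not any carrier’s or bank’s policy.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

# Thresholds are assumptions for this example, not any carrier's or bank's policy.
MAX_PLAUSIBLE_MILES = 300          # handset seen on-network this far from the store = conflict
RECENT_ATTACH_SECONDS = 6 * 3600   # only a recent network attach counts as "where the phone is"
SWAP_COOLDOWN_SECONDS = 72 * 3600  # distrust SMS for 72h after any swap, even an unflagged one

LatLon = Tuple[float, float]

@dataclass
class SwapEvent:
    number: str
    requested_at: int   # Unix time of the SIM change request
    flagged: bool
    reason: str

def miles_between(a: LatLon, b: LatLon) -> float:
    """Great-circle (haversine) distance in statute miles."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 3958.8 * 2 * math.asin(math.sqrt(h))

def carrier_assess_swap(number: str, last_attach_at: int, last_attach_loc: LatLon,
                        store_loc: LatLon, now: int) -> SwapEvent:
    """Carrier side: a swap requested far from where the handset was just seen on the
    network is flagged; the account should be locked and the customer called back."""
    miles = miles_between(last_attach_loc, store_loc)
    if now - last_attach_at <= RECENT_ATTACH_SECONDS and miles > MAX_PLAUSIBLE_MILES:
        return SwapEvent(number, now, True, f"handset on-network {miles:.0f} miles from requesting store")
    return SwapEvent(number, now, False, "no location conflict")

def sms_channel_trusted(latest_swap: Optional[SwapEvent], now: int) -> bool:
    """Business side: before sending an SMS code or approving a transfer, ask the carrier
    for the number's latest swap. None means the carrier reports no swap on record."""
    if latest_swap is None:
        return True
    if latest_swap.flagged:
        return False
    return now - latest_swap.requested_at >= SWAP_COOLDOWN_SECONDS
```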
Companies should pressure U.S. wireless carriers to follow in the footsteps of carriers in other parts of the world and do more to combat SIM swapping crimes.
Combating SIM swapping and stopping online account takeovers should be a high priority for all businesses with an online presence. The fact that most businesses are still stuck with SMS-based 2FA is concerning. In a recent panel discussion on zero-trust cybersecurity at Stanford University, several panelists commented that businesses tend to be reactive to cybersecurity. They often react to regulatory requirements and major breaches but are seldom proactive in implementing platform security. According to twofactorauth.org, dozens of consumer-facing financial institutions don’t even offer 2FA today, not to mention software- or hardware-based security tokens. A few lawsuits and complaints filed against wireless carriers can act as catalysts to push the industry to heighten awareness and do more to protect customers from falling victim to SIM swapping. Protecting customers’ online accounts is not just the responsibility of CISOs; all senior executives, including CEOs, should be on top of it. Finally, wireless carriers in the U.S. should do a lot more in this arena.
Special thanks to Dr. Ephraim Feig, who reviewed this article and provided valuable feedback.