New SIM Swap Hacks Highlight Carriers' Wobbly Security
Several new studies have found that hackers can convince wireless carriers' customer service agents to port legitimate phone numbers to bogus accounts -- a practice that can then open that account up to fraud and theft.
Researchers at Princeton University called three of the four major carriers and tried to convince customer service representatives to move phone numbers to new SIM cards. Verizon, AT&T and T-Mobile each received ten calls from the researchers, who posed as customers.
Astoundingly, in all 30 cases the fake customers successfully convinced the carriers to move the numbers to new SIM cards.
When the carriers tried to authenticate the customers by texting personal identification numbers (PINs), the "customers" acted confused and gave the wrong PINs, because of course they had not received the texts. Then the carriers asked for other forms of authentication, like most recently called numbers and most recent payments. The researchers had done their homework and in most cases were able to answer these questions correctly.
How can researchers (and hackers) get access to a victim's call history and payment history? By manipulating it. They can text multiple people fake offers that seem too good to refuse, until one person calls back. Now they have a recently called number. If the call happens to be from a prepaid account, the hacker has hit the jackpot because they can go to a convenience store, buy a refill card for a few dollars and then use it to refill that victim's account. Now the hacker has payment history. The next step is to call the carrier and request a SIM swap.
Perhaps more worrisome, not all fraudulent SIM swaps are one-off cases of identity theft. For example, Vice reported on hackers who convinced carrier employees to install software that then gave the hackers access to multiple customer accounts.
The entire situation shines a spotlight on the security problems surrounding "SIM swapping." Unlike physically replacing SIM cards in cellphones, SIM swapping is done remotely by using software to assign an existing phone number to a new SIM card. The new SIM is held by the hacker, who can then use it to access the rightful owner's account, change passwords and steal what can be stolen. After all, consumers' phone numbers are often used for two-factor authentication for access to online services.
In the highest-profile example of SIM hacking, 22-year-old Nicholas Truglia hijacked the phone number of a cryptocurrency investor and was able to steal $23 million from him.
Such developments have sparked responses from the wireless industry and regulators.
Last year the CTIA -- the US wireless industry's main trade group -- issued guidance for consumers on how to avoid becoming the victim of a SIM swap. The association said the number one recommendation is to establish a secure PIN that cannot easily be guessed. This does not do much good though if carrier customer service reps are willing to authenticate people who do not know the PIN for their account. In the Princeton study, even failure to repeat a temporary PIN that had just been texted did not keep people from getting their SIMs swapped.
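The fallback weakness described above, as an added example that is not from the article, the Princeton study or any carrier's system: a simplified model of the observed behaviour next to a hypothetical stricter rule. The factor names, the `CALLER_INFLUENCEABLE` table, both policy functions and the sample calls are assumptions made for illustration.

```python
"""Added example: SIM-swap caller authentication, lenient vs. strict fallback."""

# Challenge types named in the article. True means the answer can be shaped
# from outside the account (a lured call-back, a refill-card payment), so a
# correct answer says little about who is calling. Classification is assumed.
CALLER_INFLUENCEABLE = {
    "account_pin": False,
    "sms_otp": False,
    "recent_call": True,
    "recent_payment": True,
}


def lenient_policy(attempts):
    """Simplified model of the behaviour described: any correct answer wins."""
    return "approve" if any(ok for _, ok in attempts) else "deny"


def strict_policy(attempts):
    """Hypothetical hardened rule: weak factors never offset a failed strong one."""
    # Unknown challenge types are treated as weak (caller-influenceable).
    strong = [(f, ok) for f, ok in attempts
              if not CALLER_INFLUENCEABLE.get(f, True)]
    failed = [f for f, ok in strong if not ok]
    if failed:
        # A failed PIN followed by correct weak answers is the pattern the
        # study exploited, so it is refused and the reason is recorded.
        return "deny", "failed " + ", ".join(failed)
    if not strong:
        return "deny", "no strong factor presented"
    return "approve", "strong factor verified"


# Constructed sample calls: (challenge, answered correctly?)
STUDY_STYLE_CALL = [("sms_otp", False), ("recent_call", True),
                    ("recent_payment", True)]
OWNER_CALL = [("account_pin", True)]
WEAK_ONLY_CALL = [("recent_payment", True)]

if __name__ == "__main__":
    for name, call in [("study-style", STUDY_STYLE_CALL),
                       ("owner", OWNER_CALL),
                       ("weak-only", WEAK_ONLY_CALL)]:
        print(name, lenient_policy(call), strict_policy(call))
```
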
Separately, Congress is pressuring the FCC to nudge the carriers into action. A handful of legislators sent FCC Chairman Ajit Pai a letter last week highlighting the problem and noting that American consumers are routinely encouraged to use two-factor authentication to protect all manner of accounts.
"SIM swap fraud may also endanger national security," the letter states. "For example, if a cyber criminal or foreign government uses a SIM swap to hack into the email account of a local public safety official, they could then leverage that access to issue emergency alerts using the federal alert and warning system operated by the Federal Emergency Management Agency."
For wireless carriers, addressing the SIM swap problem is likely to be a balancing act. Customer service agents will need to be stricter about authenticating callers without alienating the hundreds of customers who are legitimately confused and need help accessing their accounts.
— Martha DeGrasse, special to Light Reading. Follow her @mardegrasse