Four Princeton University eggheads have published a report showing that the five major US mobile carriers implement weak authentication techniques, leaving customers vulnerable to SIM-swapping attacks that transfer victims' phone numbers to devices controlled by scammers.
Such attacks have been a problem for years, but have become particularly damaging as more websites have implemented two-factor authentication procedures that rely on control of a given phone number. In September last year, Twitter CEO Jack Dorsey temporarily lost control of his Twitter account following a SIM-swap attack.
In a paper [PDF] titled, "An Empirical Study of Wireless Carrier Authentication for SIM Swaps," Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan looked at how AT&T, T-Mobile US, Tracfone, US Mobile, and Verizon Wireless handle requests to change the SIM card associated with mobile phone numbers. They found the companies rely on insecure authentication challenges that attackers can easily exploit.
"SIM swap attacks are low-tech but devastating: the attacker calls your carrier, pretends to be you, and asks to transfer service to a new SIM—one that the attacker controls," explained Narayanan in a Twitter post. "That’s bad enough, but hundreds of websites use SMS for 2-factor auth, putting your accounts at risk."
Ten out of ten... attacks successful
The researchers made ten SIM-swap requests with each of the five carriers, targeting prepaid accounts. Between May and July last year, they managed to conduct a mostly successful series of attacks: AT&T (10 out of 10); T-Mobile US (10 out of 10); Tracfone (6 out of 10); US Mobile (3 out of 10), and Verizon Wireless (10 out of 10).
These companies, the researchers explain in their paper, use a variety of authentication methods to ensure that the person requesting the SIM change is authorized to do so.
The methods used include the attempted verification of: personal information (street address, email address, date of birth); account information (last 4 credit card digits, activation date, last payment), device information (IMEI, ICCID); usage information (recently called numbers); something known (PIN/password, security questions); and something in the caller's possession (one-time passcode sent via SMS or email).
The researchers argue that, apart from a PIN or password the customer knows and a one-time passcode sent to the customer's existing device, pretty much every other method of authentication is insecure: the required data is either guessable or obtainable, whether through other attack techniques or from insufficiently tight-lipped customer service reps.
Those conducting the attacks "used no social engineering tactics," according to the paper, though at least one of the techniques described – baiting phone users into calling back a number that called them to manipulate recent call logs – appears to represent a form of social engineering.
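The classification in the two paragraphs above (personal, account, device and usage information as obtainable or guessable; a PIN or a one-time passcode to the existing device as the only factors worth trusting) can be written down as a fail-closed policy. The following is an added illustration, not code from the Princeton paper or from any of the carriers; the challenge names, weights and the `decide_sim_change` function are assumptions made for the example. It also covers two failure modes the article describes: a recent-calls challenge that a caller can seed by baiting the victim into calling back, and a one-time passcode channel that is down, which must not cause a step-down to weaker checks.

```python
"""Added example: a fail-closed SIM-change authentication policy (hypothetical)."""
from dataclasses import dataclass, field
from enum import Enum


class Challenge(Enum):
    PERSONAL_INFO = "personal"          # street address, email, date of birth
    ACCOUNT_INFO = "account"            # last 4 card digits, activation date, last payment
    DEVICE_INFO = "device"              # IMEI, ICCID
    USAGE_INFO = "usage"                # recently called numbers; plantable via call-back bait
    PIN = "pin"                         # something the customer knows
    OTP_EXISTING_DEVICE = "otp"         # one-time code delivered to the SIM currently on the account


# Under this (assumed) policy only these factors may authorize a SIM change.
STRONG = {Challenge.PIN, Challenge.OTP_EXISTING_DEVICE}


@dataclass
class ChallengeResult:
    challenge: Challenge
    passed: bool
    delivered: bool = True   # False when an OTP could not be sent (channel outage)


@dataclass
class Decision:
    approved: bool
    reason: str
    strong_passed: list = field(default_factory=list)
    weak_passed: list = field(default_factory=list)


def decide_sim_change(results):
    """Approve only when a strong factor succeeded; never step down to weak ones."""
    strong_passed = [r.challenge.value for r in results
                     if r.challenge in STRONG and r.passed and r.delivered]
    weak_passed = [r.challenge.value for r in results
                   if r.challenge not in STRONG and r.passed]
    undelivered = [r.challenge.value for r in results
                   if r.challenge in STRONG and not r.delivered]

    if strong_passed:
        return Decision(True, "strong factor verified", strong_passed, weak_passed)
    if undelivered:
        # Fail closed: a broken OTP channel is an escalation case, not a reason to
        # accept address, card digits or call history instead.
        return Decision(False,
                        "strong factor unavailable (%s); escalate, do not fall back"
                        % ", ".join(undelivered),
                        [], weak_passed)
    return Decision(False, "only weak or no factors passed", [], weak_passed)


if __name__ == "__main__":
    # Constructed scenario: caller knows the victim's address and has planted a
    # number in the victim's recent calls, but fails the PIN. Must be denied.
    attacker = [
        ChallengeResult(Challenge.PERSONAL_INFO, True),
        ChallengeResult(Challenge.USAGE_INFO, True),
        ChallengeResult(Challenge.PIN, False),
    ]
    print(decide_sim_change(attacker))

    # Constructed scenario: email OTP system is down for a genuine customer.
    # The policy refuses rather than degrading to account information.
    outage = [
        ChallengeResult(Challenge.ACCOUNT_INFO, True),
        ChallengeResult(Challenge.OTP_EXISTING_DEVICE, False, delivered=False),
    ]
    print(decide_sim_change(outage))
```

The point of the `undelivered` branch is the case the article describes for Narayanan himself: when the passcode channel fails, the safe outcome is a denied request routed to a slower verification path, not a rep choosing the next-easiest question from the list.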
The researchers also looked at the authentication policies implemented at more than 140 websites that rely on phone-based authentication and found 17 where user accounts can be hijacked via SIM swap, without the attacker knowing the victim's password.
The paper notes that one of its authors, Arvind Narayanan, associate professor of computer science at Princeton, became a SIM-swapping victim while he and his colleagues were investigating the practice.
... it got personal for me
"While we were doing this research, it got personal for me," Narayanan explained on Twitter. "Around midnight on a Saturday, I got the dreaded text saying my service was being transferred to a new SIM. Smart move by the attacker – they counted on having the rest of the night to get into my online accounts."
He said he was able to respond quickly enough to limit the damage because he was awake that night looking after a newborn baby. His mobile carrier could not authenticate him – its system for emailing a one-time password failed – but he and his colleagues had just completed an analysis of the weaknesses in that carrier's authentication protocol, and he used that knowledge to convince the customer service rep to restore his account.
The paper's findings prompted US Senator Ron Wyden (D-OR) to urge the FCC to do more to address the issue. "Consumers are at the mercy of wireless carriers when it comes to being protected against SIM swaps," said Wyden via Twitter. "It’s time for the FCC to step up and protect consumers by holding carriers accountable when their systems fail to protect against SIM swapping."
T-Mobile US did not immediately respond to a request for comment, but has stopped relying on call logs for customer authentication, the researchers claim.
In response to the boffins' findings, US Mobile published a blog post stating that the paper focused on SIM-swapping attacks conducted by phone, which represent only 1 per cent of SIM-swapping requests at the carrier. The mobile biz said in any event it no longer allows SIM swapping over the phone with a customer service rep – all such requests must now be initiated from an authenticated user of its app or web dashboard.
AT&T declined to comment because SIM-swapping attacks represent "an industry-wide issue and not specific to AT&T." The company's spokesperson recommended asking telecom trade group CTIA, which more or less said wireless companies are working on improving security and consumers should be more proactive too:
In an email, Nick Ludlum, SVP and chief communications officer for CTIA said, “Wireless operators are committed to protecting consumers and combatting SIM swap attacks. We continuously review and update our cybersecurity practices and develop new consumer protections. We all have a role to play in fighting fraud and we encourage consumers to use the many tools highlighted in this study to safeguard their personal information.”
Verizon Wireless did not immediately respond to a request for comment. ®