SIM swapping has grown in recent weeks into the tactic of choice for cybercriminals in the U.S. Just about everyone with a functioning mobile phone and SIM card is vulnerable.
However, a new report has revealed just how deadly these attacks could be. Recently, a study at Princeton University revealed that five major U.S. mobile phone carriers are acutely vulnerable to SIM swapping attacks.
Academic research finds five US telcos vulnerable to SIM swapping attacks https://t.co/bj5oEk0Kqy
— ZDNet (@ZDNet) January 11, 2020
Easy Exploitation Criteria
In the research, participants signed up for ten prepaid accounts each on Verizon Wireless, T-Mobile, AT&T, U.S. Mobile, and Tracfone. Then, they began to conduct SIM swapping exercises on these numbers. Astonishingly, the study discovered that all they needed to manipulate these carriers was to get one authentication step correct, regardless of whether or not they succeeded in doing the rest.
To test the efficacy of the companies’ security measures, the researchers called the carriers and asked for a SIM swap. Each time, they deliberately provided the wrong PIN so that customer support would offer a new verification method. When they were asked for their (that is, the victim’s) billing code and date of birth, they simply evaded that requirement by claiming they had filed the wrong credentials when they registered with the carrier.
When all else fails, the customer service reps would simply ask for their most recently made calls. Given that attackers can easily trick victims into making bogus calls, this security protocol isn’t very effective, and it’s the one that attackers prefer to exploit.
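The flaw the study describes, as an added example that is not from the article or the Princeton researchers: a Python model of a customer-service flow where any single passed challenge authorises the swap, beside a stricter variant. The challenge names, the failure threshold and the sample calls are assumptions constructed for illustration.

```python
# Added example: models the call-centre authentication flow described above.
# Challenge names and the failure threshold are assumptions for illustration.
from dataclasses import dataclass

# Challenges whose answers a third party can influence
# (the article notes victims can be tricked into making calls).
MANIPULABLE = {"recent_calls"}

@dataclass
class Attempt:
    challenge: str   # e.g. "pin", "billing_code", "dob", "recent_calls"
    passed: bool

def permissive_policy(attempts):
    """Behaviour the study observed: one correct answer is enough,
    no matter how many other challenges failed."""
    return any(a.passed for a in attempts)

def strict_policy(attempts, max_failures=1):
    """Hardened variant (assumed design): failures count against the caller,
    and manipulable challenges never authorise a SIM swap."""
    failures = 0
    for a in attempts:
        if not a.passed:
            failures += 1
            if failures > max_failures:
                return False      # stop offering fallback challenges
            continue
        if a.challenge in MANIPULABLE:
            continue              # a pass here proves nothing about identity
        return True
    return False

# Constructed call following the sequence in the article: wrong PIN,
# billing code and date of birth dodged, recent calls answered correctly.
CALL = [
    Attempt("pin", False),
    Attempt("billing_code", False),
    Attempt("dob", False),
    Attempt("recent_calls", True),
]
LEGIT = [Attempt("pin", True)]                        # constructed: real owner
TYPO = [Attempt("pin", False), Attempt("dob", True)]  # constructed: one slip

if __name__ == "__main__":
    for name, call in [("article sequence", CALL), ("owner", LEGIT), ("one slip", TYPO)]:
        print(f"{name}: permissive={permissive_policy(call)} strict={strict_policy(call)}")
```
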
SIM swapping is a complex criminal activity: a criminal contacts the victim’s mobile phone carrier with a new phone number and convinces the operator that the victim changed their number to the new one. Thus, the phone number is migrated to the new SIM, and as a welcome-back procedure, all passwords and security keys owned by the victim are sent to the criminal.
Armed with that information, the criminal could gain easy access to anything, from email addresses and social media passwords to cryptocurrency wallets and perhaps even online banking keys.
Congress Asks the FCC to Intervene
The SIM swapping monster is growing rapidly, forcing Congress to step in. Last week, 8 Democrats on Capitol Hill sent a letter to Ajit Pai, the Commissioner for the Federal Communications Commission (FCC), asking his agency to step up oversight of mobile phone carriers and their security measures for SIM swapping.
Lawmakers Prod FCC to Act on SIM Swapping https://t.co/ukX4VnhQLD
— Bruno J. Navarro (@Bruno_J_Navarro) January 10, 2020
In the letter, the Congress members explained that SIM swapping is growing by the year, as swapping complaints increased by 238.6 percent between 2016 and 2019.
They expressed their concern that the issue has become a problem for civilians, adding that a lot of government websites and platforms could also be at risk since they allow users to reset their passwords either by email or two-factor authentication, both of which are now vulnerable to SIM swappers.
While they pointed out some progress that has been made, they also bemoaned the “spotty” implementation of security recommendations and the fact that a lot of users only find out about these features when it’s too late. In their view, the FCC will need to step up and compel carriers to get things right.