This article by NuID’s Robert Paul was originally published in the Center For Internet Security’s Cybersecurity Quarterly.
Most of us are now familiar with the two-factor authentication codes that have become common over the last few years. You know the form: "A text message with a 6-digit verification code was just sent to your number." It has become almost standard for anyone who cares about the security of their accounts, and many websites now make it mandatory. The problem is that attackers are still one step ahead of this widely recommended practice.
The attack is called 'SIM swapping.' It is the act of hijacking your phone number: the attacker convinces your carrier to move the number onto a SIM card they control, so every call and SMS message meant for you, including that 6-digit multi-factor authentication code so many websites rely on today, is delivered to them instead. Most people might assume this is a sophisticated attack that requires a very specific set of circumstances to exploit. Unfortunately, that isn't the case. Your phone provider is the one willingly handing the attacker control of your number.
The attack isn't complicated and isn't new. NIST deprecated SMS as an out-of-band authenticator in its 2016 draft of SP 800-63B, and the final guideline keeps it only as a 'restricted' authenticator. The reasoning cited the increasing frequency of the attack, the ease of exploitation, and the inability of telecom companies to protect against it.
As a pentester, I would often have to leverage a SIM swap to grant myself access to a corporate VPN, to pivot to a more protected network, or to gain access to a company's DNS records, thus giving me complete control over their entire network. The process is straightforward and takes only a few minutes. First, you research your target to find leaked information. There is a trove of leaked information on most people, including social security numbers, addresses, and phone numbers: all the things you would need to verify your identity to the telecom support staff. This information isn't hard to find and isn't expensive either. Access to large, easily searchable collections of records is available for sale online, or you can grab the raw data yourself from security research sites, such as databases.today or Public DB Host, or from more legitimate services, like Spokeo.
Once you have all the data you're looking for, it's just a matter of correlating it across leaked dumps to find the most current and relevant details. Then all you need to do is call the victim's phone provider with a sob story about how you accidentally ran your phone through the washing machine and the world is ending because you're expecting a call today for a job interview. The provider will do everything it can to help you out and will happily swap the number over to a new SIM card you just bought, provided you confirm your identity. You give the representative the details you harvested on your victim and it's done. You now receive all SMS messages and calls that were originally intended for your victim. Most carriers now offer an account PIN or port-out lock that raises the bar for this call, but it is opt-in and only as strong as the support representative who is asked to enforce it. All that's left is to log in to the victim's email, enter the two-factor authentication code, and reset every account that was signed up with that email: their banking and credit card accounts, cryptocurrency exchange accounts, E-Trade account, other email addresses for which that email is the recovery address, their social media accounts. Everything.
There are a lot of challenges in dealing with online identity, and arguably the biggest is the users themselves. Password managers, like LastPass or Intel's True Key, can completely defeat password reuse attacks, but SIM swapping is not one of them: the attacker never needs your password, because once they receive your SMS code the account recovery flow lets them set a new one. Even so, for such an effective tool, password managers have not seen widespread adoption. LastPass, one of the most popular, has only about 7 million users, while more than 3.2 billion people worldwide use the internet. These tools also have vulnerabilities of their own.
Since no solution is perfect, the security industry has shifted its focus to building "Zero Trust" security models. A Zero Trust model grants no implicit trust to the network or the device: it assumes the user's machine and environment may already be compromised, and that the service they are communicating with can be or will be compromised, and it authenticates every request on that basis. The Decentralized Identity Foundation (DIF) hosts some of the latest technology for dealing with the issues surrounding online identity authentication. Industry giants like Microsoft, IBM, RSA, and MasterCard, along with various startups, have pooled their resources to tackle this problem. The DIF focuses on cryptographic techniques, like zero-knowledge proofs of knowledge, that let a user prove possession of a secret without ever transmitting it, so that authentication holds up even within untrusted environments: an eavesdropper or a compromised server learns nothing it can replay. The DIF also has a heavy focus on blockchain technologies to achieve a more decentralized approach that is resistant to traditional attacks, which target single-point-of-failure services, like using your email as an online identity.
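To make the zero-knowledge proof of knowledge mentioned above concrete, here is an added example, not code from the article, NuID, or the DIF: a Schnorr identification protocol in Python. The prover holds a secret x and the server stores only y = g^x mod p; each login is a three-message exchange in which the prover shows it knows x without transmitting it, and a transcript captured by an eavesdropper cannot be replayed against a fresh challenge. The group is generated at runtime (a 512-bit p with a 256-bit prime-order subgroup; these sizes are an assumption chosen so the example runs in under a second, not a production recommendation, where a 2048-bit-plus group or an elliptic curve from a vetted library is the norm). All function names are my own.

```python
"""Schnorr zero-knowledge proof of knowledge of a discrete logarithm.

Added illustration, not code from the article, NuID, or the DIF. The prover
convinces the verifier that it knows x with y = g^x mod p without ever
sending x. Parameter sizes (512-bit p, 256-bit q) are a demonstration
assumption; production deployments use larger groups or elliptic curves.
"""
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test, with trial division by small primes first."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # witness proves n composite
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if is_probable_prime(cand):
            return cand


def generate_group(q_bits=256, p_bits=512):
    """Schnorr group (p, q, g): primes with q | p-1, g generating the order-q subgroup."""
    q = random_prime(q_bits)
    while True:
        k = secrets.randbits(p_bits - q_bits) & ~1          # even k keeps p odd
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        h = secrets.randbelow(p - 3) + 2
        g = pow(h, (p - 1) // q, p)                         # has order q unless it is 1
        if g != 1:
            return p, q, g


def keygen(group):
    """Prover's long-term secret x and the public key y that the server stores."""
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def prover_commit(group):
    """Round 1: fresh nonce r and commitment t = g^r. r must never be reused."""
    p, q, g = group
    r = secrets.randbelow(q - 1) + 1
    return r, pow(g, r, p)


def verifier_challenge(group):
    """Round 2: unpredictable challenge, chosen only after the verifier has seen t."""
    return secrets.randbelow(group[1] - 1) + 1


def prover_respond(group, x, r, c):
    """Round 3: s = r + c*x mod q. The nonce r blinds x, so s leaks nothing about it."""
    return (r + c * x) % group[1]


def verifier_check(group, y, t, c, s):
    """Accept iff g^s == t * y^c (mod p), after checking the elements are well formed."""
    p, q, g = group
    for elem in (y, t):
        if not 1 < elem < p or pow(elem, q, p) != 1:       # must lie in the order-q subgroup
            return False
    if not 0 <= s < q:
        return False
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def run_session(group, x, y):
    """One interactive login: True iff the prover really knows log_g(y)."""
    r, t = prover_commit(group)
    c = verifier_challenge(group)
    s = prover_respond(group, x, r, c)
    return verifier_check(group, y, t, c, s)


def replay_recorded_transcript(group, y, transcript):
    """An eavesdropper who captured a full (t, c, s) exchange replays it.
    The verifier issues a new challenge, so the stale response fails."""
    t, _old_c, s = transcript
    return verifier_check(group, y, t, verifier_challenge(group), s)
```

Note the contrast with the SMS flow described earlier: there is nothing in transit for an attacker to intercept and reuse, because x never leaves the prover and every challenge is fresh. The one operational hazard is the nonce r: two responses made with the same r and different challenges reveal x as (s1 - s2) / (c1 - c2) mod q, so r must come from a cryptographically secure generator on every login.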