SIM Swap Attack

Weekly Tech News from Helpful Dave!

For this week I wanted to talk about the latest way criminals can steal your information.

It has something to do with your cellphone, but guess what? It’s not your fault! You didn’t download a bad app, go to a bad website, or get phished via e-mail. As a matter of fact, if you have Two Factor Authentication set up via text message, this attack allows criminals to bypass that too! Here’s the kicker: the one responsible for giving away your personal information is actually your carrier!

This article uses two Tech Terms: SIM cards and Two Factor Authentication. If you don’t know what those are, here is a primer:

—Tech Terms—

SIM card: The SIM card is how your mobile phone carrier (Verizon, T-Mobile, etc.) knows where to direct all of your phone calls and text messages. It’s normally a small physical card that is placed into your phone.

Two Factor Authentication: When you receive a text message or e-mail with a code to verify who you are when you try to login to certain websites or apps.

—Back to the News—

Recently, researchers at Princeton University did a study using Verizon Wireless, T-Mobile, AT&T, Tracfone, and US Mobile to learn how easy it would be to get them to send someone else’s SIM card to a would-be criminal.

The attack works by tricking your cell phone carrier into sending the criminal a “replacement” SIM card that you never lost! Once a criminal gets your SIM card they can make and receive phone calls and texts with your number!

So here’s one way that it works:

The criminal first calls your cell phone carrier

Criminal: Yes, I need another SIM card.
Carrier: Okay I need your PIN number please.
Criminal: (Provides the wrong PIN number).
Carrier: That’s not correct.
Criminal: I’m so sorry I must’ve forgotten.
Carrier: No problem we can authenticate another way, can I please have….

Here’s where it gets tricky. Here’s a small list of what some providers ask for.

1. Full Name and Address: This information is easy to get. Someone can find a nice house, walk up and grab a bill from the mailbox, and now they have the full information. If they are in luck, they can even grab your cell phone bill from the box as well. If they don’t know your carrier right away, they can just call all of them one at a time to see which one is correct.

2. Recent Numbers Dialed: Your carrier will ask the criminal for the last two numbers dialed or received in your phone log. People think this one is a bit trickier, because how would the criminal know the last two numbers in my phone? Well, it’s simple! They can call you and leave a message, and if you call them back, now they have the last two numbers!

How about this one as well: you are at a large social gathering at a bar, a restaurant, or maybe the house of someone you know. Someone walks up to you and says “I lost my phone, can you do me a favor and call it?” All they need to do is have you do that twice and they have the last two numbers as well!

The most important thing to remember is your carrier doesn’t have a way of denying service to these criminals who continue to call. They might not have all the right information the first time they call up, but sometimes your provider actually gives up some of that information on the call! The criminal simply has to be persistent enough to continue calling and they can unfortunately sometimes find a way in!

How can you keep yourself safe? Here are Helpful Dave’s Tips!

DON’T: Use Two Factor TEXT based Authentication. Once a criminal has your SIM card they will be able to receive text messages intended for you!

INSTEAD: Use an App Based Mobile Authenticator like LastPass (http://www.lastpass.com), Google Authenticator, or Authy. An App Based Mobile Authenticator, as the name suggests, is an app installed on your phone. So even if a criminal gets your SIM card, they still can’t get your Two Factor codes, because the codes are generated by the app on your phone rather than sent to your phone number as a text!
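For readers who like to see it in code, here is a small Python sketch added as an illustration (it is not from the Princeton study or from any authenticator app). It computes an app-style code the standard way (TOTP, RFC 6238) and uses a made-up `Carrier` class, phone number, and text code to show where each kind of code ends up after the number is moved to a replacement SIM.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): derived only from the stored secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Carrier:
    """Toy carrier (hypothetical): it alone decides which SIM gets a number's texts."""
    def __init__(self):
        self.routing = {}    # phone number -> SIM id
        self.inbox = {}      # SIM id -> texts delivered to that SIM

    def assign_sim(self, number: str, sim_id: str) -> None:
        self.routing[number] = sim_id
        self.inbox.setdefault(sim_id, [])

    def deliver_sms(self, number: str, text: str) -> None:
        self.inbox[self.routing[number]].append(text)

def simulate_swap(now: int = 1111111109) -> dict:
    number = "+1-555-0100"                        # constructed sample number
    app_secret = b"12345678901234567890"          # RFC 6238 test secret, kept in the owner's app
    carrier = Carrier()
    carrier.assign_sim(number, "owner-sim")
    carrier.assign_sim(number, "replacement-sim") # the swap: the number now points elsewhere

    sms_code = "493027"                           # constructed one-time code a website texts out
    carrier.deliver_sms(number, sms_code)
    app_code = totp(app_secret, now)              # what the website expects for app-based 2FA

    seen_by_replacement = carrier.inbox["replacement-sim"]
    return {
        "sms_code_on_owner_sim": sms_code in carrier.inbox["owner-sim"],
        "sms_code_on_replacement_sim": sms_code in seen_by_replacement,
        "app_code_on_replacement_sim": app_code in seen_by_replacement,
    }

if __name__ == "__main__":
    print(simulate_swap())
```

The texted code follows the phone number to the replacement SIM, while the app code never travels through the carrier at all.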

Our personal recommendation is LastPass, as it offers many more tools, including secure password storage and an automatic password generator, so you never have to think of a password again.

Here is a link to the study from Princeton: https://www.issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

I hope this article proved informative and helpful to everyone! If anyone has any questions, or has a news tip and wants me to do a dive into it, feel free to suggest it in the comments below! If you want to stay up to date on Helpful Tech News, please stay tuned for more!

If you liked the article and want to support us, please use our affiliate link for LastPass, as we earn a commission if you sign up: https://lastpass.wo8g.net/mmnzX