Weak security measures in place at several major wireless carriers in the United States make it easy for attackers to perform SIM swap attacks on prepaid mobile accounts, a recent study found.
In a SIM swapping attack, social engineering is used to convince a wireless carrier to transfer the victim's phone number to a SIM card the attacker controls. Once the number has been hijacked, the attacker receives the victim's calls and text messages and can therefore bypass SMS-based two-factor authentication (2FA), intercept calls and messages, or impersonate the victim.
While wireless carriers do have authentication procedures meant to stop an unauthorized caller from requesting a SIM transfer and taking over a victim's phone number, these procedures appear to be ineffective, researchers from Princeton University have found.
An analysis of the procedures implemented by five carriers in the U.S. revealed that an attacker only needs to pass the weakest of these authentication challenges, because failing the others does not stop the request.
An analysis of postpaid accounts at three carriers suggested that stronger authentication may have been implemented for those accounts than for prepaid ones. That said, several publicized attacks have shown that regular postpaid accounts are far from secure and remain vulnerable.
“To quantify the downstream effects of these vulnerabilities, we reverse-engineered the authentication policies of over 140 websites that offer phone-based authentication. […] Notably, we found 17 websites on which user accounts can be compromised based on a SIM swap alone, i.e., without a password compromise,” researchers from the Department of Computer Science and Center for Information Technology Policy at Princeton explain in their whitepaper (PDF).
SIM swap procedures are useful when a device has been misplaced or when a different size SIM is needed in a new mobile device. SIM swap attacks, on the other hand, have been widely used to hack into accounts, steal virtual currencies, or access victims’ bank accounts, and the vulnerability is considered severe.
This type of attack drew wide attention in August 2019, when the Twitter account of Twitter's own CEO, Jack Dorsey, was hijacked through a SIM swap.
A user who calls a wireless carrier to request a SIM swap is presented with a series of authentication challenges; only after the caller has passed them does a Customer Service Representative (CSR) update the SIM card on the account.
Authentication challenges used by wireless carriers often include basic personal information (e.g. street address, email address, and date of birth), account information (e.g. last 4 digits of payment card number, activation date, last payment date and amount), device data (e.g. IMEI, SIM serial number), usage information (e.g. recent numbers called), knowledge (PIN or password, security questions) and possession (e.g. SMS one-time passcode, email one-time passcode).
To evaluate the authentication mechanisms employed by five U.S. prepaid carriers, namely AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless, the researchers signed up for 50 prepaid accounts (10 with each carrier) and then called the provider to request a SIM swap on each account.
“Our key finding is that, at the time of our data collection, all 5 carriers used insecure authentication challenges that could easily be subverted by attackers. We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges,” the researchers say.
The researchers consider the following insecure methods of authenticating a SIM swap: recent payment information and details about recent calls (both of which an attacker can manipulate, for example by calling the victim so that the attacker's number shows up in the call log), personal or account information (likely already available to real attackers), device information, and security questions.
The procedures employed by these carriers were largely similar, but on 9 occasions across 2 carriers, “the CSRs either did not authenticate the caller or leaked account information prior to authentication,” the whitepaper reveals.
Tracfone and US Mobile, the researchers found, did not use any challenge that an attacker holding only manipulable information could answer, yet CSRs performed the swap without authenticating the caller at all: 6 times at Tracfone and 3 times at US Mobile.
Moreover, in some cases the carrier representative disclosed personal information without authentication, such as the activation month or the service's activation and deactivation dates. In other cases the employee disclosed the billing address, part of the email address, or parts of both.
The end result of the experiment was that all of the SIM swap attempts were successful at the three major wireless carriers: AT&T, T-Mobile, and Verizon Wireless. However, the attacks failed 4 times at Tracfone and 7 times at US Mobile.
“Tracfone and US Mobile—the MVNOs—did not use any manipulable information for authentication and thus had fewer successful swaps. However, nearly all of their authentication challenges came from public records. A dedicated adversary would plausibly be able to obtain a victim’s DOB, address, email address, or answers to security questions through online profiles, and thus be able to successfully authenticate at the carriers,” the whitepaper reads.
The researchers also discovered that they could not add more protections to their accounts aside from what was available for them upon initial setup. This means that millions of users are potentially at risk: there were 77 million prepaid wireless connections in the U.S. in the third quarter of 2019 (21% of all wireless connections).
In July 2019, the researchers notified the wireless carriers and CTIA, the U.S. trade association representing the wireless communications industry, of their findings. In January 2020, T-Mobile responded, saying it had discontinued the use of call logs for customer authentication.
Looking at popular websites that rely on SMS-based multi-factor authentication (MFA), the researchers found that most of the analyzed domains (83 out of 145) recommend or mandate insecure configurations. Seven sites offer a one-step login via an SMS one-time passcode (OTP) alone, so a hijacked phone number is all an attacker needs to get in.
Seventeen websites allow "doubly insecure" configurations, in which both login authentication and account recovery go through SMS, so a SIM swap alone compromises the account without any password. Ten sites recommend secure authentication schemes while still suggesting insecure ones alongside them, and others enroll the user in email- or SMS-based MFA without user input or notice, relying on the email address or phone number they already have on file.
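The two findings above, the carrier-side policy in which any single correct answer authenticates the caller and the website-side configurations that fall to a hijacked number alone, are easier to reason about as a small model. The Python below is an added example written for this page; it is not code from the Princeton paper or from any carrier or website. The challenge categories follow the article's list, but every policy, site configuration and attacker capability in it is constructed for illustration (the real carriers' challenge sequences and the real sites' settings are not reproduced here).

```python
"""Added example (not the paper's code): a toy model of the SIM swap path the
article describes. Part 1 simulates the CSR call under the observed policy
("any one correct answer authenticates") and under a hardened one. Part 2
checks which website configurations the hijacked number then unlocks. Every
policy, site and attacker capability below is constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum, auto


class Challenge(Enum):
    PERSONAL_INFO = auto()      # street address, email, date of birth
    ACCOUNT_INFO = auto()       # last 4 of card, activation date
    DEVICE_INFO = auto()        # IMEI, SIM serial
    RECENT_CALLS = auto()       # recent numbers called
    RECENT_PAYMENT = auto()     # last payment date and amount
    SECURITY_QUESTION = auto()
    ACCOUNT_PIN = auto()        # knowledge only the customer should hold
    SMS_OTP = auto()            # possession of the current SIM
    EMAIL_OTP = auto()          # possession of the mailbox


# Attacker capabilities assumed here: public-record data, plus "manipulable"
# data the attacker can create (e.g. calling the victim so the attacker's
# number appears in the victim's recent-calls log).
PUBLIC_RECORD = {Challenge.PERSONAL_INFO, Challenge.SECURITY_QUESTION}
MANIPULABLE = {Challenge.RECENT_CALLS, Challenge.RECENT_PAYMENT}
STRONG = {Challenge.ACCOUNT_PIN, Challenge.SMS_OTP, Challenge.EMAIL_OTP}
ATTACKER = PUBLIC_RECORD | MANIPULABLE
CUSTOMER = set(Challenge)       # the real owner can answer everything


@dataclass
class CarrierPolicy:
    name: str
    challenges: list            # the order the CSR asks them in
    any_one_suffices: bool      # observed: first correct answer is enough
    max_failures: int = 0       # hardened: abort after this many misses


def sim_swap_succeeds(policy: CarrierPolicy, caller_knows: set) -> bool:
    """Simulate the call; True means the CSR would perform the swap."""
    failures = 0
    for challenge in policy.challenges:
        if challenge in caller_knows:
            if policy.any_one_suffices or challenge in STRONG:
                return True
            continue            # hardened: a weak answer alone proves nothing
        failures += 1
        if not policy.any_one_suffices and failures > policy.max_failures:
            return False        # hardened: lock out instead of moving on
    return False


# Constructed policies: the first mirrors the article's description of the
# prepaid carriers, the second requires a strong factor and fails closed.
OBSERVED = CarrierPolicy("observed-prepaid", [Challenge.ACCOUNT_PIN,
                         Challenge.RECENT_PAYMENT, Challenge.RECENT_CALLS], True)
HARDENED = CarrierPolicy("hardened", [Challenge.ACCOUNT_PIN, Challenge.SMS_OTP],
                         False, max_failures=0)


@dataclass
class SiteConfig:
    name: str
    sms_only_login: bool = False                  # 1-step login via SMS OTP
    mfa: set = field(default_factory=set)         # e.g. {"sms", "totp", "key"}
    recovery: set = field(default_factory=set)    # e.g. {"sms", "email", "codes"}


def classify_site(cfg: SiteConfig) -> tuple:
    """Return (label, compromised_by_sim_swap_alone)."""
    if cfg.sms_only_login:
        return "sms-only login", True
    if "sms" in cfg.recovery and (not cfg.mfa or "sms" in cfg.mfa):
        return "doubly insecure: SMS resets the password and passes MFA", True
    if "sms" in cfg.mfa:
        return "SMS MFA accepted: swap plus a leaked password suffices", False
    return "resists SIM swap", False


SAMPLE_SITES = [    # constructed configurations, not any real site's
    SiteConfig("shop-a", sms_only_login=True),
    SiteConfig("bank-b", mfa={"sms"}, recovery={"sms"}),
    SiteConfig("mail-c", mfa={"totp", "sms"}, recovery={"email"}),
    SiteConfig("forum-d", mfa=set(), recovery={"sms"}),
    SiteConfig("dev-e", mfa={"totp", "key"}, recovery={"codes"}),
]


def downstream_exposure(policy: CarrierPolicy, caller_knows: set, sites) -> list:
    """Names of sites an attacker owns outright once the swap goes through."""
    if not sim_swap_succeeds(policy, caller_knows):
        return []
    return [s.name for s in sites if classify_site(s)[1]]


if __name__ == "__main__":
    for policy in (OBSERVED, HARDENED):
        print(policy.name, "->", downstream_exposure(policy, ATTACKER, SAMPLE_SITES))
```

The point the model makes is the one the paper makes: under the observed policy the attacker fails the PIN challenge, is simply asked the next question, and passes with a call-log entry they created themselves; under the hardened policy the first wrong answer ends the call, so the attacker never reaches a challenge they can pass and the downstream list of sites stays empty. On the website side, a site that resets passwords over SMS and also accepts SMS as its second factor is fully exposed to a hijacked number, while a site that merely offers SMS MFA as one option still needs the password as well.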
In their whitepaper, the researchers also make recommendations for carriers and for websites that rely on phone-based authentication to improve protection for their users.
Related: Twitter CEO Hack Highlights Dangers of ‘SIM Swap’ Fraud