IT professionals have been pushing for multifactor authentication for decades, and the advice is finally starting to catch on. More and more services are offering multifactor authentication, and one of the favorite techniques is to use the mobile phone as the second factor. The details can vary from system to system, but the basics are straightforward. When you try to use a service protected with multifactor authentication, first you put in your password. Then, an SMS message is sent to your mobile phone with a code that you have to enter to confirm that it’s really you.
This counts as two factors: the password is one, and you having your smartphone to receive the verification code is the other. No matter how you look at it, this is far more secure than simply using a password. But using mobile phones for multifactor authentication can be a double-edged sword, and fraudsters have figured out that if they can take control of your mobile phone, they can get a big leg up in impersonating you and stealing your login credentials. Hence, the SIM port attack.
SIM Port Importance
Your carrier has the ability to move — “port” in telephony parlance — your mobile phone number from one physical SIM to another instantaneously. Carriers depend on your personal details to authenticate you: your last bill, your tax ID number, your address and so on.
If a fraudster can get (or buy) that information somewhere, they may be able to convince your mobile phone carrier to port your number to a new SIM. This means that all of those verification codes don’t go to your mobile phone, but to the one sitting on the desk next to the cybercriminal.
Sometimes the fraudster already has your password, and all they need are the SMS messages to take over. Other times, they can use password reset — often authenticated using SMS messages as the only factor — to take over your email account, and then start moving laterally, getting control of accounts until they hit the jackpot they’re looking for. The attacks are sophisticated, customized and not particularly simple. But if you’re a prominent businessperson, someone with a major social media presence or who has a lot of money or cryptocurrency, you’re a confirmed target.
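The reset chain described above can be checked against your own account inventory. The following Python audit is an added example, not part of the original article: it computes which accounts fall, and in what order, once the phone number is ported. The account names and factor labels (sms, totp, hardware_key, email:<account>) are constructed assumptions.

```python
# Added example: audit of a constructed account inventory (hypothetical names).
# Each account lists its login/reset paths; a path is the set of factors that
# together are sufficient to get in. Taking over account X grants "email:X".

def exposed_accounts(inventory, initial=frozenset({"sms"})):
    """Return accounts reachable from the factors in `initial`, in takeover order."""
    controlled = set(initial)          # factors the fraudster holds after the port
    fallen = []
    changed = True
    while changed:                     # iterate to a fixed point (lateral movement)
        changed = False
        for account, paths in inventory.items():
            if account in fallen:
                continue
            if any(set(path) <= controlled for path in paths):
                fallen.append(account)
                controlled.add(f"email:{account}")
                changed = True
    return fallen


def without_sms_only_paths(inventory):
    """Mitigation: drop every path where SMS alone is sufficient."""
    return {acct: [p for p in paths if set(p) != {"sms"}]
            for acct, paths in inventory.items()}


# Constructed sample inventory.
INVENTORY = {
    "webmail":  [{"password", "totp"}, {"sms"}],              # SMS-only reset
    "bank":     [{"password", "sms"}, {"email:webmail", "sms"}],
    "exchange": [{"password", "hardware_key"}, {"email:webmail"}],
    "payroll":  [{"password", "hardware_key"}],
    "workmail": [{"password", "totp"}],
}

if __name__ == "__main__":
    print("exposed after port:", exposed_accounts(INVENTORY))
    print("after removing SMS-only reset:",
          exposed_accounts(without_sms_only_paths(INVENTORY)))
```

In this inventory the single SMS-only reset on the email account is what exposes the bank and exchange accounts; removing that one path leaves nothing reachable from the ported number alone.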
Your SIM Was Attacked. Now What?
When your mobile service is ported to a new SIM, your old phone goes dead — no cellular service. That’s the first sign that something is up, and your signal to make an emergency call to your mobile phone carrier. Other signs will pop up in your email — if your password still works, which it might not — such as password recovery attempts for other accounts you have.
For IT managers running Corporate Owned, Personally Enabled (COPE) or Choose Your Own Device (CYOD) programs, there are three clear action items to take before an attack occurs.
Looking Forward
IT managers should also evaluate their existing incident management plans to make sure that SIM porting attacks are adequately covered. Generally, this attack results in credential loss, which means that sensitive data can be exposed — but this is something incident management plans should already cover. What may need to be added are tools and procedures to recover control of the user’s mobile phone number after it has been commandeered by a cybercriminal.

