In August 2019, hackers managed to breach Twitter CEO Jack Dorsey's Twitter account and broadcast profanity to his 4 million followers. Although Twitter restored access to @jack's account within 18 minutes of the hack, the episode served as a grim reminder to the cybersecurity community: Even the tech-savvy can fall victim to simple hacks if they're not careful.
In Dorsey's case, the hacker group that calls themselves "Chuckling Squad" targeted him using a technique known as SIM swapping. In SIM swapping, attackers take control of a phone number associated with an online account and use it to seize ownership of the account. In recent months, Chuckling Squad has allegedly used the same technique to target several celebrities and online influencers, including actress Chloë Grace Moretz and YouTube star James Charles. Additional hackers have used the scheme to hijack other high-value accounts and even steal digital currencies.
SIM swapping exploits a fundamental flaw in the way mobile numbers are used to secure online accounts - both personal and corporate, if they're not protected with the right authentication technologies.
Unless individuals and businesses take the necessary measures and opt for more secure authentication methods, they will remain vulnerable to SIM swapping.
How does SIM swapping work?
Many online services allow users to link their accounts to a mobile phone number; some make it a mandatory requirement. Phone numbers are then used for two-factor authentication (2FA) to verify user identity for new device logins. Some services also allow users to reset their passwords after verifying their identity through an SMS sent to their associated mobile number.
Unfortunately, this method of online account security has proven ineffective. SIM swappers have clever ways of hijacking a victim's phone number and using it to access their accounts or reset their password. In most cases, attackers contact the victim's mobile carrier, posing as the phone number's owner and claiming to have lost their SIM card. They then request to transfer the number to another SIM card, after which the attacker can easily overtake a targeted account.
Needless to say that when it comes to SIM swap fraud, even the most complex password in the world won't protect your account.
In many cases, SIM swap scams succeed because of lax security practices by employees at mobile phone carriers. Alternatively, hackers may have accomplices at mobile retailers who help them circumvent authentication procedures meant to verify the identity of the original SIM card owner.
Twitter CEO Jack Dorsey became the victim of a "SIM swap" hack that allowed an attacker to post offensive tweets that appeared to come from himTwitter CEO Jack Dorsey became the victim of a "SIM swap" hack that allowed an attacker to post offensive tweets that appeared to come from him Photo: AFP / Prakash SINGH
The classic way to protect yourself against SIM swapping
Security experts suggest two main tips to protect against SIM swaps:
Assigning PIN numbers to SIM cards: Most major mobile phone companies allow customers to assign personal identification numbers (PIN) on their accounts to prevent SIM swap attacks. After assigning a PIN to your mobile number, anyone who wants to transfer your number to a new SIM card must provide the passcode.
While PIN codes make it harder to stage SIM swapping, it's not a perfect solution. If attackers have an accomplice working at a mobile carrier, they can override PIN approval and perform a SIM swap.
In 2018, Florida police arrested a man for using SIM swapping to compromise bitcoin wallets and steal hundreds of thousands of dollars worth of cryptocurrencies from his victims. The man was part of a ring of nine hackers, including an employee at a mobile retailer. In another case, hackers aided by a rogue mobile carrier employee staged a SIM swap attack against a Boston man with a coveted three-letter Instagram account, the likes of which are considered the crème de la crème of the platform's handles for their simplicity to remember.
Even with threats aside, users tend to forget PIN codes because they don't use them often. And when they truly lose their SIM card, they get locked out of their account because they can't transfer their mobile number to a new SIM card.
Virtual and dummy phone numbers: Another popular method to prevent SIM swaps is registering accounts using a virtual phone number - a number that cannot be transferred to a SIM card. There are several services that provide these online numbers that can receive SMS codes. However, these services have their own security flaws and are not always easy to use, nor supported by all online services.
Alternatively, separate SIM cards can be used exclusively for managing online business accounts. These numbers should never be shared with anyone else. The point is that if attackers can't discover the phone number associated with an account, they won't be able to stage a SIM swap attack. But that is a method of "security by obscurity," where you hide your head in the sand, hoping that hackers don't find your information. Experience shows that security by obscurity is no security at all, and it's only a matter of time before crafty, adamant hackers find vulnerabilities.
The real way to protect your accounts against SIM swapping
Unfortunately, all the above methods are Band-Aid approaches to solving the simple-yet-dangerous problem of SIM swapping. Organizations that want to protect their employees' corporate accounts against such attacks must seek methods that eliminate SMS codes altogether, while still providing security and ease of use.
We've seen a step in this direction as several German banks in particular have moved, or plan to move, away from SMS-based one-time passcodes (OTP) for clients to comply with recently-enacted EU legislation that regulates online payment.
Experience shows that employees and average users often choose convenience over security. Memorizing PIN codes along with handling virtual phone numbers and separate SIM cards introduce too much friction for most users, which is why they remain unpopular.
And let's not forget that none of these measures eliminates one of the main threats to online accounts: passwords. Even without SIM swaps, online accounts still face hacking threats if the user chooses a poor password or reuses a hacked password. In fact, compromised passwords constituted a leading factor in data breaches over the past year, according to a 2019 analysis by Verizon.
The ultimate solution to prevent SIM swapping is to replace SMS-based 2FA with a secure multi-factor authentication solution. This is especially important for organizations and companies that would face much larger repercussions than personal account holders in the case of a hijacking.
As corporate enterprises continue to eye passwordless MFA technologies as their preferred method of authentication, push notifications have emerged as increasingly popular both from a security and user experience perspective. Rendered more difficult to intercept or redirect than SMS-based methods, push authentication validates login attempts by sending access requests to an associated mobile device. According to Gartner estimates, 50% of enterprises using mobile authentication will adopt mobile push as a linchpin of authentication by 2020.
Fortunately, with standards such as FIDO2 it is now easier than ever to develop and deploy secure and easy-to-use authentication solutions that can protect online accounts against most major account hijacking techniques, including SIM swapping. These standards, which are supported by all major browsers and mobile platforms, enable users to employ secure authentication methods such as mobile authenticators and physical authentication keys.
Hackers will always seek new ways to lay their hands on sensitive and valuable data. We shouldn't make their job easier by choosing bad authentication mechanisms.
(Shimrit Tzur-David is Co-Founder and CTO at Secret Double Octopus.)
This article first appeared in IBTimes.com.