Some thoughts about SIM Hijacking

The SIM hijacking, also know as SIM swapping, is an attack where a criminal contacts the cell phone provider of a target user, and convinces it (sometimes involving employees of the phone company) to switch target’s account to a SIM that he control.
Since smartphones are often used as a security measure/verification system, this allows the fraudster to take over accounts of the target.


How SIM Swapping Attack works?

According a useful article [1] by PandaSecurity:

When you call your wireless carrier over the phone, the operator usually goes through a quick verification process with you. They often ask for your full name, address, phone number, DOB, and passcode or the last four digits of your social. All of this information has leaked at some point in the past so hackers might have purchased the data from the dark web, or might have used other social-engineering ways to get the needed details – as we’ve previously reported, finding someone’s address, cell, and DOB is not as hard as we all want it to be.

Gaining access to your account allows the hackers to pass the 2-step verification process on various places but also allows them to purchase whatever they want from your wireless carrier itself. Imagine if the devices for the five available upgrades on your account are sent to an unknown address on the other side of the country, and you are the one billed for them on your next month’s billing statement.

Also this video from NBC may be useful:


Is there a fix?

Despite phone companies have added security measures since this attack became popular and public, a recent study [2] shows that the measures aren’t helping:

We examined the authentication procedures used by five pre-paid wireless carriers when a customer attempted to change their SIM card. These procedures are an important line of defense against attackers who seek to hijack victims’ phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses.
We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers.
We also found that attackers generally only needed to target the most vulnerable authentication challenges, because therest could be bypassed.
In an anecdotal evaluation of postpaid accounts at three carriers we also found—very tentatively—that some carriers may have imple-mented stronger authentication for postpaid accounts than for prepaid accounts.
To quantify the downstream effects of these vulnerabilities,we reverse-engineered the authentication policies of over 140 websites that offer phone-based authentication. We rated the level of vulnerability of users of each website to a SIM swap attack, and we plan to publish our findings as an annotated dataset.


How to protect yourself?

For some mitigations, i refer again to the PandaSecurity paper:

Very often wireless carriers use the last four digits of your social for as your default passcode – as you know, your SSN might have already been exposed and be in possession of the hackers. So if you want to avoid becoming a victim of SIM hijacking, we strongly recommend you to call your carrier and set up a passcode that you haven’t used anywhere else before.

Cybercriminals might decide to attack your phone instead so having antivirus software is usually the layer of security hackers cannot, or don’t have the time, to deal with. Last but not least, keep an eye on your email.

When wireless carriers make a change on your account, they sent you an email confirmation with the changes. If you are unsure what is happening or you do not recognize the transaction, google their phone number and call them. The sooner you call, the easier will be for you to minimize the amount of damage inflicted by the fraudsters.


References

  1. SIM Hijacking Explained
  2. An Empirical Study of Wireless Carrier Authentication for SIM Swaps

Related posts

  1. TikTok fixed several vulnerabilities that could allow hijacking of any account
  2. A new Android vulnerability (CVE-2019-2234) allows attackers to hijack Camera App