Sim Swapping: It’s Not as Fun as It Sounds
Cybersecurity continues to dominate IT news, with one of the industry’s premier cybersecurity companies, FireEye, getting breached recently by nation-state hackers from a country with “top-tier offensive capabilities.” How can organizations protect themselves from bad actors when security companies struggle to? Having implemented some of the most stringent cybersecurity protocols for the Department of Defense, our experience has proven that a wide range of authentication solutions from short message service (SMS) and two-factor authentication (2FA) to true multifactor authentication (MFA) using hardware tokens can protect your enterprise from cyber criminals. That said, it is important to understand that all authentication, using SMS or not, is ultimately “hackable.” The level of effort required to execute a successful attack, and whether a capable adversary is motivated to execute it, is what determines if your data will be safe.
Despite appearing like simple fixes, 2FA and MFA have proven to be effective methods to prevent breaches while complying with industry and government standards such as CMMC and HIPAA. When choosing an MFA option, there are multiple factors to consider and, as with all cybersecurity options, decisions are based on a risk/benefit analysis. Authentication “factors” are broken down into three types of information the user provides: something they know (username and password), something they are (biometrics) or something they have (a hardware token). If two of these types of factors (2FA) are used, it makes for a strong protocol. If all three factors (MFA) are used, the greatest protection is achieved.
When implementing MFA, SMS based options are very attractive based on their ease of use, simple implementation, and low cost because SMS is standardized across the telecom industry and used by anyone with a smartphone. SMS 2FA sends a one-time password (OTP) to a user’s cellphone, which serves as the “something you have.” The problem with SMS 2FA is that an adversary can easily pretend to have your cell phone using a technique called Subscriber Identity Module (SIM) swapping. In the past, SIM cards were physical hardware that served as the identity of a phone. Today, SIM cards are represented digitally and can be transferred from phone to phone with little more than a phone call to the cellular provider. Using a combination of social engineering and phishing attacks, an adversary can impersonate a target’s SIM card and authenticate using the texted OTP.
It is helpful to look at the types of attacks used to beat SMS 2FA. The most common technical attacks involve session hijacking. An adversary will attempt to steal a session token by intercepting communications from the victim. This is known as a Man-in-the-Middle (MITM) attack. Also, if an attacker has access to an endpoint, known as Man-in-the-Endpoint (MITE), stealing session cookies is insignificant because the attacker has full control to execute any attack at his disposal. Understanding how adversaries will often use the path of least resistance is critical to businesses. In this regard, phishing and social engineering are the greatest risk to SMS 2FA. Simply by learning the target’s cellphone number, email, and some other identifying information, an attacker can call the victim’s service provider and transfer the target’s SIM information to their device.
The key to enterprise security is working with a partner who has the experience necessary to navigate risk-based decisions such as the use of SMS for 2FA. Nolij helps organizations prevent these attacks by explaining how these tactics are used, the precautions needed to mitigate the attacks, and by providing consistent phishing training to staff. For example, the best practice to decreasing any SMS swapping attacks is not to include a cell phone used for authentication messages in the email signature block. If attackers do not know your number, they cannot impersonate you. Additionally, using an authenticator app is a good solution because it requires an attacker to have physical access to a device. In cybersecurity, the goal is not to find a perfect solution, but to make hacking a system more trouble than it is worth. If a high degree of technical knowledge is necessary to conduct an attack, it may deter bad actors from trying at all. As the saying goes, “An ounce of prevention is worth a pound of cure.”