The SIM Hijackers (vice.com)
Lorenzo Franceschi-Bicchierai of Motherboard has a chilling story on how hackers flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victims' weakness? Phone numbers. He writes: First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering -- perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years) -- the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card. Game over.
Meanwhile, many banks here are dropping actual 2FA based on the chips in our bank cards, and replacing it with security codes sent by SMS. Great idea. What really surprises me in this story is that T-Mobile sent a warning to their customers instead of changing their procedures and no longer performing SIM swaps for any Tom, Dick & Harry who identifies themselves with a (semi-public) SS number.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
If the victim has an email address associated with the mobile phone account (almost everyone does), the phone service should send a code to the email address and ask the "customer" to read it out when they receive it.
No code, no phone redirect. We'll stick a new SIM card in the post to put in your new phone.
Summation 2
That is because you only look at the security. I look at the usability. I would have to buy a new phone and what I can buy would be limited. Obviously the majority of the people would go for one that will be fixed on the phone, so having it on the phone is less secure than having data on the phone.
And I am sure there will be different ones from bank to bank. I already have two RSA key generators. One that works as it is, the other I have to put my card in. So that means that when I travel I either take them with me, with the risk of losing them. That would require replacement when I get home and that will take time. At least a day of work and a trip to the bank to ask for a new one.
Or I do not take them with me and if I want to do a transfer, I am unable to do so. Yes, I have been in a situation where I needed to transfer more than the minimal daily amount I can do with my phone (limited at 2500 EUR) and did not have the RSA generators with me in a foreign country. Luckily the company understood the reason and took the risk of getting payment after they performed their service.
To me what would be OK is if they all used Google Authenticator and sent the specific codes via snail mail, like they send PIN codes via snail mail. Not via email. Not even if it is an emergency. Not to the bank. Not to your neighbor, or your dad or your son.
And changing the address must be done with proof. But in Belgium we have it easy. Everybody older than 12 has to have an ID. On that ID is a chip. That chip can be read with open source software and even can be used for other things. Just yesterday I filled out my taxes.
A change of address means you need to go to the city hall. They will edit your address and put the new address on the chip. So if I say my SIM card is broken, they will send a new one. I do not think they will just put it on another SIM card.
The real issue is that they put it on another SIM card without you being there. Either send a new one or let people go to a store where they need to identify themselves in a manner that is normal where you live.
Don't fight for your country, if your country does not fight for you.