The SIM Hijackers

Lorenzo Franceschi-Bicchierai of Motherboard has a chilling story on how hackers flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victim's weakness? Phone numbers. He writes: First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering -- perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years) -- the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card. Game over.

Yubikey

[darkain]

I wonder how long until these "hackers" figure out how to call a company and steal my Yubikey authentication credentials...

Re:Yubikey

[golgotha007]

Not sure if you're trolling or what, but perhaps you have no idea how yubikey works.

https://www.yubico.com/solutio...

Re:Yubikey

[Luthair]

Hi customer service, I lost my 2 factor device can you remove it from my account. k thx bye.

Re: Yubikey

Everyone should call their carrier and put a security notice on their account that in order to change a SIM the user needs to appear in person at a retail store with photo ID. It's not foolproof but it's a big step forward.

2FA

[JaredOfEuropa]

Meanwhile, many banks here are dropping actual 2FA based on the chips in our bank cards, and replacing it with security codes sent by SMS. Great idea. What really surprises me in this story is that T-mobile sent a warning to their customers instead of changing their procedures, and no longer perform sim swaps for any Tom Dick & Harry identifying themselves with a (semi public) SS number.

Re:2FA

[dohzer]

When the owner calls to pay or update an account, they ask for your password and some personal details.
It's a shame that all you need to switch service providers is a few personal details.

Turn authentication up to 3

[AHuxley]

Are we going to need another step?
A call on a POTS? Use the mail and a mailbox to secure another way of communications?

Re:Turn authentication up to 3

We need a physical visit to the operator's store and a government provided ID card to do things like the submission describes. YOU WILL TOO!!!

Not new

[golgotha007]

I work in the crypto asset space and these types of attacks have been going on for years now. If your 2FA is based on SMS or a call-back, you're doing it very wrong.

For those interested in doing 2FA correctly, buy a yubikey (USB-C if your phone supports) and couple that with Yubico authenticator which is 100% compatible with Google Authenticator. The major difference is that none of your 2FA codes appear until you plug your yubikey into your phone and nothing sensitive is stored on the phone itself. This way, the attacker would physically need your yubikey to authenticate as you - problem solved.

Re:Not new

[houghi]

That is because you only look at the security. I look at the usability. I would have to buy a new phone and what I can buy would be limited. Obviously the majority of the people would go for one that will be fixed on the phone, so having it on the phone is less secure than having data on the phone.

And I am sure there will be different ones from bank to bank. I already have two RSA key generators. One that works as it is, the other I have to put my card in. So that means that when I travel I either take them with me, with the risk of losing them. That would require replacement when I get home and that will take time. At least a day of work anb go to the bank and ask for a new one.

Or I do not take them with me and if I want to do a transfer, I am unable to do so. Yes, I have been in a situation where I needed to transfer more than the minimal daily amount I can do with my phone (limited at 2500 EUR) and did not have the RSA generators with me in a foreign country. Luckily the company understood the reason and took the risk of getting payment after they performed their service.

To me what would be OK is if they all used Google Authenticator and send the specific codes via snail mail, like they send pin codes via snail mail. Not via email. Not even if it is an emergency. Not to the bank. Not to your neighbor, or your dad or your son.

And changing the address must be done with proof. But in Belgium we have it easy. Everybody older than 12 has to have an ID. On that ID is a chip. That chip can be read with open source software and even can be used for other things. Just yesterday I filled out my taxes.

A change of address means you need to go to the city hall. They will edit your address and put the new address on the chip. SO if I say my SIM card is broken, they will send a new one. I do not think they will just put it on another sim card.

The real issue is that they put it on another sim card without you being there. Either send a new one or let people go to a store where they need to identify themselves in a manner that is normal where you live.

Re:Not new

[datavirtue]

Remember when there was all that hubbub about the problem of social security numbers and congress was looking into solving the problem. Guess the banks crushed that shit.

Re:Chilling?

[hcs_$reboot]

"Game over" you mean like during the pinball era? Sounds more like it was written by a 60 years old.

Is this a joke?

[volodymyrbiryuk]

Or are there still companies out there using SSN for authentication.

Social Security Number or home address are public.

No need for any "hack" since the information is already available for free to anyone asking for it.

Solution

[Rik+Sweeney]

If the victim has an email address associated with the mobile phone account (almost everyone does), the phone service should send a code to the email address and ask the "customer" to read it out when they receive it.

No code, no phone redirect. We'll stick a new SIM card in the post to put in your new phone.

Technical checks

Why don't carriers check basic stuff like whether the SIM is still active on the network in the same mobile device it has always been before doing the swap?

Re:Technical checks

[tlhIngan]

Why don't carriers check basic stuff like whether the SIM is still active on the network in the same mobile device it has always been before doing the swap?

Because it wouldn't make much difference? There can be plenty of legitimate reasons why you want to transfer the SIM despite the SIM actually being active on the network already.

Like say, you losing your phone and thus wanting to transfer your service to a new phone (and new SIM card).

Given the hacker already can transfer the SIM which quires knowing things about the subscriber anyways, it wouldn't be much more effort to simply have them say "I lost my phone. I have a replacement and could you please transfer over my service?". "Yes, I tried calling it, but no one answered". "Yes, I looked at that location (using GPS location to find it)". etc. etc. etc.

Re: Chilling?

Bill Paxton strongly disagrees.

I mean, did you SEE those things out there?!?!

The drop ship is complete wreckage. This is just great.

And how can they cut the fucking power, the power, on a nuclear teraforming plant?!

Game over man, game over.

hackers flip seized instagram handles?

[ArchieBunker]

Talk about a word salad. Interior crocodile alligator, I drive a Chevrolet movie theater.