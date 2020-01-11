

Image: Brett Jordan

An academic study by Princeton University, published yesterday, found that five major US prepaid wireless providers are vulnerable to SIM swapping attacks.

A SIM swap is when an attacker calls a mobile provider and tricks the telco's staff into moving a victim's telephone number onto a SIM card the attacker controls.

This allows the attacker to reset passwords and gain access to sensitive online accounts, such as e-mail inboxes, e-banking portals or cryptocurrency trading systems.

Over the past year, Princeton academics tested five major US telecom providers to see whether they could trick call center staff into moving a user's phone number to another SIM without providing the correct account information.

According to the research team, AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless were found to use vulnerable procedures at their customer support centers, procedures that attackers could use to perform SIM swapping attacks.

In addition, the research team reviewed 140 online services and websites and analyzed on which of these an attacker could use a SIM swap to hijack a user account. According to the research team, 17 of the 140 websites were found to be vulnerable.

American telco research

For the part of their research that focused on US telcos, the research team said it had created 50 prepaid accounts, ten at each carrier. Each of the 50 SIM cards was used in a separate phone and for real calls, so that every account had a realistic call history.

When the time came, the research team called each telco's customer service center and followed the same procedure.

Image: Lee et al.

The idea was that the attacker calls a telco support center to request a SIM card change, but deliberately gives the wrong PIN and incorrect account-owner details.

“When providing incorrect answers to personal questions, such as date of birth or invoice zip code, (research assistants) would explain that they had been negligent when registering, may have provided incorrect information, and could not recall the information they had used,” researchers said, explaining the excuses they gave to call center staff.

At this point, once the first two authentication mechanisms (PIN and account-owner details) have failed, the telcos' procedures require call center operators to fall back on a third mechanism: asking the caller for details of the two most recent calls made from the account.

The research team says an attacker could trick a victim into calling specific numbers, for example with a scenario such as ‘you have won a prize, call here; sorry, wrong number, call here instead’.

Once the attacker has tricked the owner of the SIM card into placing those two calls, they can use that information to call the telco's call center and carry out the SIM swap.

Princeton researchers said they could mislead all five American prepaid wireless providers with this scenario.

When they published their research yesterday, four providers were still using the vulnerable procedure, despite the research team having notified all parties involved. Of the five, T-Mobile told the research team that it had stopped using call logs for customer authentication after reviewing their findings.

Online service survey

But the Princeton researchers also went one step further. For the next phase of their research, they wanted to see what an attacker could do after carrying out a SIM swapping attack.

To do this, they analyzed the login and multi-factor authentication (MFA) procedures used by 140 of the most popular online sites and services, ranging from social media networks to e-mail providers, and from cryptocurrency trading sites to business solutions.

They found that on 17 sites, an attacker who had hijacked a user's phone number through a SIM swap could reset the account password and gain full access to the victim's online profile, with no other security mechanism in place to authenticate the user.

In other words, the account recovery process for these 17 sites relied solely on an SMS-based mechanism. After compromising a victim's telephone number, an attacker could reset the password without having to control the user's email or provide any other user secret (password-reset questions, date of birth, etc.).
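As an added example (not code from the Princeton paper or from this article), the following Python models the check the researchers applied to each site's recovery flow: does any recovery path accept only phone-bound factors, so that a hijacked number alone unlocks the account? The factor names and the three site policies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Factors an attacker holds after hijacking only the victim's phone number.
# Constructed classification for this example; a real audit would map each
# site's recovery options onto these categories.
PHONE_BOUND = frozenset({"sms_code", "voice_call_code"})


@dataclass(frozen=True)
class RecoveryPath:
    """One way a site lets a user regain access; every factor must be presented."""
    name: str
    factors: FrozenSet[str]

    def defeated_by_sim_swap(self) -> bool:
        # A path falls to a SIM swap alone when every factor it demands is
        # delivered to, or proves possession of, the phone number.
        return bool(self.factors) and self.factors <= PHONE_BOUND


def sim_swap_only_paths(paths: List[RecoveryPath]) -> List[str]:
    """Return the names of recovery paths that a hijacked number alone unlocks.

    A site is exposed if any single path is defeated, because the attacker
    chooses which recovery option to invoke.
    """
    return [p.name for p in paths if p.defeated_by_sim_swap()]


# Constructed policies modelled on the situations the study describes.
SMS_ONLY_SITE = [
    RecoveryPath("forgot-password", frozenset({"sms_code"})),
]
# Offering email as an alternative does not help while SMS alone is still accepted.
SMS_OR_EMAIL_SITE = [
    RecoveryPath("sms-reset", frozenset({"sms_code"})),
    RecoveryPath("email-reset", frozenset({"email_link"})),
]
HARDENED_SITE = [
    # SMS remains in use, but only alongside a factor the attacker lacks.
    RecoveryPath("forgot-password", frozenset({"sms_code", "email_link"})),
    RecoveryPath("lost-phone", frozenset({"backup_code"})),
]

if __name__ == "__main__":
    for label, site in [("SMS-only", SMS_ONLY_SITE),
                        ("SMS-or-email", SMS_OR_EMAIL_SITE),
                        ("hardened", HARDENED_SITE)]:
        print(f"{label} site exposed via: {sim_swap_only_paths(site)}")
```

The second policy shows the point the study's finding turns on: a site is only safe from number takeover when no recovery path can be completed with phone-bound factors alone.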

The full results for the analysis of the 140 websites are available here. The research team has removed the names of the 17 vulnerable services from their paper to prevent SIM swappers from targeting those sites in future attacks.

Additional details can be found in a white paper called “An empirical study into wireless carrier verification for SIM swaps”.