
SoylentNews is people

posted by mrpg on Thursday July 19 2018, @01:11AM
from the sim-pin dept.

A lot of companies, some quite big and prominent, fool people into thinking that a phone is a second authentication factor. Due to the transferability of the phone number associated with a random SIM card and the ease with which social engineering and even conspirators inside the carrier itself can be used to gain control of that number, it is not and can never be "something you have". That does not stop companies from pretending or marks from playing along. Motherboard has an article about how the weaknesses around SIM cards are being exploited more and more frequently to perpetrate massive fraud.

First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering—perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years)—the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card.

From Motherboard: The SIM Hijackers


  • (Score: 3, Interesting) by edIII on Thursday July 19 2018, @04:55AM (2 children)

    by edIII (791) on Thursday July 19 2018, @04:55AM (#709218)

    Laughingly, prominent security sites and basically every crypto exchange view landlines and VoIP lines as easily compromised versus a smart phone with a wireless carrier. Which is complete and utter backasswards bullshit.

    The reason why my "landline" is damn secure from a porting attack is that the policies regarding a port mandate an email to the losing carrier asking them for permission. Smaller outfits can afford a deny-by-default rule requiring that the user (me) consent to the port out. AT&T? They don't give a fuck. Any well-formed port request (correct billing info and a signed LOA) gets you an instant port out. Well, except for 14-21 illegal days they take on landlines. Wireless is 24 hours though.

    I myself have a default-by-deny milter rule that responds back instantly with a very firm and direct no, then emails me, txt messages me on my burner, and logs the request to file. The odds of anyone doing it without me knowing it are slim to none, let alone get around my instant denial with the insistence that the bill is not current, that money is owed, and therefore the port must be rejected out-of-hand.

    That's not the real vulnerability anyways. It's the SS7 protocol in use by the PSTN that was never very secure to begin with. I think AT&T just recently announced they had rolled out SS7 security protections on their entire network. Crickets from Verizon, T-Mobile, and Sprint AFAIK.

    But, yeah sure, a fucking txt message or phone call on a cellphone is a more secure two-factor.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 0) by Anonymous Coward on Thursday July 19 2018, @06:04AM (1 child)

    by Anonymous Coward on Thursday July 19 2018, @06:04AM (#709235)

    How do you obtain VoIP service? I would love to host my own number.

    • (Score: 4, Interesting) by edIII on Thursday July 19 2018, @08:02PM

      by edIII (791) on Thursday July 19 2018, @08:02PM (#709599)

      This is fun :)

      You become your own telephone company. I charge myself for the bill. That's why I can deny the port out, because I owe my own ass money for the phone all the time. Deadbeat motherfucker....

      1. Go to a major outfit like Twilio or Flowroute.
      2. Purchase a DID. It will cost you a few bucks each month for service, including e911 service. If you register your residence as a service address and configure it, you have 911 services just like any traditional landline telephone.
      3. As a bonus you get SMS service on it as well, but honestly that requires a little coding on your part and hosting your own server. Requires a bit of skill.
      4. If you want to port an existing number to them, you can do that as well. Make sure your bill is current, sign your own Letter-Of-Authority (you can get the form from Twilio or Flowroute), and wait a day or two.
      5. You will need to run your own Asterisk server. Kinda beyond the scope of this, but many distributions have web front ends and make it easy. I suggest something like FreePBX.
      6. Point your number to your Asterisk server, and set a backup route to your burner phone. For the love of God, heavily restrict that server with firewall rules to ONLY communicate with either Twilio, Flowroute, or your residence. You have no business trying to accept random SIP connections from Rwanda, and your asshole will have something in common with the center of the galaxy if you don't. You've been warned. If you have a "road warrior" configuration on your laptop, your SIP connections will be coming from the internal network anyways when connecting to your Asterisk server.
      7. If doing SMS, have your server relay those via email to your burner phone. I only use txt messages as a backup channel.
      8. Keep paying the bills.

      Now, if somebody attempted a porting attack, you will get an email as the account owner requesting acknowledgment within 24 hours. Twilio is kinda big, and so is Flowroute. Their policies are I think to allow it, if you say nothing. Hence the automatic reply rule you could construct in your email service I'm sure. Either that or Thunderbird can apply rules too. Actually running a milter server for your email is a bit advanced and you would need to be a fairly good sysadmin with knowledge of different email platforms. Automatic responders are easier to manage in this case. Remember to ask the provider for an example of a port out request. They should email you with it, which helps configure the automatic responder.

      In your response to the carrier, you claim that you are white labeling their service and that the client (you) owes you money. Hence, the denial based in the law regarding number porting.

      This is why those people claiming cell phones are more secure are full of shit and should stop claiming they know anything about security in telecommunications. Twilio or Flowroute will not respond to social engineering to expedite or assist the port, and at the very least, nothing prevents you from getting the email. An attacker attempting a porting attack would necessarily need to compromise your VoIP account as well, rerouting the emails to them. Layered security FTW.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
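
A sketch of the deny-by-default auto-responder described in the comment above, as an added example that is not part of the original post or any provider's tooling. The provider domain, the phone number, and the wording of the notice are assumptions; replace them with values taken from the sample port-out notice your provider sends you.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions (not from the original post): provider domain, DID, and the
# wording of the notice. Take the real values from your provider's sample.
PROVIDER_DOMAIN = "voip-provider.example"
MY_DID = "+15555550123"
PORT_OUT_RE = re.compile(r"port[\s-]*out", re.IGNORECASE)
NUMBER_RE = re.compile(r"\+?1?[\s.-]?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")

# Constructed sample notice, not a real provider message.
SAMPLE = """From: Porting Desk <porting@voip-provider.example>
Subject: Port-out request received
Message-ID: <abc123@voip-provider.example>

We received a request to port out +1 (555) 555-0123. Reply within 24 hours.
"""

def handle(raw, log):
    """Return a denial reply for a port-out notice about MY_DID, else None."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # From: is spoofable; the reply only ever goes to the provider's domain.
    if not sender.endswith("@" + PROVIDER_DOMAIN):
        return None
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + (body if isinstance(body, str) else "")
    if not PORT_OUT_RE.search(text):
        return None
    numbers = {"+1" + "".join(m.groups()) for m in NUMBER_RE.finditer(text)}
    if MY_DID not in numbers:
        return None
    log.append(f"port-out request for {MY_DID} from {sender}")  # audit trail
    reply = EmailMessage()
    reply["To"] = sender
    reply["Subject"] = "Re: " + msg.get("Subject", "")
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]  # keep the provider's thread
    reply.set_content(f"Port-out of {MY_DID} is DENIED. "
                      "The account holder has not authorized this request.")
    return reply

if __name__ == "__main__":
    log = []
    print(handle(SAMPLE, log), log, sep="\n")
```

The returned message still has to be handed to your mail system for sending, and the log entry is the hook for the separate email or SMS alert to the account owner.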