SoylentNews is people

posted by mrpg on Thursday July 19 2018, @01:11AM
from the sim-pin dept.

A lot of companies, some quite big and prominent, fool people into thinking that a phone is a second authentication factor. Due to the transferability of the phone number associated with a random SIM card and the ease with which social engineering and even conspirators inside the carrier itself can be used to gain control of that number, it is not and can never be "something you have". That does not stop companies from pretending nor marks from playing along. Motherboard has an article about how the weaknesses around the SIM cards are becoming all the more frequently exploited to perpetrate massive fraud.

First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering—perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years)—the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card.

From Motherboard: The SIM Hijackers


  • (Score: 1, Informative) by Anonymous Coward on Thursday July 19 2018, @09:24AM (#709295)

    It's called a secure element and it's been a thing for a while. Back before ISIS was a synonym for terrorist group, it was the name of a payment company. They partnered with AMEX and issued SIMs with a secure domain that could be registered with any carrier. The phone would then double as a credit card at any NFC "tap n pay" terminal that accepted AMEX. There was no card cloning or storing of the card number on the phone. The SIM was the chip in a chip n pin transaction. You would pop open an app, enter your PIN, then tap your phone, hit accept and *poof* your purchase was paid for.

    The first time I used it successfully was at a small grocery store in podunk Colorado. I saw the logo on the payment terminal. It was amazing to watch the cashier's face, she had no idea that could even be done.
    Sadly, ISIS went away when the name got conflated with a terrorist group. The service is gone now and I've yet to find a similar replacement. There may be SIM payment systems, but this one offered a healthy cashback on each transaction that really made it worthwhile to use.

    That trace between NFC and SIM is there to power the secure element. The NFC gets a request, passes it to the SIM, the SIM communicates with the app to get your approval and then signs the request with a private key that is embedded in the SIM. Nothing other than destination and amount transits outside the NFC/SIM pathway, and the embedded private key means no card numbers change hands; it is end-to-end encrypted with perfect forward secrecy.
    https://www.gemalto.com/mobile/secure-elements

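The approve-then-sign flow the comment above describes, as an added software simulation that is not code from the commenter or from any payment provider. The `SecureElement` type, its method names, the message layout and the choice of ECDSA P-256 are assumptions made for illustration; the comment names no algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// SecureElement is a hypothetical stand-in for the SIM's secure domain; no method returns key.
type SecureElement struct {
	key *ecdsa.PrivateKey
	pin []byte
}

// NewSecureElement generates the key inside the element; only the public half leaves.
func NewSecureElement(pin string) (*SecureElement, *ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SecureElement{key: k, pin: []byte(pin)}, &k.PublicKey, nil
}

// digest binds destination, amount and the terminal's one-time nonce into one hash.
func digest(dest string, cents uint64, nonce []byte) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d:%s|%d|%x", len(dest), dest, cents, nonce)))
	return h[:]
}

// Approve signs only after the PIN check, mirroring the app approval step.
func (se *SecureElement) Approve(pin, dest string, cents uint64, nonce []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), se.pin) != 1 {
		return nil, fmt.Errorf("user approval failed")
	}
	return ecdsa.SignASN1(rand.Reader, se.key, digest(dest, cents, nonce))
}

// Verify is the issuer side; it needs only the enrolled public key.
func Verify(pub *ecdsa.PublicKey, dest string, cents uint64, nonce, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(dest, cents, nonce), sig)
}

func main() {
	se, pub, _ := NewSecureElement("4821") // constructed sample PIN
	sig, _ := se.Approve("4821", "grocer-17", 1299, []byte("nonce-1"))
	fmt.Println(Verify(pub, "grocer-17", 1299, []byte("nonce-1"), sig))
}
```

A signature produced this way fails verification if the amount, destination or nonce is changed, and a different element with the same PIN cannot produce it; the phone number plays no part in the check.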