posted by mrpg on Thursday July 19 2018, @01:11AM   Printer-friendly
from the sim-pin dept.

Many companies, some of them large and prominent, lead people to believe that a phone is a second authentication factor. Because the phone number tied to a given SIM card can be transferred, and because social engineering, or an accomplice inside the carrier itself, can be used to take control of that number, the number is not, and cannot be made, "something you have" in the sense that factor requires. That does not stop companies from pretending, nor marks from playing along. Motherboard has an article on how the weaknesses around SIM cards are increasingly being exploited to perpetrate large-scale fraud.

First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering—perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years)—the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card.

From Motherboard: The SIM Hijackers


  • (Score: 3, Informative) by EvilSS (1456) Subscriber Badge on Thursday July 19 2018, @01:28PM (#709365)

    It is, but it's just not a safe way to do it because it's become too easy to hijack with a little info on your target. Even NIST is recommending against it in their latest publications. Remember that run of celebrity social media account hijacks a while back? Those were done by social engineering the phone company into changing the service to a new phone and then the perps had access to the SMS 2FA. Soft tokens (or better hard tokens) work just as well and don't fall prey to this kind of attack (most need to be reinitialized or manually transferred from the old device to the new; just swapping the telco account to a new phone won't bring them along).