One of the key pieces of our digital identities, whether we like it or not, is our mobile phone number. You are likely to use it one way or another as a two-factor authentication login (you shouldn’t). The thing is that, as has been demonstrated several times, phone numbers can easily be hijacked in a few steps by malicious actors who call the operators’ customer service representatives, many of whom are very willing to help users get out of what is supposedly a stressful situation. So how easy is it to steal someone’s phone number on a prepaid network? Extremely, say Princeton University researchers in a recently published draft.
Kevin Lee, Ben Kaiser, Jonathan Mayer and Arvind Narayanan of the School’s Information Technology Center carried out a series of simulated attacks last year using prepaid accounts at AT&T, T-Mobile, Verizon, Tracfone and US Mobile. Since prepaid networks do not require credit checks for customers to register, the researchers could easily scale up their experiment.
The threat model assumed that the attacker would know only the victim’s name and phone number, and would hijack the number by buying a SIM card and asking the operator to move the victim’s account to that SIM. This would require the attacker to authenticate as the victim by providing correct information in response to security challenges. For the purpose of the attack, the researchers therefore considered some challenges to be secure: an account PIN or password, or a one-time code sent by email or SMS. After all, if you can divert someone’s SMS traffic, why would you steal their number in the first place?
Methods in green are secure authentication challenges in a theoretical SIM swap attack. Methods in red can be bypassed using available data. Methods in yellow can be bypassed through manipulation by the attacker.
Each operator used a variety of challenges to authenticate the attacker. Many of them, such as the street or email address, the date of birth, the last four digits of a credit card, the IMEI or the ICCID, were considered easy to overcome if one knows which public records or data aggregator to search. Other challenges can be passed with knowledge of only the victim’s number: for the date of the last payment, the attacker could simply top up the account without going through any security challenge; for the last outgoing call, the attacker could dial the victim’s number and prompt a callback, either by posing as a familiar entity or through confusion.
The academics found that, out of ten attempts with each operator, they were able to hijack the number every time at AT&T, T-Mobile and Verizon. They were less successful with Tracfone (six times) and US Mobile (three times) but, worryingly, in each of those cases the service representative helped the attacker remember answers to security questions such as “What is your first pet called?” and, even when the attacker could not answer any of them correctly, authenticated the SIM swap. In addition, the representatives gave out other account information without authenticating the attacker.
The researchers recommend that operators rely more on one-time passwords, even as a way to initiate a service call. The document also recommends that companies follow up with customers after failed authentication attempts, and that any service using multifactor authentication be discouraged from accepting methods based on phone numbers, such as SMS. Oh, and you should probably check the security settings on all your online accounts and make sure you have removed SMS authentication wherever you can.
The cellular industry’s trade group, CTIA, was notified of the group’s findings in July. In January, T-Mobile told the researchers that it had stopped asking for the last outgoing calls after reviewing the report.