By Tova Dvorin, Community Manager, Unbound Technology
SIM swap fraud has become one of the most common attacks on Internet of Things (IoT) devices over the past five years, with evidence showing anyone with a mobile phone is at risk. Princeton researchers have determined that 17 out of 140 online services and websites (12%), and five major US telecommunications firms, are vulnerable to SIM swapping attacks.
Enterprises looking to prevent SIM swapping attacks need to understand what they are, why they have become a growing threat and how to put measures in place to protect against them.
How this new threat has arisen
There are significant security concerns with the SMS-based one-time passwords (OTPs) that have grown in popularity in recent years. This is the authentication method where a service provider, such as a bank or email provider, sends a temporary code to a user’s mobile device that the user is required to submit within a specified time.
This provides a level of two-factor authentication that, in addition to a user password, is expected to deliver security. One of the primary reasons for SMS OTPs’ popularity is its user-friendliness. Users can authenticate applications or transactions without pre-installing additional applications. Beyond the challenges that occur when users are traveling and may not receive SMS messages, SMS OTPs are also vulnerable to SIM swapping, malware and SS7 (Signalling System 7) attacks.
To carry out SIM swapping attacks a criminal impersonates the victim to the mobile provider (typically using public information) and switches their phone number to a new mobile device (and SIM) belonging to the attacker. As soon as this happens, any SMS-based OTP will be sent to the attacker (since they now own the victim’s phone number), and they can then gain access to the victim’s accounts.
Preventing SIM Swap Attacks
One effective method for making SIM swap attacks much harder is for users to set up a PIN or password with their mobile carrier; most major US carriers provide this option and then require that PIN to be presented before operations like switching devices is allowed. The problem with this is that it puts the burden on the user and thus depends greatly on their security awareness.
In addition, users now have the headache of yet another password to protect. Another option is to always require a user password, rather than using SMS OTP as the sole authentication method. Although user passwords are typically weak, the combination of a user password with an SMS OTP makes SIM swapping attacks harder.
Here the problem is that SMS OTP is often used as the method for password recovery such as when a user forgets his or her password. This just creates a chicken and egg problem. In addition, given the effectiveness of SIM swapping, the security is reduced to just the password, which is not strong enough.
Protecting against SIM-based cyber attacks
For organizations looking for better ways to prevent SIM swapping attacks, it is possible to use a better authentication method that utilizes a secret on the device itself and not just the phone number. In this scenario, since the secret inside the mobile phone is needed as part of the authentication process, taking over the victim’s phone number will not help an attacker spoof an identity.
There are several solutions that use a locally stored secret, including software one-time password tokens and soft-token SDKs (Software Development Kits). However, these suffer from a different vector of attack: the secret can be stolen from the user’s mobile device by malware, and then be used by an attacker elsewhere in order to impersonate the user’s device.
A much better solution would, therefore, require a local secret (so that SIM swapping is of no use to the attacker) while providing strong protection to prevent that secret from being stolen by malware. Traditional solutions to this require dedicated hardware (like hardware one-time password tokens or smartcards) which suffer from very significant usability challenges. A better approach is available with security software that uses cryptographic authentication.
Based on a secure multi-party computation (MPC), cryptographic authentication protects cryptographic keys and secrets from being stolen by splitting them into multiple parts and sharing them between a mobile device and a server.
The cryptographic key parts are never combined in any place, at any time – preventing the opportunity for theft. In the event an attacker steals only a portion of the cryptographic key, called a key share, that key share is useless without the remaining shares. Furthermore, the key shares are frequently randomized so that an attacker has to steal both shares at essentially the same time in order to learn anything. Given the strong separation between users’ mobile devices and an organization’s server, this is very difficult. The result is a software-only solution that combines usability and high security.