Newsletter 8/28/2023

The Big Boys & Girls and Us Little Guys Are All In the Crosshairs
SIM Swapping: A High-Tech Crime by Low-Tech Means

Bread gained by deceit is sweet to a man,
              but afterward his mouth will be full of gravel.
— Proverbs 20:17

The latest corporate entity to suffer fallout from a SIM swap attack is the international security consulting firm Kroll.  Kroll's press release on the matter explained what had happened:

We were recently informed that on Saturday, August 19, 2023, a cyber threat actor targeted a T-Mobile US, Inc. account belonging to a Kroll employee in a highly sophisticated “SIM swapping” attack. Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor's phone at their request.

This is not the first time T-Mobile has been victimized through SIM swapping.  On January 22, 2023, a class action lawsuit was filed in the United States District Court for the Central District of California against T-Mobile over a mass data breach that exposed its customers to SIM swap attacks.  As EIN Presswire reported on January 24, 2023, "hackers first accessed T-Mobile's systems on November 25, 2022," thereby "exposing millions of its customers to SIM swap attacks."

In the Kroll incident, the attacker had acquired enough personal information about the employee to convince T-Mobile to hand the victim's cellphone number over to the crook.  From there, the attacker "gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis."  Indeed, as Help Net Security reported on August 28, 2023, claimants in the bankruptcies of the cryptocurrency firms named above then received phishing emails designed to lure them into fraudulent withdrawals.  FTX posted a copy of one of these emails on its X (formerly Twitter) account on August 24, 2023, and BlockFi posted a warning about the breach on its X account the same day.

SIM swapping also lay behind a 2022 campaign against Microsoft Azure administrator accounts.  There, the attackers combined SIM swapping with SMS and email phishing to take over Azure administrator accounts belonging to the victim organizations, then abused the Azure Serial Console to reach the victims' virtual machines.  Security vendor Mandiant published a very complete analysis of this campaign on May 16, 2023.  The report shows that accounts on a platform run by a technology leviathan like Microsoft can fall to a SIM swap like any other.

A common tactic employed by this attacker involves SMS phishing privileged users, SIM swapping, and then impersonating the users to trick help desk agents into sending a multi-factor reset code via SMS.

Mandiant notes, however, that it was unable to determine how the attackers carried out the SIM swaps themselves.

In 2022, Verizon Prepaid fell victim to a SIM swap attack.  In a letter to its prepaid customers, Verizon explained what had happened.

Between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account.  Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice.  If a SIM card change occurred, Verizon has reversed it.

Verizon's advice to its prepaid customers was not the usual pabulum about how they take customers' security seriously and here's some free credit monitoring.  Verizon advised customers to: "Set a new Verizon PIN code. Do not reuse a previous PIN, and be sure to pick a unique PIN that is not used to secure other non-Verizon accounts."  Furthermore, clearly illustrating one factor that recurs in SIM swapping attacks, Verizon advised its prepaid customers to "Set a new password and new secret question and answer for users with access to your My Verizon online account."  The secret question is the point.

The hacking group that has been most successful at SIM swap attacks is the one known as "Lapsus$."  Brian Krebs obtained copies of private chat messages between members of Lapsus$.  Krebs's thorough reporting of April 22, 2022, detailed how "LAPSUS$ members continuously targeted T-Mobile employees, whose access to internal company tools could give them everything they needed to conduct hassle-free “SIM swaps” — reassigning a target’s mobile phone number to a device they controlled."  Whether the recent convictions of teenage Lapsus$ members in the U.K. will put the group out of business, or merely force the remaining members underground for a while, remains to be seen.

Clearly, if one's so-called "secret question" is no longer a secret, the account the secret question is meant to protect is vulnerable.  Through email phishing and other reconnaissance techniques, Lapsus$ members collected a great deal of information from and about their targets.  Moreover, what Lapsus$ members apparently excelled at was the social engineering needed to convince employees of various entities that they were, in fact, the individuals whose identities had been stolen.

CISA, together with the Cyber Safety Review Board (CSRB), created in 2022, released an in-depth report on Lapsus$ dated July 24, 2023.  Below are a few key points from the two-page Executive Summary:

Lapsus$ employed low-cost techniques, well-known and available to other threat actors, revealing weak points in our cyber infrastructure that could be vulnerable to future attacks. 

Threat actors can easily gain initial access to targeted organizations through Subscriber Identity Module (SIM) swapping attacks, which are exacerbated by a lucrative SIM swap criminal market. Current security protocols in the U.S. are not sufficient to prevent fraudulent SIM swapping.

[Graphic from the CSRB report: the sequence of events in a SIM swap attack]

The complete 59-page document, entitled "Review of the Attacks Associated with Lapsus$ and Related Threat Groups," uses the graphic above to illustrate the sequence of events that make up a SIM swap attack.  The final step in that sequence lies at the heart of the matter.  Most entities we hold accounts with verify our identity by sending a code to our cellphone.  Once an attacker can have the number reassigned, every text and call meant for that phone lands on the attacker's handset, and every account that trusts that number for verification is open to compromise and theft.

Certainly, as the CSRB Executive Summary states, "Telecommunication providers should build resiliency against social engineering in SIM swapping to protect the consumer, including treating SIM swaps as highly privileged actions, letting consumers lock their accounts, and requiring strong identity verification by default."  The CSRB report suggests that the FTC and the FCC should require "regular reporting of illicit SIM swaps, documenting and enforcing best practices, and incentivizing better security by penalizing illicit SIM swaps or lax controls."  In other words, Uncle Sam should levy some serious monetary sanctions when Telcos fail to prevent a Sim Swap.

New technology exists to move beyond our current password and 2FA paradigm for online identity management.  The Executive Summary makes clear recommendations regarding the migration away from our current technology.

Everyone must progress towards a passwordless world. Technology providers should design and deliver secure identity and access management solutions by default, including immediately beginning to transition away from voice- and SMS-based two-step MFA. Web and mobile application developers should leverage Fast IDentity Online (FIDO)2-compliant, hardware-backed solutions built into consumer devices by default.
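To make the contrast concrete, here is an added illustration in Go; it is not code from this newsletter, from Kroll, Mandiant or the CSRB. It models both verification flows with constructed names, numbers and domains. In the SMS flow the only check is echoing back the code that was texted to the number on file, so whoever the carrier now routes that number to passes. In the FIDO2-style flow the device signs a server challenge together with the relying party's identifier using a key that never leaves the device, so holding the phone number buys nothing, and a signature phished from the real device on a lookalike domain fails too. The FIDO2 side is reduced to its essentials (SHA-256 over challenge||rpID, signed with P-256 ECDSA); real WebAuthn signs a structured clientDataJSON plus authenticator data, but the property shown is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// check keeps the demo short; production code returns the error to its caller.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sendOTP texts a random code to the number on file. The web service knows only
// the number; route (number -> handset, the one entry a SIM swap changes) decides
// which handset's inbox receives the text. All numbers and names are constructed.
func sendOTP(route map[string]string, number string, inbox map[string]string) string {
	buf := make([]byte, 3)
	_, err := rand.Read(buf)
	check(err)
	code := fmt.Sprintf("%x", buf) // six hex digits
	inbox[route[number]] = code
	return code
}

// verifyOTP is the entire check behind SMS "2FA": echo back the code that was
// texted. Nothing here can tell the rightful handset from a swapped one.
func verifyOTP(expected, submitted string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

// clientDataHash is what a FIDO2 authenticator signs, simplified here to
// SHA-256(challenge || rpID): the relying party's identity sits inside the signed bytes.
func clientDataHash(challenge []byte, rpID string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, challenge...), rpID...))
	return sum[:]
}

// newDeviceKey stands in for the hardware-backed key on the user's device;
// it is generated there and never leaves it.
func newDeviceKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// sign is the device answering a challenge for whichever rpID the browser reports.
func sign(key *ecdsa.PrivateKey, challenge []byte, rpIDSeen string) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, key, clientDataHash(challenge, rpIDSeen))
	check(err)
	return sig
}

// verifyAssertion is the relying party's side. It knows the user's registered
// public key and its own rpID, never one the client claims; no phone number is involved.
func verifyAssertion(rpID string, registered *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(registered, clientDataHash(challenge, rpID), sig)
}

type demoResult struct{ VictimSMS, AttackerSMSAfterSwap, VictimFIDO, AttackerFIDO, PhishedFIDO bool }

// runDemo walks both flows once and reports who got in.
func runDemo() demoResult {
	var r demoResult
	// SMS flow: alice's number rings alice-phone until the carrier reroutes it.
	route := map[string]string{"+15555550100": "alice-phone"}
	inbox := map[string]string{}
	code := sendOTP(route, "+15555550100", inbox)
	r.VictimSMS = verifyOTP(code, inbox["alice-phone"])
	route["+15555550100"] = "attacker-phone" // the SIM swap itself
	code = sendOTP(route, "+15555550100", inbox)
	r.AttackerSMSAfterSwap = verifyOTP(code, inbox["attacker-phone"])

	// FIDO2-style flow: the same attacker, now holding alice's number, gets nowhere.
	const rpID = "bank.example"
	alice := newDeviceKey()
	registered := &alice.PublicKey // what bank.example stored at enrollment
	ch := make([]byte, 32)         // server-side random challenge
	_, err := rand.Read(ch)
	check(err)
	r.VictimFIDO = verifyAssertion(rpID, registered, ch, sign(alice, ch, rpID))
	mallory := newDeviceKey() // the attacker's own device; alice's key is not for sale
	r.AttackerFIDO = verifyAssertion(rpID, registered, ch, sign(mallory, ch, rpID))
	// Phished: alice's real device signs, but for the lookalike domain her browser visited.
	r.PhishedFIDO = verifyAssertion(rpID, registered, ch, sign(alice, ch, "bank-example.com"))
	return r
}

func main() {
	fmt.Printf("%+v\n", runDemo())
}
```

Run it with go run and the printed struct shows the SMS check passing for the swapped handset exactly as it did for the victim, while the swapper's own key and the phished signature both fail at bank.example: the rpID the device signed for is part of the signed bytes, and the private key never traveled with the phone number. A fresh challenge per login also means a captured assertion cannot be replayed.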

Of course, this is an area we consumers have no control over.  Retooling decades of manufacturing standards takes years and much expense.  Moreover, it takes even more time to convince consumers that the new hoops they must jump through to do what they want to do are worthwhile.  So, as I always say, take your own security into your own hands.

Part way through writing the draft of this article, I realized that this was a real and present danger to everyone, more so than most of the security topics I write about.  So I called my telco, T-Mobile, and told the CS rep I wanted to create a PIN for my account, which I had never done.  The T-Mobile CS person was a little skeptical.  I told the CS rep that I write a web blog and was writing a piece on the latest SIM swapping attack against T-Mobile, and that I realized I had better secure my own T-Mobile account.  Physician, heal thyself, indeed!  The CS rep sent the 2FA code to my phone, and I set my PIN.

I suggest everyone reset their credentials with their cellular provider.  If you have not yet been swapped and you are in possession of your phone, then changing your credentials will go a long way toward thwarting any future compromise of your number.

There is another action you can take with your telco: ask them to place a SIM card change block on your line (carriers market this under names such as number lock or port-out protection).  As above, if you have not yet been swapped and you are in possession of your phone, this should stop future SIM swap attempts cold, because any request to swap the SIM is then fraudulent on its face.  It is not absolute; as the Lapsus$ chats showed, a swap pushed through by a telco employee with the right internal tool access gets around whatever the customer has set.  But it removes the easy path.  The only reasons you would want to remove the block are:

1.  You get a new phone, or
2.  You get a new telephone number.

Blocking your SIM card from any change also protects the accounts that send their 2FA codes to your cellphone.  With a block in place, you and only you will receive the calls and texts to your number, as long as you are in possession of that phone (and are not so careless as to lend it to anyone else).

You can thank me later.

And thou shalt be secure, because there is hope;
yea, thou shalt dig about thee,
and thou shalt take thy rest in safety.
— Job, 11:18

¯\_(ツ)_/¯
Gerald Reiff
