It may not come as news to readers of Commsrisk, but the United States’ Federal Bureau of Investigation (FBI) has issued a stark warning to businesses about the threat posed by SIM swapping.
In 2016 customers of a US banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned — an attack called SIM swapping. The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.
Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and the FBI’s own victim complaints showed the above attack — SIM swapping — to be a common tactic of cyber criminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering the customer service representatives of major phone companies, who hand information to the attackers.
The risk of SIM swapping was highlighted as part of a more general warning that criminals have developed methods to circumvent multi-factor authentication (MFA). However, the FBI also observes that MFA still “continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks”.
It may seem obvious, but it is worth reiterating that using multiple methods is stronger than relying on a single method of authentication. Microsoft’s Director of Identity Security, Alex Weinert, wrote earlier this year that fewer than 0.1 percent of accounts that use any type of MFA are compromised. However, he also stated that “less than 10% of users use MFA per month in our enterprise accounts”.
Thoughtful followers of Commsrisk may have noticed some contradictions in the way law enforcement talks about SIM swaps. On the one hand, we have had prosecutors complaining that telcos make it too easy to replace SIMs. On the other hand, we have the FBI emphasizing that whilst MFA can be defeated, it is still a strong security measure. This raises the question of why telcos are being openly told to place a greater burden on genuine customers that need to change their SIM or port their account, whilst banks and other businesses are not being publicly pressured to do more to protect their customers from fraud. The FBI refers to multi-factor authentication because nothing stops a business from implementing a third or fourth factor, instead of just relying on the weakest pairing of (1) a password for the first factor followed by (2) a code sent by SMS for the second factor.
The FBI suggests a couple of ways to mitigate the risks, beginning with the need to educate people about social engineering. This is always good advice, though criminals will always find ways to fool some people. The FBI also suggested the adoption of more sophisticated methods for authentication.
Consider using additional or more complex forms of multi-factor authentication for users and administrators such as biometrics or behavioral authentication methods, though this may add inconvenience to these users.
This is a positive sign. Instead of blaming telcos for SIM swaps, banks should be investing in superior ways to verify the identity of their customers before allowing them to move money. There will always be times when the person who answers a telephone is not the same as the person who owns the account for that telephone, so it is weak to assume a person’s identity can be safely deduced from a telephone number.
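To make the point about factor pairings concrete, here is an added example (not from the FBI notification or from any bank’s code) of a step-up authorisation rule that treats every piece of evidence tied to the phone number, whether a matching caller ID or an SMS code, as a single channel. In the 2016 case described above, the bank accepted caller ID plus an SMS code as two factors; under this rule they count as one, and money movement needs two channels the phone number cannot supply. The factor names, channel groupings and operation list are assumptions chosen for the illustration.

```python
from enum import Enum


class Channel(Enum):
    """What a piece of authentication evidence really proves control of."""
    KNOWLEDGE = "knowledge"          # password, security questions
    PHONE_NUMBER = "phone_number"    # anything a SIM swap hands to the attacker
    DEVICE = "device"                # authenticator app, hardware token
    INHERENCE = "inherence"          # biometrics, behavioural profile


# Hypothetical factor names mapped to the channel they depend on.
FACTOR_CHANNEL = {
    "password": Channel.KNOWLEDGE,
    "security_questions": Channel.KNOWLEDGE,
    "caller_id_match": Channel.PHONE_NUMBER,
    "sms_otp": Channel.PHONE_NUMBER,
    "voice_call_otp": Channel.PHONE_NUMBER,
    "authenticator_app": Channel.DEVICE,
    "hardware_token": Channel.DEVICE,
    "biometric": Channel.INHERENCE,
}

# Operations the article lists as abused after a SIM swap (assumed names).
HIGH_RISK_OPERATIONS = {"wire_transfer", "change_pin", "change_password", "attach_card_to_wallet"}


def distinct_channels(factors):
    """Collapse presented factors into the set of independent channels they prove."""
    unknown = [f for f in factors if f not in FACTOR_CHANNEL]
    if unknown:
        # Never silently count evidence we cannot classify.
        raise ValueError(f"unclassified factors: {unknown}")
    return {FACTOR_CHANNEL[f] for f in factors}


def authorize(factors, operation, min_channels=2):
    """Return (allowed, reason).

    Any operation needs evidence from `min_channels` distinct channels.
    High-risk operations must reach that count without the phone-number
    channel at all, so a SIM swap alone can never unlock them.
    """
    channels = distinct_channels(factors)
    if operation in HIGH_RISK_OPERATIONS:
        channels = channels - {Channel.PHONE_NUMBER}
    missing = min_channels - len(channels)
    if missing > 0:
        return False, f"{operation}: need {missing} more independent factor(s)"
    return True, f"{operation}: ok"
```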
It is unfair to expect telcos to be the only business that imposes stringent identity checks. Criminals know that the risks are associated with the rewards, and businesses should think the same way. There is no good justification for why a customer on a cheap SIM-only tariff should be burdened with a lot of identity checks after losing their phone, just so a cryptocurrency millionaire can enjoy the convenience of saving his account passwords on Google Drive. The FBI’s warning signals that businesses should do more to verify their own customers, instead of passing the buck to others.
The Cyber Division of the FBI issued their Private Industry Notification (PIN) about MFA on 17th September. The notification says it “should not be shared via publicly accessible channels” but has since been repeated widely by mainstream journalists. A copy of the PIN can be found here.