It has been said that our smartphones are a mirror image of our lives. The average person’s smartphone probably contains email and text communications, personal photos and videos, and all sorts of other personal data. Given the degree to which our smartphones are a reflection of our personal lives, it is no wonder that so many services have adopted the practice of using smartphones as an identity provider for use in multifactor authentication. After all, most people probably never let their phones out of their site, so possession of a registered smartphone, coupled with another authentication mechanism such as a password, can be a reliable means of proving one’s identity. But if someone were to steal a smartphone, and that smartphone was not secured with a password or a biometric lock, then the thief could conceivably use the phone as a means of authenticating into the victim’s various accounts. However, a similar type of attack may be possible without the phone ever being lost or stolen thanks to a method called SIM swapping. More on that later, but let’s first look closer at multifactor authentication — its strengths and weaknesses.
Multifactor authentication: Not foolproof
The use of smartphones for multifactor authentication is not without its problems. I can’t help but think of a situation that happened a few years ago. I took a somewhat rare day off and decided to spend the day on my boat with my wife and my brother. As the afternoon temperatures began to climb, I decided to go for a swim. The problem was that I forgot that my phone was in my pocket. Needless to say, the water destroyed my phone. I was able to get a new phone in relatively short order, but I felt completely handicapped for a couple of days.
Thankfully, during the time that I was without a phone, I wasn’t required to use my phone as a means of authenticating into an online resource from my PC. Otherwise, my phone’s destruction would have prevented me from gaining access to that resource.
It doesn’t necessarily take anything quite as extreme as a waterlogged smartphone to cause someone to lose the ability to use their phone as an identity provider. I recently spent a few weeks training in a foreign country. During that time, my smartphone was almost completely unusable. I could send and receive email messages if I connected my phone to the hotel’s WiFi, but I was unable to send or receive text messages. Most multifactor authentication mechanisms that use smartphones as an identity provider are designed to send a code to your smartphone via text message. The recipient is then required to enter that code into a web interface to gain access to the resource.
My point is that while the case can certainly be made for using a smartphone as an identity provider for use in multifactor authentication, the concept is not perfect. There are any number of circumstances that can undermine a user’s ability to use their phone for authentication purposes.
Fortunately, the loss or destruction of a phone tends to be an isolated event. Likewise, working in a foreign country without cell service is also something that can be planned for. However, there is a bigger issue that has the potential to completely undermine the use of smartphones as identity providers — a security breach.
What about SIM cards?
Most but not all mobile providers use Subscriber Identity Module or SIM cards as a way of uniquely identifying their customers on the mobile network. Typically, a phone requires a SIM card to make or receive calls or to send and receive SMS text messages. Many providers also use SIM cards as a way of making it easy to upgrade to a new phone. The subscriber simply removes the SIM card from their old phone and inserts it into their new phone to transfer their phone number, and possibly even their contacts.
So, with that in mind, think back for a moment to my story about going for a swim while my smartphone was in my pocket. Being that the water destroyed my phone, it presumably also destroyed my phone’s SIM card (I didn’t test it to find out, I just assumed that it was ruined). This wasn’t a problem though, because my cell provider was able to get me a new SIM card when I purchased the replacement phone. Herein lies the problem.
The various mobile carriers have accepted the idea that they will occasionally have to replace a customer’s SIM card. A SIM card might be destroyed as mine presumably was, or it might be lost, stolen, or simply stop working. Whatever the reason, the mobile carriers have a procedure in place for issuing new SIM cards to customers.
The reason why this can be a problem is because cybercriminals also know that the mobile providers are willing to provide their customers with new SIM cards. Therefore, if a cybercriminal wants to hijack someone’s cell phone, then they don’t actually have to steal the phone. All they have to do is to call the mobile carrier’s tech support number, impersonate the victim, and request a new SIM card. Once the criminal receives the new SIM card, they simply insert it into a phone, which then takes on the identity of the victim’s phone.
From the victim’s standpoint, losing control of their phone number is bad enough, but there is actually a worse problem. As previously noted, numerous online services use smartphones as an identity provider for authentication. This means that the criminal can use the phone to gain access to the victim’s online accounts.
While it is true that simply having possession of someone’s phone number might not be enough to gain direct access to that person’s accounts, it isn’t very hard to gain access through a roundabout method. The criminal simply uses whatever resources are at their disposal to figure out the victim’s username for the various online services that they use. Once the criminal knows the username, they can connect to the various services and request a password reset. The password reset process typically uses a text message verification process like the one that I described earlier. Since the criminal can receive the victim’s text messages, they can easily complete the password reset process.
Upon doing so, the criminal logs into the victim’s online account using the newly reset password. At that point, they either remove or change the phone number that is associated with the account, thereby permanently locking the victim out of their account.
SIM swapping remains a huge problem
Most of the major mobile providers have begun taking additional steps aimed at positively validating a subscriber’s identity if the subscriber calls and requests a new SIM card or some other account change. Even so, SIM swapping remains a huge problem that seems to have become far more common in recent months.
The best thing that you can do to avoid being a SIM swapping victim is to ensure that the PINs and passwords associated with your mobile account are completely unique and are not used for any of your other accounts. It’s also important to make sure that those PINs and passwords are not stored anywhere on your phone (including in your email). Some people have also begun associating their online accounts with other types of phone numbers, such as VoIP numbers or landline numbers. These types of phone numbers cannot be stolen through SIM swapping, which may make them a bit more secure.
Featured image: Pexels