Please help me understand this SIM card fraud story

Story out of Toronto. Couple had their cell phone hijacked by fraudsters getting a new SIM card, and then their bank accounts and crypto accounts emptied.

Questions:

1 How can someone hijack a phone by buying a new SIM card for it?

2 Once the phone is hijacked, how does that grant access to bank / crypto accounts, which need passwords?

3 Is this something I should worry about? what steps, if any, can I take to protect myself?

Thanks!

Easy: pretend to be the person, buy a new SIM and transfer the telephone number over to it, and reset the password of all the banking apps and so on which they will happily authenticate by sending an SMS to that number.

I suppose: don’t allow simple SMS or calls for two-factor authentication.

The SIM card just says “this is who I am” when connecting to the network. If you have a web browser with passwords saved and no MFA, the thief can log into any affected accounts.

This is a directed attack, so I call up Rogers/Bell/Telus and I tell them I have lost my phone and need to switch SIM cards. I give them the typical verification answers which consist of name, address, cell number, maybe date of birth.

The agent replaces the SIM card in the system with the new SIM card.

The criminal then logs into the victim’s email, using the phone number to reset the password. They then log into the victim’s bank, using either the phone or email to receive the 2FA code. That’s it.

The solution to this is two parts

  1. getting rid of SMS 2FA which is horribly insecure
  2. adding security to SIM cards like a PIN or password

These attackers typically don’t go after the physical device

This I don’t get. I have the banking app on my phone, and I have to enter a password to even trigger 2FA. How does getting access to my phone defeat the password on my banking app?

If you use the “forgot password” option and control the user’s email and phone, you can change the password. Sometimes you don’t need email access, sometimes you can get access to the email using the simjacking. If resetting their email password requires knowing a different recovery email, that can stymie this attack.

This is the correct answer. I deal with 4 banks; only one requires a proper 2FA app, the others use SMS or email, including BMO, CIBC, RBC, and TD.

Thanks for the comments, everyone.

I just checked: the “forgot password” option on my bank app requires that the individual input my client card number from the bank, which is not available from the bank app. My client card is in my wallet (hard, not virtual). The app does have part of the number, with the rest blanked out. I would think that the app would freeze up if there were too many guesses?

Can you explain the difference? What is proper 2FA?

Something like Authy or Microsoft Authenticator, an app that you’re logged into on your phone that a simjacker won’t have on theirs.

Your bank is using a two factor authentication method which is secure, you physically have to have control over the token. SMS is insecure because with SIM swapping - which is trivial - you can easily gain control.

Proper 2FA uses an app to generate a time-stamped code.
The app is locked to your phone (the codes it generates are different from all other codes that the app would generate on a different phone).
If someone SIM-swaps you, they will not be able to authenticate with their phone, since the codes their app (if they even had it) will generate will not work.

Just using a “text me” 2FA fails because texts follow the SIM, regardless of the phone being used.

“the token” meaning my bank card with the client number?

Apologies if I’m asking really simple questions here, but I really have very little knowledge of computer stuff.

The token is a cryptographic identifier so that the code your phone or the old RSA tags that had the LCD screens generate the 6 digit code that the server knows was only generated by you. It’s also known as a Timed One-Time-use Password (TOTP).

That’s a pretty jargon-filled answer for someone who has “very little knowledge of computer stuff”. In simpler terms, it’s a key that’s embedded in the authenticator app. The app is on your phone or sometimes in a separate standalone device, so either way it’s in your physical possession.
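To make concrete what the two posts above describe (an app that generates a time-stamped code locked to one phone, and the “key embedded in the authenticator app” that the server knows is yours), here is an added example of TOTP as defined in RFC 6238. This is my own illustration, not code from the thread or from any bank or authenticator vendor. It assumes the defaults most sites and apps use (HMAC-SHA1, 6 digits, 30-second step); the keys, the bank name, the account name and the timestamps are constructed for the demo. The `Enrolment` class and `sim_swap_demo` are hypothetical names I chose; the verifier also shows why a SIM-swapper with a fresh app gets nowhere, why a code cannot be reused, and the “freeze after too many guesses” behaviour asked about earlier in the thread.

```python
"""TOTP (RFC 6238) as an authenticator app and a server would use it.
Added example, not code from the thread. Assumes the common defaults:
HMAC-SHA1, 6 digits, 30-second step. Keys and timestamps are constructed."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

DIGITS = 6
STEP = 30  # seconds per code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238: HOTP with the counter = current 30-second window.
    This is what the app on the phone computes; no network, no SMS involved."""
    return hotp(secret, at // STEP)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth:// URI carried by the enrolment QR code (base32 key, unpadded).
    Scanning it is the one moment the key is copied into the phone."""
    key = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={key}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP}")


class Enrolment:
    """Server-side record: the one copy of the key that matches the user's app.
    (Hypothetical class name for this example.)"""

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or os.urandom(20)   # 160-bit key, RFC 4226 minimum
        self.last_window = -1                    # highest window already consumed
        self.failures = 0

    def verify(self, code: str, at: int, window: int = 1, max_failures: int = 5) -> bool:
        """Accept a code for the current window +/- `window` steps (clock drift),
        never accept a window twice (replay), lock after `max_failures` misses."""
        if self.failures >= max_failures:
            return False
        now = at // STEP
        for w in range(now - window, now + window + 1):
            if w <= self.last_window:
                continue
            if hmac.compare_digest(hotp(self.secret, w), code):
                self.last_window = w
                self.failures = 0
                return True
        self.failures += 1
        return False


# Constructed demo keys: the victim's, shared with their app at enrolment,
# and the key a fresh app on the attacker's phone would hold instead.
VICTIM_KEY = b"12345678901234567890"    # also the RFC 6238 test-vector key
ATTACKER_KEY = b"09876543210987654321"


def sim_swap_demo(at: int = 1_111_111_109) -> dict:
    """Attacker holds the victim's phone number (SIM swap) but not the key."""
    bank = Enrolment(VICTIM_KEY)
    victim_code = totp(VICTIM_KEY, at)
    attacker_code = totp(ATTACKER_KEY, at)
    out = {
        "victim_code": victim_code,
        "attacker_accepted": bank.verify(attacker_code, at),   # wrong key: rejected
        "victim_accepted": bank.verify(victim_code, at),       # right key: accepted
        "replay_accepted": bank.verify(victim_code, at + 5),   # same code again: rejected
    }
    # Guessing: after max_failures wrong codes, even a fresh correct one is refused.
    locked = Enrolment(VICTIM_KEY)
    for _ in range(5):
        locked.verify("000000", at)
    out["locked_out_after_guesses"] = not locked.verify(totp(VICTIM_KEY, at), at)
    return out


if __name__ == "__main__":
    print(provisioning_uri(VICTIM_KEY, "ExampleBank", "alice"))
    for name, result in sim_swap_demo().items():
        print(f"{name}: {result}")
```

The point to notice is that nothing in `verify` involves the phone number: the server only checks whether the code was computed with the key it handed out at enrolment. A SIM swap moves the number, and therefore SMS codes, to the attacker; it does not move the key, so the attacker’s app computes codes for the wrong key and every one is rejected. The `last_window` bookkeeping is what stops a code that was phished or shoulder-surfed from being replayed, and the failure counter is the “freeze after too many guesses” behaviour.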

The most important thing about 2FA is that it has to actually have two factors, which these systems apparently didn’t. Having a specific physical object (such as a phone) is one factor. Knowing a password is another factor. But if you can reset the password just by having the phone, then the password isn’t actually a separate factor from the phone.

They say that really good security is based on three factors, one that’s something you have (like a phone, or a badge, or a key), one that’s something you know (like a password or PIN code), and one that’s something you are (some sort of biometric, like face recognition or a thumbprint). Though from what I’ve heard, most biometrics used for things like phones aren’t all that reliable.

And then, when I’m logging on to my bank account on my desktop, it sends me a message that I have to click on my phone.

But that’s not a text. I have to have my banking app open on my phone, the message pops up on the app on my phone, I tap it, and then the banking app opens on my desktop.

Is that what you guys mean as a genuine 2FA?

Presumably, the app got authenticated when you first registered it, so that’s about as secure as one can expect.

If ANY copy of that app would pass authentication, that would be really bad security.