
SIM swap occurs when the scammer uses phished information about you to request a SIM card replacement from your cell phone carrier, tricking them into believing that it is you who is making the request by passing their security questions on the phone, based on the biometric data they phished about you.

Once they have that duplicate of your SIM card, they can receive access codes to your banking and cryptocurrency accounts, because all of this is linked to your phone number (the SIM card).

How can anyone possibly protect themselves against this sort of attack? Rarely does anyone have a second phone number, so for whatever account you based on your sole number, they instantly have backdoor access (by fooling your service providers using phished information about you, orally over the phone and via online forms).

user610620
  • Google Authenticator codes require access to a shared secret, so a SIM swap will not compromise it – nobody Feb 11 '21 at 14:27
  • One good way is to call your cell-phone service provider and ask them to require a PIN# to change your SIM. (After you get your PIN, try to social engineer them... be sure they require you to give them the PIN... so insist that you lost the PIN and see where it goes from there.) – pcalkins Feb 11 '21 at 18:39
  • Another thing you might do is use Google Voice not tied to a cell phone for all your 2Factor SMSing. (A little less secure in some ways...) – pcalkins Feb 11 '21 at 18:45
  • @pcalkins is what you typed a thought experiment or an actual procedure that you think will work? Imagine the carrier helpdesk not being equipped for what you illustrate, and going "You have to type your pin into your phone, we don't know it". – CodeCaster Feb 12 '21 at 12:47
  • @OP maybe you meant "biographical" data rather than "biometric". I'm already scared that my Government may own my biometrics; I would never have business with a private company messing with my biometrics – usr-local-ΕΨΗΕΛΩΝ Feb 12 '21 at 16:41
  • @CodeCaster, yeah I don't think I would do that... so more of a thought experiment I guess. However, when I was doing some research on this I found that some of the crooks actually had the PIN#... and some workers at the providers sell customer info. – pcalkins Feb 12 '21 at 17:39

6 Answers


You don't use SMS for a second factor.

SMS is not secure by any means. The text is in the clear, the traffic is in the clear, and it's trivially easy to get a new SIM by pretending to be the victim. I once got my phone stolen and got myself a new SIM just by walking to the telco booth and telling them my name and the phone number.

Google Authenticator is offline. It does not depend on the SIM in any way. You can even calculate the OTP token using PHP/Python/Perl/Javascript, all offline. You would even be able to do it with a calculator that lets you run programs on it.

ThoriumBR
  • You could probably even do it with a dumb calculator if you can type fast enough – Hobbamok Feb 12 '21 at 08:54
  • It's worth pointing out that _if_ you as a user manage things correctly, SMS-based 2FA is still technically better than no 2FA at all, as it still raises the bar a little for targeted attacks, and also provides some measure of protection against bulk untargeted attacks. Yes, you should almost always prefer TOTP or U2F, but it's still better than nothing. – Austin Hemmelgarn Feb 12 '21 at 13:01
  • @AustinHemmelgarn The problem is that most sites start to allow SMS as an account recovery option once they have your number. – allo Feb 12 '21 at 14:59
  • Can you provide links to a Linux authenticator app? I often do not have my phone with me but do have a Linux computer at my desk, so having an offline Linux authenticator app might be a great solution. – Trevor Boyd Smith Feb 12 '21 at 15:31
  • @TrevorBoydSmith 1Password, KeePass, Enpass, LastPass; search for *PHP OTP example* or *Python OTP example*, there are a lot of alternatives out there. There is even google-authenticator-libpam to harden your SSH, for example... – ThoriumBR Feb 12 '21 at 16:29
  • `it's trivially easy to get a new SIM by pretending to be the victim`. That's the whole point. The supply chain is too weak – usr-local-ΕΨΗΕΛΩΝ Feb 12 '21 at 16:45
  • I was unable to convince my _bank_ that neither my phone number nor SMS nor email were acceptable two-factor methods. And I'm convinced that they didn't do it right and would accept a password reset using one of those, so it's really only one factor. – Joshua Feb 12 '21 at 16:45
  • @TrevorBoydSmith https://flathub.org/apps/details/com.belmoussaoui.Authenticator – James Westman Feb 12 '21 at 16:59
  • @Hobbamok That would be a huge amount of work to calculate SHA hashes on a dumb calculator... not sure if your dumb calculator knows xor and bitwise shifts and rotations. Mine certainly does not. – Jakuje Feb 12 '21 at 17:38
  • *You don't use SMS for a second factor* You may want to have a chat with my banks. All of them use SMS and are really proud of their security. But this is in France, the country of Middle Age Banking. – WoJ Feb 12 '21 at 17:53
  • @allo But that's not really an issue with SMS, that's an issue with those sites using 2FA wrong. Such an approach is just as bad with TOTP or U2F, because at the point at which you can use your second factor as primary authentication for account recovery, it ceases to be a second factor. – Austin Hemmelgarn Feb 12 '21 at 18:25
  • I had to explain to my bank why I did not want to use my phone number as an authentication method; they were like "WHY?". They didn't even consider that a SIM card could be a security risk. – Voltage Spike Feb 12 '21 at 18:30
  • Even more fun: "we need to send you an SMS for security purposes, please enter the # you want it sent to". **\*Headdesk\***. Runner up are the Asian banks who have a "second password" and want "random characters" from it. I have to write them down to not lose access as the _legitimate_ owner. Next, from them also, "we only require "2FA" for special transactions, not for read access. Oh, and the "2FA" is a *primary* login on its own". – obscurans Feb 12 '21 at 19:27
  • The answer says to not use SMS verification to protect against SIM swap scams. However, almost every brick-and-mortar service provider, like banks and online banking accounts, *only* has SMS verification as an option, and has not migrated to 2FA authentication. Without SMS verification, they won't even let you log in past your password. What then? – user610620 Feb 13 '21 at 07:00
  • @WoJ SMS 2FA is better than nothing. The problem is not the bank allowing/requiring SMS for 2FA, but rather that it's not allowing other 2FA methods such as OTP as valid substitutes. – MCCCS Feb 13 '21 at 13:56
  • @MCCCS: yes; of course SMS is better than nothing. It is just that there are even better solutions that will be taken into account when they are themselves obsolete. My bank requires a PIN as a password, of a set length. There is no way to tell them that I would prefer to use my generated 128-char password, kept in my password manager. It is not even that the people working there in security are dumb (they are not, I know many of them). It is just that they have to follow regulations made by, this time, really poor "professionals". – WoJ Feb 13 '21 at 14:48
  • @WoJ banking is a little different of course, because they have to implement 2FA not for the technically savvy who enable it, but for everyone. Finding a common system that any customer can use is difficult. In the U.K. some banks send out an electronic device which accepts a physical card + website-generated code, and spits out a verification number. That's better, but expensive and not amazing UX. – Tim Feb 13 '21 at 16:09
  • -1 This answer provides no value, as it does not even attempt to propose any _mitigation_ strategy against SIM swap attacks. We can't deal in absolutes, because they are incompatible with a world where grandstanding "you don't use SMS for a second factor [grabs coat, exits the room]" doesn't cut it: the choice of SMS 2FA is forced upon us. – gd1 Feb 14 '21 at 11:52
  • You cannot protect yourself, that's the point. It's outside of your power. It's like asking how to avoid your password being stored in plaintext by a service. – ThoriumBR Feb 14 '21 at 13:28
  • You cannot fully protect yourself, sure, but if they force you to use SMS 2FA you can't just throw your toys out of the pram. You have to _try_ to do something to at least _mitigate_ the huge risk that comes from SMS 2FA, and there is only one answer here that _attempts_ at coming up with such a strategy. It's not yours. – gd1 Feb 14 '21 at 16:08

One of the main vulnerabilities that leads to SIM-swapping is from social engineering attacks. If you must use SMS 2FA, one approach is to use a Google Voice number. Since Google Voice has minimal customer support, there's little opportunity to perform a social engineering attack.

It's not a good solution, and, as other answers said, skipping SMS 2FA is best. However, this may be better than nothing if you must use SMS 2FA.

Peter Mortensen
Ryan Amos

For serious 2FA authentication systems, the phone is only the second factor. That means that to impersonate its victim, the attacker should also guess the primary factor (the password).

What is really bad is that some authentication systems, including those of some banks, accept the phone holding the second factor of authentication as the primary password recovery tool. And this clearly breaks the 2FA security into pieces. In the event that this happens, I think that the responsibility of the bank should be involved: they force their client to use a broken, weak authentication system. But IANAL and have no idea if any legal action about this has ever occurred in any country...

Serge Ballesta
  • -1, doesn't answer the question which was "How to protect against SIM swap scammers?". As a side note, the fact that there is a 1st factor has no relevance to methods of protecting the *2nd* factor. If your plan is "I don't need to worry about the 2nd factor being insecure because I have a 1st factor", then you're missing the whole point of 2FA. – Jon Bentley Feb 12 '21 at 13:34
  • -1 Not an answer to the question. – gd1 Feb 14 '21 at 16:03

Buy a cheap old Nokia phone with a few different SIM cards. Only use one number for each online account. Never share these numbers with anyone. Keep the phone off in a drawer.

Why? If people do not know the number, they cannot do a SIM swap. If they can get into the database belonging to insert company name here they likely already have everything they need to drain your account.

Also, this might sound weird, but it is often easier to SIM swap when the user has verified the SIM with an ID document, because then it can be done over the phone as opposed to the scammer going into the carrier's phone shop.

questioner
  • +1 Rather than taking the floor and grandstanding by repeating ad nauseam that SMS is insecure and we have no bulletproof defense against SIM swap attacks, this answer provides a viable mitigation strategy. How refreshing. – gd1 Feb 14 '21 at 03:10
  • SIM swapping's primary weakness is that it is so easy to attack, so assume your public-facing number is already compromised and never 2FA with it. If nobody knows your number, they can't SIM swap it. – Nelson Feb 14 '21 at 14:55
  • @Nelson Furthermore, if you do not verify the number with identity documents it is much harder, as the scammer often has to visit a shop to do the SIM swap. Most scammers will not risk being seen on camera, or having a suspicious shopkeeper stop them. – questioner Feb 15 '21 at 02:17
  • Do you have to have an active account with some carrier for this "old Nokia phone" method to work? I have a number of older, working phones, whose SIMs were previously associated with my phone number. Can you link to a site that describes how to use a set-up like this to get SMS texts? – jrw32982 Feb 15 '21 at 19:50
  • @jrw32982 Unless things are different where you live - you simply go to a shop, get an unregistered SIM card for £1, and buy an old Nokia phone for £10. Put the SIM into the Nokia phone, and you now have a working number. – questioner Feb 16 '21 at 22:00
  • I'm in the US. With your old Nokia + unregistered SIM card, can you make phone calls? Can you send SMS or just receive them? By "number" I presume you mean what's called the ICCID on my current phone (your 20-digit SIM number), since your old Nokia will not have a phone number associated with it, right? I thought you had to register a SIM with a carrier to use it. Any URL that describes what you can do with this old phone + unregistered SIM? – jrw32982 Feb 17 '21 at 02:23
  • @jrw32982 Buy a new and cheap Nokia you have never used before. Go into a shop and buy a new SIM, without a contract, which in the UK we call "pay as you go". You will need to put perhaps $10 onto the SIM as credit if you wish to make calls and send SMS, which I think is not necessary to just verify an account. I am never able to explain this to Americans, yet I have read books for Americans that wish to stay anonymous on pay as you go plans. With all the respect in the world - what is so difficult? o.O It has nothing to do with your ICCID. – questioner Feb 17 '21 at 20:48
  • @jrw32982 By unregistered I meant you buy a new SIM gaining you a new cell phone number, which is not registered with an identification document like a passport. – questioner Feb 17 '21 at 20:50

First, the symptom of a SIM swap is that you lose signal on your phone. Using a primary number rather than a secondary, i.e., one your mum will usually call you on instead of a SIM card you put in the drawer, is the best way to detect it earlier and act earlier. You'll detect something's wrong and try to get in contact with your provider to discover evil. And do your best to gain ownership back.

You don't protect yourself: providers do

It's not up to you, but all about the education of your service provider not to use SMS as the only recovery factor.

If your service provider using SMS recovery holds information or assets (e.g. cryptocurrency, or information that may permanently damage your personal reputation, like very personal media) that are totally unrecoverable after an incident, then you should just change provider; you can't protect yourself. Even if you write to customer service, they may bounce you on the excuse of paranoia (the real reason is budget).

Also depending on your jurisdiction, and the environment your service is operating in, you have a few more chances to protect not from SIM swap, but from consequences.

Bank example: if your bank operates under PSD2 (e.g., Europe) and they use SMS as the only recovery factor, by the time you report the incident to your provider and/or police, you are protecting yourself from fraudulent trades until you can call the bank and shout "stop everything! somebody stole my number!". The laws (your mileage may vary according to jurisdiction) can add a layer of protection so that you could get your money back.

As a final note, many (four+) large banks that I know of are aware of the SMS weakness and use it as the first and not the only recovery factor. The second factor is... security questions!

SIM swap is matter of mobile operators, not customers

Also remember that the SIM swap is a matter of people who work at the mobile operator, so you can't really make the difference. In order for someone to obtain a SIM card fast, one should go to a physical retailer, with either counterfeit ID or they must really really really really look like you for identification.

If I call your mobile operator and say "Hello, this is J. Doe, I was born on 01/01/1990 in Dallas, could you mail a replacement SIM to Evergreen Terrace?" without any additional form of recognition, then that's your carrier's fault!

Peter Mortensen
usr-local-ΕΨΗΕΛΩΝ
  • "then that's your carrier's fault!" -- Right, I didn't expect there might be carriers that would do that, except perhaps as an accommodation against COVID-19. If one wishes to protect themselves against that, I guess they could check if their carrier is vulnerable by requesting such a SIM replacement for themselves, with the idea of switching carriers if they are. – JoL Feb 12 '21 at 17:32
  • Switching carriers to _what_? They _all_ are vulnerable to that. – Aganju Feb 12 '21 at 18:34
  • My carrier let me get a new SIM by walking by, telling them that my phone was stolen, and giving my full name and number. No ID necessary, absolutely no questions asked. They got a new SIM from the drawer, entered its ID on the computer, and in 3 minutes I had my number back, and was worried about how easy it would be for me to steal the SIM of anyone from the same operator. – ThoriumBR Feb 12 '21 at 19:07

Modern landline phones can receive SMS messages. Or, as a fallback, the provider turns it into a text-to-speech phone call, at least here in Germany. It has worked so far with every service I tried.

hft
Bob
  • This works really well because most carriers require you to call from the number that you want to transfer, and the only way that someone could do that is by breaking into your house, which makes it massively more difficult – B-K Feb 13 '21 at 12:10
  • @BobKerman "only […] by breaking into your house" … this is less true for SIP (VoIP telephony), where I only need credentials and internet access to make outgoing calls, and caller ID can be forged, too. – Ulrich Schwarz Feb 14 '21 at 14:19
  • This may work during a lockdown, but in general most people have to receive SMS OTPs (for those services which, unfortunately, don't offer anything better - usually banks) outside of their dwellings as well. – gd1 Feb 15 '21 at 22:47
  • I used my work phone number, which nowadays gets redirected to my home office. – Bob Feb 15 '21 at 23:29
  • I'd say this solution presents serious logistical challenges, given that you _barely_ managed to make it work in two physical locations at once, and only by relying on your employer's infrastructure. Let's hope their IT department don't screw with your call redirection setup the next time they update their SIP server over the weekend. – gd1 Feb 16 '21 at 08:56
  • The "phone at home" is software on my work computer. All accounts were work related, so if they don't work it would not be my problem. For personal accounts I would use my personal landline; I usually don't use online banking while at work. ;p – Bob Feb 17 '21 at 23:44
  • And to answer the next complaint: nobody can guess the SIP credentials because the company uses real landlines and a SIP server that is only accessible through a VPN tunnel. – Bob Feb 17 '21 at 23:50
  • I am not discussing security here, but basic notions of usability and reliability that I hope are self-evident. Most people would be dearly uncomfortable knowing that their ability to access their banking while at home depends on software running anywhere in their workplace IT infrastructure, let alone a flimsy desktop computer that can be killed by a janitor pulling a plug. Furthermore, most people need to access their personal online banking outside of their homes and offices. That's non-negotiable. Tying online banking to any landline _may_ work for some time only _during a pandemic_. – gd1 Feb 18 '21 at 10:23