One of the key pieces of our digital identities, whether we like it or not, is our mobile phone number. You likely use it one way or another for two-factor authentication logins (you shouldn't). The thing is, as has been demonstrated quite a few times, phone numbers can be hijacked in a few easy steps by malicious actors ringing up carriers' customer service representatives — many of whom are all too willing to help callers out of what is supposedly a stressful situation. So, just how easy is it to steal someone's phone number on a prepaid network? Researchers at Princeton University say extremely easy, in a recently published whitepaper draft.
Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan with the school's Center for Information Technology conducted a series of simulated attacks last year using prepaid accounts on AT&T, T-Mobile, Verizon, Tracfone, and US Mobile. As prepaid networks don't require credit checks for customers to sign up, the researchers could easily scale up their experiment.
The threat model assumed that the attacker knows only the victim's name and phone number, and hijacks the number by purchasing a SIM card and asking the carrier to swap the victim's account onto that SIM. To do so, the attacker must authenticate by correctly answering the carrier's security challenges. For the purposes of the attack, the researchers deemed a few challenges to be secure: an account PIN or password, or a one-time code sent via email or SMS — if you can siphon SMS traffic from someone, why would you steal their number in the first place?
The methods in green signify secure authentication challenges in a theoretical SIM swap attack. Methods in red can be bypassed using available data. Methods in yellow can be bypassed through attacker manipulation.
Each carrier used a variety of challenges to authenticate the caller. Many of them, such as street or email address, date of birth, last four digits of a credit card, IMEI, or ICCID, were considered easy to overcome if one knows which public records file or data aggregator to look in. Other challenges can be passed with nothing more than the victim's number: for the date of last payment, the attacker could simply top up the account, which requires no security challenge at all; for the last outgoing call, the attacker could dial the victim's number and prompt a callback, either by posing as a familiar entity or through confusion.
Out of ten attempts on each carrier, the researchers successfully hijacked numbers every single time on AT&T, T-Mobile, and Verizon. Worryingly, even though they were less successful with Tracfone (six times) and US Mobile (three times), in each of those instances the service representative helped the attacker recall answers to security questions such as "what's the name of your first pet?" and, even when the attacker couldn't answer any of them correctly, authenticated the SIM swap. Furthermore, representatives gave out other pieces of account information without authenticating the attacker.
Carriers are advised to rely more on one-time passwords, including as a way to initiate a service call. The paper also recommends that companies follow up with customers on failed authentication attempts, and discourages any service that uses multi-factor authentication from accepting phone number-based methods such as SMS. Oh, and you should probably check the security settings across all your online accounts and drop SMS authentication where you can.
The cellular industry's trade group, CTIA, was notified of the group's findings in July. In January, T-Mobile told the researchers that it had stopped asking for last outgoing calls after reviewing the report.