IT professionals have been pushing for multifactor authentication for decades, and the advice is finally starting to catch on. More and more services are offering multifactor authentication, and one of the favorite techniques is to use the mobile phone as the second factor. The details can vary from system to system, but the basics are straightforward. When you try to use a service protected with multifactor authentication, first you put in your password. Then, an SMS message is sent to your mobile phone with a code that you have to enter to authenticate that it’s really you.

This counts as two factors: the password is one, and you having your smartphone to receive the verification code is the other. No matter how you look at it, this is far more secure than simply using a password. But using mobile phones for multifactor authentication can be a double-edged sword, and fraudsters have figured out that if they can take control of your mobile phone, they can get a big leg up in impersonating you and stealing your login credentials. Hence, the SIM port attack.

SIM port importance

Your carrier has the ability to move — “port” in telephony parlance — your mobile phone number from one physical SIM to another instantaneously. Carriers depend on your personal details to authenticate you: your last bill, your tax ID number, your address and so on.

If a fraudster can get (or buy) that information somewhere, they may be able to convince your mobile phone carrier to port your number to a new SIM. This means that all of those verification codes don’t go to your mobile phone, but to the one sitting on the desk next to the cybercriminal.


Sometimes the fraudster already has your password, and all they need are the SMS messages to take over. Other times, they can use password reset — often authenticated using SMS messages as the only factor — to take over your email account, and then start moving laterally, getting control of accounts until they hit the jackpot they’re looking for. The attacks are sophisticated, customized and not particularly simple. But if you’re a prominent businessperson, someone with a major social media presence or who has a lot of money or cryptocurrency, you’re a confirmed target.

Your SIM was attacked. Now what?

When your mobile service is ported to a new SIM, your old phone goes dead — no cellular service. That’s the first sign that something is up, and your signal to make an emergency call to your mobile phone carrier. Other signs will pop up in your email — if your password still works, which it might not — such as password recovery attempts for other accounts you have.

For IT managers running Corporate Owned, Personally Enabled (COPE) or Choose Your Own Device (CYOD) programs, there are three clear action items to take before an attack occurs.

  • Make sure end users know the warning signs of a SIM port attack. For many users, it’s an unlikely problem, but education aimed at the most likely targets — the best paid, highest profile and those with access to the most sensitive data — is worth the effort. If your company (or staff) has anything to do with cryptocurrencies, which can be stolen without any recourse, those users also need some quick education.
  • Work with your mobile service provider to eliminate the possibility of SIM port attacks by putting locks and blocks on all numbers you’re paying for, so that someone in the organization has to authorize any SIM swap. This adds delay whenever someone loses their smartphone, but adding more friction to the SIM swap process will beat back these attacks.
  • Zoom out and make sure you aren’t asking for trouble by trusting mobile phone carriers with your security. Yes, it’s true that multifactor authentication based on SMS messages is a huge step forward and will knock out almost every guessed and stolen password attack. There’s no reason to step back from those programs. But for your most sensitive users and most sensitive data, there are other ways to deploy multifactor that don’t depend on carriers not screwing up, such as biometrics, on-phone soft tokens (Google Authenticator and Authy are free and widely supported options) or even hard tokens.

Looking forward

IT managers should also evaluate their existing incident management plans to make sure that SIM porting attacks are adequately covered. Generally, this attack results in credential loss, which means that sensitive data can be exposed — but this is something incident management plans should already cover. What may need to be added are tools and procedures to recover control of the user’s mobile phone number after it has been commandeered by a cybercriminal.



Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.
