“SIM Swap” and Its Effects on SMS Based Authentication

September 10, 2019 Rajesh Pakkath

Many of you might be aware of the latest, and most high-profile account takeover of Twitter chief executive Jack Dorsey, that led to a set of offensive tweets and retweets from his Twitter account. Security analysts have blamed this takeover on the so-called “SIM Swap” fraud where a hacker obtains the victim’s personal data through phishing techniques and uses this information to convince a mobile provider to switch the number associated with a SIM card to another unauthorized device. As a result, all calls and texts to the victim’s number are routed to the hacker’s phone, including SMS based one-time passwords, potentially causing people to lose control of not only their enterprise and social media accounts, but their bank accounts and other sensitive information.

SIM Swap attacks using SMS based one-time passcodes appear to be the primary reason behind many reports of fraudsters draining thousands of dollars out of victim’s checking accounts, a recent string of embarrassing Instagram takeovers, and loss of crypto currencies that have led to multi-million-dollar lawsuits. Fake tweets from prominent leaders’ accounts can have devastating consequences resulting in lasting reputation damage and loss of trust, resources, time and money. Such instances of fraud only augments why the U.S. National Institute of Standards and Technology (NIST) announced in July 2016 that organizations should no longer send one time passwords to mobile phones. Though NIST downgraded the use of SMS from “deprecated” to “restricted” in 2017, it still strongly recommends that organizations stop using SMS 2FA as this is an insecure method, relying only on the phone number and not the device itself.

As providers of centralized access to enterprise and consumer apps and resources, Identity and Access Management (IAM) vendors play a crucial role in providing controls to detect and remediate such account takeovers. To address security concerns, organizations have typically employed overly restrictive IAM controls (such as enforcing stronger password policies, knowledge-based responses, etc.) resulting in painful user experience. OTP based systems like SMS, smart phone-based codes, and FIDO based tokens were designed to improve overall user experience without compromising security but often were driven off of static rules that again impacted user experience.

While such factors offer better alternatives to SMS based authentication codes, a much better solution to address SIM Swap fraud would be an intelligent and dynamic authentication solution that can continuously analyze user and device context and require stronger factors only as needed. Such technology solutions can constantly capture the fingerprint of each enrolled device, including SIM card data, device type, geo-location information, obtain SIM porting history data (when a user activated their current SIM card or last ported their number) and carrier related data from 3rd party vendors. This rich set of data along with behavioral biometrics (passive factors such as typing speed, device orientation etc.) can then be fed into an artificial intelligence powered analytics engine that can use machine learning algorithms to assess risk based on constantly evolving user behavior patterns. Any authentication or forgotten password attempts from a SIM swapped device can flag the user as risky, prevent any subsequent authentication attempts, and alert users of fraudulent activity. For instance, when device context data mismatch highlights a low or moderate threat of SIM swap fraud, IAM systems can determine whether to deliver the one-time password via SMS or require a stronger form of verification factor like smart phone-based OTP, FIDO U2F token or altogether deny the reset password request.

Despite multiple reports of SIM Swap attacks and NIST recommendations, most organizations and users still rely on SMS authentication as their primary out-of-band authentication method for allowing secure transactions. With fraudsters continuing to exploit this weakness in SMS, employing better authentication processes with minimal impact to users is vital to improving the security posture of any organization.

Click here to learn about Idaptive’s Zero Trust approach IAM solution that verifies every user, validates their devices, and intelligently limits their access to apps and endpoints. Idaptive also utilizes machine learning to discover risky user behavior and apply conditional access — without impacting user experience.

Previous Article
NIST 800-63-C: Federated Assurance Level Guidelines
NIST 800-63-C: Federated Assurance Level Guidelines

This is part four of a blog series on NIST 800-63c guidelines on Digital Identity. This blog focuses on par...

Next Article
How to Prevent Office 365 Account Lockouts
How to Prevent Office 365 Account Lockouts

Office 365 lockouts are a major employee productivity issue – here are tips and tricks to stop account lock...