The first time I encountered Sim-Jacking attacks, my mind immediately went to John Woo’s 1997 masterpiece “Face/Off.” Sean Archer (Travolta) is an FBI agent hell-bent on bringing flamboyant terrorist Castor Troy (Cage) to justice. In a last-ditch effort to bring Troy’s entire criminal enterprise to its knees, Archer undergoes an experimental medical procedure that will enable him to wear the face of Troy. Catastrophe strikes, and both Troy and Archer have switched bodies. Now wearing Archer’s face, Troy destroys all evidence of the procedure and Archer’s identity. Troy, as Archer, continues his terrorist activities while leveraging his newfound position within the FBI. The real Archer goes through hell and eventually returns to his former self.
So, what is Sim-jacking, and what does it have to do with the visual masterpiece Face/Off?
Sim-jacking is a form of identity theft where an attacker, armed with Personally Identifiable Information (PII), can deceive your service provider into switching your phone number to a new SIM card that they own. Once complete, your number now belongs to them. All messages that are meant for you will instead go to their phone.
Since many online services use text messages sent to your phone for Two-factor Authentication (2FA), the implications of an attack of this type are dire. An unsophisticated threat actor with entry-level technical acumen can make fraudulent purchases, drain your bank account, and wreak general havoc. The damage can be catastrophic in the hands of an experienced cybercriminal or nation-state actor.
But how do they do this, where exactly do they find the information they need to take over your identity, and how is it so easy to pull off?
In this article, I’ll walk you through the steps in the process. We will cover topics such as target templating, information gathering, credential harvesting, and social engineering. I will show you examples of collected user data and details criminals seek. Finally, I’ll provide you with some steps you can take to mitigate these threats.
Researching the Target
During this process, a potential attacker gathers personally identifiable information (PII) in various ways that will be explored further later. Armed with your PII, the attacker will socially engineer your service provider into switching your phone number to their SIM. Now, all the messages meant for you will go to their device. The consequences of this can be severe.
The dark web and clear net both have forums and marketplaces where PII is either given away for free or is sold for profit.
One such website is "breached.to", a veritable treasure trove of information. It is part marketplace, part data dump. In a matter of moments, you can find the username/password combinations of thousands of accounts from NordVPN, Twitter, Facebook, Disney+, and other major companies. A low-level attacker with nearly zero computer knowledge can download these files for just a small amount of cryptocurrency.
During an interview with a former Senior Executive at AT&T, I was informed that employees extracting and selling customer personal data ran rampant throughout the company. This behavior was grounds for immediate expulsion, and law enforcement was contacted. Social Engineering training is mandatory, and all employees must complete it annually. However, attackers will always find a way.
Breached data files with PII will typically be uploaded to an anonymous file server such as "anonfiles" or "Pastebin". There are also instances where the buyer will be given credentials to a remote SSH server to download their purchase. Data can be sold and re-sold many times, so brokers like these can make steady profits. The cost varies from seller to seller, but the ranges I’ve seen the most are from $100 to several thousand, depending on the data type.
Targeted Data Gathering
Targeted data can be acquired by duping unsuspecting victims on social media platforms. Popular methods include surveys and personality tests. Both ways will have the user answer questions that may seem innocuous but can be used to steal your identity.
Attackers can visit websites such as Quizopolis or Survey Monkey to copy or create a custom survey. Surveys are styled for fun and contain a mixture of questions to make them sound innocent. The survey is then posted to social media, and the attacker follows it (easily done through hashtags) as it spreads and collects the data for later use.
Some examples of questions that could be asked by bad actors are:
How old is your mother?
What was the name of your childhood pet?
What was the name of your high-school mascot?
Where was your father raised?
(For a full list of security questions asked by different carriers, see the table at the end of the article.)
Individually, the information provided in the surveys is not a significant cause for concern; however, when aggregated, a malicious actor will use it to socially engineer your service provider into thinking they are you.
The attacker will then have your phone number moved to a mobile device in their possession and will now have access to any messages meant for you.
Pretexting & Practice
Due to their size and scale, service providers typically follow a playbook when speaking with their customers. They follow standardized rules to provide each customer with the same experience.
Companies have implemented multiple security measures to combat social engineering practices, such as annual training, security questions, secret pins, and biometrics. Used correctly and in combination, these security practices can make it difficult for an attacker to access your account.
Notice I said difficult and not impossible. When it comes down to it, we are all human, and humans make mistakes. This is where pretexting becomes a valuable resource for the attacker. If you know the playbook, all you must do is play by it.
Biometrics refers to the following:
Both voiceprint and current location checks can be easily circumvented, though typically only with the owner’s secret pin. Beware of anyone prompting you for your secret pin unless you called your service provider directly.
Security measures are based on the inquiry type, so knowing a service provider’s procedure when a customer “loses a phone” is vital information.
Pretexting is a social engineering term for “getting into character”. The attacker needs to prepare with the proper PII to be believable enough to sell the grift. For example, when most people are asked for their date of birth, there is little to no hesitation when answering, so practice is paramount.
My Phone Won’t Work
You’ve been at work for a few hours, and it’s finally lunchtime. You were in a bit of a rush today, so you forgot your phone in your car and haven’t been able to get back down to get it until now. You decide this will be an excellent day to get away from your desk and eat lunch in your car - that way, you can catch up on all your social media messages and laugh at all the new cat memes you may have missed in the past few hours.
Unfortunately, when you pick up your phone, you notice you have no signal from your carrier. You decide to reset your phone, but when the prompt comes back up, you’re met with the same issue. Out of sheer reflex, you try to call your service provider but quickly realize that you have no service, so you’ll have to figure out another way forward.
What you don’t realize is that your phone number has been stolen, and an attacker is currently wreaking havoc on all your connected accounts.
An attacker now has access to your phone number.
Many of us swear by two-factor authentication (2FA) and most companies have implemented a policy regarding password reset, where a multi-digit code is sent to your mobile device to authenticate the reset. Most individuals also only have a single email account to which all their activity is tied, so all an attacker needs to do is gain access to that account. With access to your phone number, this process becomes simple.
The example below shows a standard password recovery process.
The attacker navigates to your email provider and clicks “Forgot Password.” They are then prompted to check their device and to confirm that it is indeed them. This method involves your MSISDN (phone number) and IMEI (device ID). The IMSI (SIM card) never has to enter the equation because it’s already been reassigned to their device.
If an attacker attempts another method, they can request a multi-digit pin sent to the phone number. Either way, the processes work the same, and the attacker now has access to your primary email account.
So I Hear You Like to Party
Backing up your phone is great. I’m not saying not to do it, but I am letting you know that just like many things in this world, it can be used against you.
Remote work is here to stay, and to provide added security, companies have implemented 2FA policies. One such application is Google Authenticator. If you’re unfamiliar, Google Authenticator links to an account you have set, and every 30 seconds will cycle through a new six-digit pin. This is a great security practice, requiring the user to input a randomized pin and password.
Typically, this is a very safe practice. However, through Sim-jacking, an attacker can exploit this as well.
Now that the attacker has access to your primary email account, they can install the applications from your backed-up device. With access to your primary email, they can now log into your chosen authentication app and use the 2FA pin to gain access to whatever it is you have linked. If your corporate VPN is linked, they now have the tools to compromise your company’s network with legitimate credentials.
Suffice to say that a well-thought-out attack can result in catastrophic consequences.
So with all that being said, mitigating risk can seem like a daunting task. There is no foolproof method for stopping a criminal from gaining access to your information, but the more roadblocks that you can throw up, the better off you'll be.
The former AT&T executive I spoke with indicated that their company was doing everything possible to make sim-jacking and identity theft more difficult for criminals. As previously mentioned, they have implemented yearly social engineering training, biometrics, voiceprint, security questions, and secret pins, and are continuing to evolve their practices to counter malicious actors.
How can I prevent myself from becoming a victim?
1. Answer your security questions incorrectly.
If the security question is “what is your mother’s maiden name?”, there is no reason you can’t answer with “potato,” which I’ll assume isn’t your mother’s maiden name. Of course, you’ll want to remember your answers if you need to use them. I would suggest writing them down and putting them in a safe in your house. It’s probably the most secure method of keeping them safe.
2. When feasible, employ 2FA.
I know I illustrated how an attacker could bypass 2FA, but that doesn’t mean you shouldn’t use it. Just because someone can pick a lock doesn’t mean you take the lock off the door to your house. It’s also important to note that 2FA comes in many shapes and sizes. Larger companies should consider employing RSA tokens for 2FA instead of an application tied to someone’s device. This out-of-band 2FA may be more expensive than using a digital application, but these tokens are much more complicated to spoof than a phone.
3. Use hard passwords.
Passwords will always be a topic of debate amongst the masses, but we can all agree that neither “Password123” nor “PasswordsRDumb123456” is a good password. For this article, I will not cover what makes a good password. There are thousands of articles on that out there, so I suggest you check them out.
4. Limit password re-use if possible.
This is another tough one. Every site you go to now has its own login prompt, and everyone keeps telling you to have a different password for each one. Having a password for each account just isn’t feasible, which is why keychain services like “LastPass” came into existence. The recent breach of LastPass is cause for concern; however, there is no reason that you can’t have multiple keychains with only a handful of accounts tied to each. There will always be a chance that one of your keychains gets breached, but if you have them compartmentalized, you can limit the damage.
5. Stop answering online personality quizzes and surveys.
Your personal information can be found online in myriad ways; however, that doesn’t mean you need to give it up freely. I’m not saying that you should be a shut-in, but be deliberate with what type of information you share and with whom.
Security is an ever-moving target, and keeping your data safe can be exhausting. There is no way to be completely secure, but the more obstacles you throw up, the less likely an attacker will waste their time on you.
Carrier Security Questions: