Why SMS 2FA is insecure & why you shouldn’t give out your mobile number
I saw a tweet today from Zooko (CEO of ZCash) that got me thinking about how SIM swapping (Also known as SIM-jacking) has become more prevalent lately. More and more people are relying on an inherently flawed system under the illusion of security.
I’m going to explain 3 things:
- Why you shouldn’t give out your mobile number freely, to anybody.
- How SIM swaps actually happen.
- A better way of securing yourself online.
You see, I work in telecommunications for my day job, so I know a thing or two about how this works. That said, even before this job, I still knew better than what the quoted article says.
So the article basically says:
Tuttle said SIM swapping happens in one of three ways. The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company’s network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target’s existing SIM card with a new one.
This is complete nonsense. None of that happens.
Here’s how it really happens.
Let’s take Zooko, as an example.
Disclaimer: Don’t do this to Zooko, please, I’m just using his name as an example but presume the same could also happen to you.
Let’s pretend you’re an attacker, and you want to get into Zooko’s Coinbase account. You presume he uses it based on some tweets you’ve seen, plus there are Coinbase employees who are involved with Zcash too, so it makes sense Zooko would do trading there. His account is likely protected through SMS 2FA (2-factor authentication), but that’s not going to stop an attacker.
First things first: you need to find his mobile number. This can be done in a number of ways, but the easiest is to find a website that’s been previously hacked and that held the target’s contact details. The easiest way to get the mobile number is by correlating info from someone’s email address, which is much more common / readily available.
A quick search online shows he’s got several emails, most of which it seems are pretty public knowledge.
Take that email and pop it into www.haveibeenpwned.com and see what leaks it’s been a part of.
You can see that there have been a number of breaches that link his mobile with email, along with some additional data that will make life easier for an attacker to SIM-swap.
Side-note: Have you ever received an email telling you “I know your email password, it’s XYZ. I’ve infected your computer with a trojan and seen you watching porn. Send me 1BTC or I send pictures of you pleasuring yourself to all your contacts”? Well, this is how they get your details, and they’re hoping you re-use your passwords, and that you won’t call their bluff.
Now the “haveibeenpwned” website doesn’t contain those specific details, but just keeps an easily searchable list of email addresses so you can see if you *were* a victim of those data breaches.
So, we know that Zooko has been a victim of multiple data breaches. It’s not surprising; it happens far more than it should in this day & age. Try putting your own email into haveibeenpwned and see what comes up.
Next, an attacker would go and track down the details of that “dump” from the particular data breach. This one says his phone number is in there along with his date of birth (though you can also find his DOB easily enough through a Google search, with Wikipedia results). Having the DOB is also helpful because it’ll make an attacker seem more credible.
Oftentimes the results from these breaches are available on “clipboard paste” websites that just keep text lists. They are on torrent sites too. Alternatively you can do a quick search on Google just asking “What is this person’s mobile number”, which comes up with a few results.
Next, we need to find out who his mobile phone is with. It looks like he lives in the USA, so we know it’s most likely to be one of a handful of providers:
AT&T, Verizon, T-Mobile or Sprint
That’s only 4x telcos to have to take a guess at, shouldn’t be too difficult.
So an attacker will go out and buy themselves a SIM card, for each of the aforementioned 4x mobile telcos. Presuming it’s a few bucks each, might cost an attacker $20 total?
In NZ you can buy them from your local corner dairy, or supermarket, and we really only have 3x main telcos here (Vodafone, Spark and 2degrees, though we also have Skinny mobile who resell Spark).
Then, the attacker will ring up each of the telcos, one at a time.
“Hi, I’m Zooko. Look, I’m out travelling on business and my mobile phone has been stolen. I think I left it on the table at a food court to be honest. Anyways, I’ve got another SIM card here with me already, and I’ve got a spare phone to pop the SIM into. My date of birth is 1st of April 1987 (You tell them this because you know it’s bound to be one of the security questions they ask). I’m expecting an important business call soon, can you help me out and get the number transferred? If you can also block the IMEI number of that other phone too, I don’t want the person who stole it to be able to use my phone.”
That’s pretty much it!
Most of the time the person on the other end of the phone is just going to say “Sure, here you go, the number is transferring through to that SIM card. It’ll be done in an hour”.
People can “put notes” on their account with their mobile carrier instructing staff not to transfer their number, etc., but oftentimes the person on the other end of the line is just trying to be helpful and will ignore it.
The attacker now has a mobile phone with their victim’s cellphone number on it, without having gone into any store or seen any phone company employees, and it can even happen from the other side of the country.
Are you scared? You should be!
All it takes is a little social engineering and the “security” is totally void.
This is why mobile (SMS) 2FA is completely 100% unreliable and should not be used. Ever!
If you’ve ever logged in somewhere and they’ve sent you a text message to “verify” you are you, that’s an easily-bypassed security method that simply makes it more likely your entire identity will be stolen, just to get access to your Crypto exchange account.
Have you got your Cellphone as a way to get back into your Gmail account, or similar? Go remove it, now! Before you do any further reading.
Once an attacker has your mobile phone number in their control, they will usually also attempt to log in to your email account via “Forgot my password”. This password reset procedure will often send a text to your phone (or the attacker’s phone, now that they have your mobile number), you enter the code it sends you, and then it’ll let you choose a new password.
Once the attacker is into the person’s email account, they can request a password reset for most online accounts, such as their crypto exchange accounts.
Of course, if you have a company / corporate email then usually you’ll have a slightly different password-reset process. If you have a Gmail or Outlook email though, that’s usually how you get back into your email.
It’s not difficult, sadly.
Alternatively, if the person re-uses usernames / passwords, and all that stands between the attacker and the victim’s crypto exchange account is SMS 2FA, then they’re in with a grin now, without even having to get into the email account.
So what can be done about this?
Two things come to mind:
- Don’t use your cellphone for 2FA. It’s not secure and can’t be trusted. If you must, for, say, a single exchange, don’t re-use your mobile number. Get a burner mobile. Alternatively, just use a better exchange.
- Use Digi-ID by DigiByte. It’s far safer and removes many of the incentives to ever even attempt SIM-jacking.
You see, if your credentials are not a username, password, and SMS 2FA, it removes any incentive for an attacker to try and SIM-swap in the first place. There’s nothing to be gained, no financial reason for an attacker to invest that time, and so you can largely head off the hacking attempt even before it has occurred.
I’ve seen a number of reports doing the rounds lately of high-profile SIM-swap attacks. Oftentimes cryptocurrency to the tune of 6–7 figures (USD) gets stolen. Many of the responses I see have been belittling the victim for poor security practice, while many overlook the cryptocurrency exchange / service itself which enables such a poor practice.
Let’s be real here:
- We know SMS-2FA is insecure
- We know we shouldn’t use it
- We know there are far better, safer, faster, and more secure alternatives
Why, then, is there not more of a public outcry for genuine security from the cryptocurrency exchanges themselves, or other such services?
What we need to start doing is demanding better security practices from cryptocurrency exchanges. There is really no excuse for them to be enabling this kind of poor practice under the illusion of security. Many end-users simply don’t know better, and if the Engineering Manager at BitGo (a blockchain security company) can get his funds stolen, then how is your grandma supposed to know any better as she gets into cryptocurrency?
This is where we need to support a new wave of exchanges that support this level of security, such as ChangeAngel and Crytrex.
These exchanges have Digi-ID support implemented, and there’s no way an attacker can SIM-swap and get into your account with Digi-ID.
Think about it for a minute:
By removing the ‘vulnerability’ that is the third party, your mobile carrier, even IF an attacker successfully SIM-swaps, they still can’t get anything out of your exchange account.
If there’s no way a SIM-swap can get an attacker in to your account, you remove the incentive for an attacker to steal your phone number.
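The recovery chain described above (phone number, then email, then any exchange that resets via email or SMS) and the argument that an exchange with no dependency on the phone number is out of reach can both be modelled as a small dependency graph. The example below is added here and is not code from the original post; the asset names are constructed, and treating a Digi-ID style login as depending only on a key held on the user’s device is an assumption, since the post does not describe Digi-ID’s internals.

```python
# Added example (not from the original post): a model of account-recovery
# dependencies, showing why controlling a phone number is enough to take over
# an SMS-protected exchange account but not one that never involves the number.
# Asset names, and the assumption that a Digi-ID style login depends only on a
# key held on the user's device, are constructed for this illustration.

# Each asset maps to a list of recovery options. ANY single option suffices;
# within an option, ALL listed factors are needed at once.
RECOVERY = {
    # Webmail: "Forgot my password" sends a code to the registered phone.
    "email": [{"phone"}],
    # Exchange with SMS 2FA: reset via the email on file, or log in directly
    # with a reused password plus the SMS code (the post's "in with a grin" case).
    "exchange_sms2fa": [{"email"}, {"reused_password", "phone"}],
    # Exchange using a device-held key (Digi-ID style, as assumed above):
    # neither the phone number nor the email can reset or log in to it.
    "exchange_keyauth": [{"device_key"}],
}


def compromised(recovery, seized):
    """Return every asset an attacker controls after seizing the factors in `seized`.

    Control propagates through the graph until nothing new is reachable: an
    asset falls as soon as all factors of one of its recovery options are owned.
    """
    owned = set(seized)
    changed = True
    while changed:
        changed = False
        for asset, options in recovery.items():
            if asset not in owned and any(opt <= owned for opt in options):
                owned.add(asset)
                changed = True
    return owned


def blast_radius(recovery, seized):
    """Assets lost beyond the factors the attacker started with, sorted."""
    return sorted(compromised(recovery, seized) - set(seized))


if __name__ == "__main__":
    # A successful SIM swap: the attacker now receives the victim's SMS.
    print("SIM swap only:       ", blast_radius(RECOVERY, {"phone"}))
    # SIM swap plus a password reused from a breach dump.
    print("SIM swap + password: ", blast_radius(RECOVERY, {"phone", "reused_password"}))
    # The device key stays with the victim, so the key-based exchange never falls.
    print("Key-auth exchange safe:", "exchange_keyauth" not in compromised(RECOVERY, {"phone"}))
```

Swap in your own accounts and their actual reset channels to see which of them fall to a single SIM swap.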
So it’s time we start demanding better security from cryptocurrency exchanges and digital asset management solutions.
It’s time we start demanding Digi-ID.
Want to learn more about it? We’ve got a quick introduction video, or you can learn more at www.digi-id.io