Phone numbers are easily stolen in SIM swap attacks

This article is a re-edited version of "I tried to hack a friend's website using a SIM swap attack" published in the "Cyber ​​Security Information Bureau" provided by Canon Marketing Japan.

How easy is it to launch a SIM swap attack? And what can an attacker do after hijacking a phone number? The bottom line is that it's surprisingly easy to launch a SIM swap attack, and an attacker can do anything.

SIM swapping is also known as SIM hijacking or SIM swap scam. You may have heard these words. However, many will think that it doesn't happen to them. In fact, I hear people say, "I will never be hacked" and "I don't know why I am being targeted." However, it is true that malicious attackers launch a huge number of attacks every day, and we, the general consumer, are also the target. Why not take concrete measures to mitigate these risks?

The specific countermeasures will be described later, but first, I would like to explain how the SIM swap attack was tested in order to deepen the understanding of the risk itself. What happened in reality must help us understand cyber attacks. In fact, we did a similar test last year to show you how easy it is to hijack your account on the messenger app WhatsApp using your phone number. It would have been a very good lesson for a colleague who was the victim.

This test was conducted with a friend I had been friends with since I was a student. Let's call his name "Paul" here. When asked if he could try hacking Paul to educate him about the dangers of cyberattacks and to protect people from future attacks, he was happy to take part in the test. ..

How SIM swapping works

All you need to test is Paul's real name and phone number. He runs a real estate agent and sells luxury properties in the wealthiest areas of the UK. His contact information was posted on the website, as many companies do. In addition, his detailed personal information was obtained from a simple Internet search and public information called OSINT (Open Source Intelligence).

Like a real attacker, he recorded information about Paul found online. Also, I avoided following on social media and applying for friends. In reality, the attacker may try to connect with the target on SNS, but in this case it is assumed that he is already familiar with Paul, so I decided to take a distance.

It didn't take long to get more information about Paul from the information published on Instagram and Facebook. He also researched what might be of interest to him on his birthday or chronologically, in order to identify dates and numbers that were meaningful to him. Immediately, I was able to see posts published on multiple social media before and after his birthday. It made it very easy to identify the birthdays of Paul and his son. I found that no tricks were needed to identify my birthday, so I recorded these dates and proceeded to the next test.

"5 major US wireless carriers vulnerable to SIM swapping attacks (English only)"

Most people in the UK have contracts with one of several carriers. When I tested from one of them, it turned out that the telecommunications company that attacked first was the correct answer. After confirming how to contact the telecommunications company, he contacted a kind person in charge, calling himself Paul and giving him the phone number needed to verify his identity.

Many telecommunications companies authenticate themselves using two digits of a preset PIN code. Many people will remember their credit card PIN and mobile phone unlock code. Since this is used frequently, it can be said that it is a type of information that is memorized sensuously.

However, few people contact the telecommunications company so often that they remember their PIN code. In other words, I wondered if I was using a PIN that was easy to remember in relation to me, such as my date of birth.

As a result, that was exactly the case. I didn't know how many chances I had, but I'll be able to try the PIN code at least once. In the telecommunications company's identity verification process, he first took the last two digits of 2011, Paul's son's birthday, and told him "1" and "1". This was a mistake. And the kind person urged me to try another number. Next, from 1982, Paul's birthday, he told him "8" and "2". Then, the person in charge told me that the identity verification was completed without any problem and I would like him to talk about the contents of the request.

So, tell the person in charge that your mobile phone was stolen, that you have to stop your current SIM card, that you purchased a new SIM card, and that you want to switch to a spare mobile phone. rice field. I already had a new SIM card ready for use as a spare cell phone. When I gave the new SIM card number to the person in charge, the person in charge replied that Paul's phone number would be transferred to the new SIM card within a few hours.

At this point, Paul would have noticed that the cell phone was turned off and the text message was no longer reachable. However, if you are connected to Wi-Fi, you can use the Internet. In fact, when he contacted the carrier, Paul was in the office and was connected to the Internet from his cell phone.

Two hours later, after several reboots of the spare cell phone, Paul's phone number was fully accessible. The spare cell phone was replaced by Paul's phone. As the person in charge of the telecommunications company said, when I called from the spare mobile phone to my phone, the name of "Paul" was displayed there.

But this is just the beginning. It's really dangerous from here.

Result of attack

Paul thought it was only a matter of time before he noticed the incident, so when he visited his website and checked the host, he found that he was using a popular website creation tool. This is a method often used by attackers, but I clicked the "Forgot password? Click here" link and entered Paul's email address. This is to verify what happens if you ask to regain access to your account.

Paul had some knowledge of cyberattacks, so he had enabled two-factor authentication (2FA). However, it was an SMS-only authentication. This is also one of the common mistakes. I clicked on the verification page and proceeded with the procedure, and within a few seconds I received a code for two-factor verification in the SMS of the spare mobile phone. When I went back to the website and entered the code, it was very easy to change the password for the website.

I could have done a similar test on Paul's social media or a webmail account, but I ended the test here because I got enough results. That said, I wondered if I could have an interesting conversation when I contacted Paul if I posted my huge photo on his website. Needless to say, he was amazed and at the same time impressed with how easy it was to steal valuable assets.

How to protect yourself from SIM swap scams

Readers of this article may be wondering how to protect their account.

Below are two main ways to prevent SIM swap attacks.

• Do not include your personal information in your PIN code or password • If possible, replace two-factor authentication with SMS with an authentication app or physical security key

If these measures were taken, it would not have been possible to hijack the account in this test. But more importantly, he wouldn't have been able to change the password for his account. If password information is stolen, a malicious attacker can lock out the account holder and lose control. Bank accounts, email, and even social media will be affected, with serious consequences.

Returning to Paul, he returned his SIM card and website account to him for advice on setting up an authentication app and urging him to change his carrier's PIN code from his birthday. He also taught him how to use a password manager to remember his PIN code. In addition, he advised to avoid posting important personal information on social media and limit who can view the post.

[Quote / Source] I hacked my friend's website after a SIM swap attack by Jake Moore 27 May 2021 --11:30 AM https://www.welivesecurity.com/2021/05/27/i-hacked-friends-website -sim-swap-attack /

■ Related sites