By Mark D. Rasch and Allison Nixon
In the Simpsons episode, “Bart vs. Lisa vs. the Third Grade,” the siblings are both abandoned while on a school trip despite the fact that Mrs. Krabappel, the teacher, had deployed a mechanism to ensure that all people on the bus were accounted for. As she explains, “Ah, the buddy system. Foolproof.” To put that into infosec terms, “Ah, the multifactor [multichannel] authentication system. Foolproof.” One vulnerability of a multichannel authentication system (e.g., email and phone) is that if BOTH channels are compromised, not only is the system compromised, it is compromised in a way that creates a false sense of security, authentication, and confidence. Ah, the buddy system. Foolproof.
Also, because each channel is used to authenticate the other (we alert to possible unauthorized access to email by sending a text to a phone), a compromise of ONE channel actually is a precursor to a compromise of the other. So, while multifactor or multichannel authentication is better in many cases than a single channel of authentication, recent developments in the hacker community have demonstrated that, by creating a false sense of authentication, it may do as much harm as good. Ah, the buddy system. Foolproof.
The problem is particularly acute when one of the authentication factors relies on a cell phone or messaging applications tied to the cell phone.
When MultiFactor becomes Zero Factor
One common “good security practice” recommended by practitioners is to use multichannel authentication; you authenticate yourself with both an email address and phone number. When your Gmail account is accessed, you get a text message to confirm that you authorize the access. We rely on the fact that more than one channel has to be compromised to effectively access an account without authorization. It’s a pretty good strategy.
The problem, however, is that when these separate channels aren’t as independent as we assume, it creates what is truly a false sense of security. If a single factor is compromised (say a phone), the intercepted text messages can compromise the other channel (the email). Modifying one channel effectively modifies the other. So we are down to one channel of authentication. What is worse, the existence of weak multifactor authentication creates a false sense that you are, in fact, dealing with the person you have “authenticated.” Ah, the buddy system. Foolproof.
The most common “second channel” of authentication is by a text message sent to your phone number. A one-time-use code sent via this channel is then used to authenticate the user.
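The collapse from “two channels” to one channel can be made concrete by writing the recovery rules down and asking how many channels an attacker must actually seize. The following is an added illustration, not code from the original article; the channel names and the two recovery policies are constructed for the example. Each rule says that controlling every channel in the prerequisite set grants control of another channel, and the smallest seizure set that reaches the account is the real factor count.

```python
from itertools import combinations

# Each rule: an attacker who controls every channel in `required` gains `granted`.
# Two constructed policies for the example.
WEAK_RULES = [
    ({"password", "sms"}, "account"),  # normal login: password plus SMS code
    ({"sms"}, "email"),                # mailbox reset code is delivered by SMS
    ({"email"}, "account"),            # account reset link is delivered by e-mail
    ({"sms"}, "account"),              # account reset code is also delivered by SMS
]

HARDENED_RULES = [
    ({"password", "device_key"}, "account"),  # login: password plus approval signed by the enrolled device
    ({"email", "device_key"}, "account"),     # recovery still requires the enrolled device
    ({"sms"}, "email"),                       # the mail provider still resets by SMS (outside our control)
]


def compromise_closure(rules, seized):
    """Channels the attacker ends up controlling, starting from `seized` and
    applying every rule whose prerequisites are already held."""
    owned = set(seized)
    changed = True
    while changed:
        changed = False
        for required, granted in rules:
            if granted not in owned and required <= owned:
                owned.add(granted)
                changed = True
    return owned


def channels_of(rules):
    """Every channel that appears as a prerequisite in the policy."""
    return sorted({c for required, _ in rules for c in required})


def min_seizure_sets(rules, target):
    """Smallest number k of channels whose compromise yields `target`, together
    with every k-sized set that does so. That k is the effective factor count."""
    channels = channels_of(rules)
    for k in range(1, len(channels) + 1):
        hits = [set(s) for s in combinations(channels, k)
                if target in compromise_closure(rules, s)]
        if hits:
            return k, hits
    return 0, []


def single_points_of_failure(rules, target):
    """Channels whose compromise alone yields `target`."""
    return {c for c in channels_of(rules)
            if target in compromise_closure(rules, [c])}


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        k, sets = min_seizure_sets(rules, "account")
        print(f"{name}: nominal channels {len(channels_of(rules))}, "
              f"effective factors {k}, minimal seizure sets {sets}, "
              f"single points of failure {single_points_of_failure(rules, 'account')}")
```

Under the weak policy the account nominally sits behind three channels but falls to one (either the phone number or the mailbox), which is the “zero factor” situation the article describes. Under the hardened policy every minimal seizure set contains the device-bound key, so seizing the number alone gets the attacker the mailbox but not the account.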
A common fraud scheme lately, known as SIM swapping, has taken advantage of this. The Subscriber Identity Module (SIM) is one of the things that makes “your” phone “your” phone. A criminal swapping your SIM card number for theirs in the carrier’s database would permit their phone to act as your phone, intercepting your calls and texts, and enabling theft of any accounts that can be reclaimed using your calls and texts.
One everyday use of swapped SIMs is to steal cryptocurrency, which can be unlocked through the hijacked phone number. In November of 2019, for example, two Boston-area men were indicted for using SIM swapping and social engineering to attempt to steal cryptocurrency. The indictment laid out the scheme by noting:
A “SIM” card is an acronym for a Subscriber Identity Module card, which is a chip located inside a cell phone that stores information identifying and authenticating a cell phone subscriber. When a cell phone carrier reassigns a phone number from one physical phone to another (such as when a customer purchases a new phone but wants to retain the same number), the carrier switches the assignment of the cell phone number from the SIM card in the old phone to the SIM card in the new phone. This process is sometimes called “porting” a number. “SIM swapping” is a term for essentially the same process conducted without the authorization of the individual who legitimately controls the number.
Cybercriminals generally engage in SIM swapping by convincing a victim’s cell phone carrier to reassign the victim’s cell phone number from the SIM card inside the victim’s cell phone to the SIM card inside a cell phone controlled by the cybercriminals. The process of convincing the cell phone carrier that there is a legitimate reason for the switch is referred to as “social engineering.”
For instance, the cybercriminal may pose as the victim and claim his cell phone was lost or damaged, and that he needs to have his number transferred to another phone. Alternatively, the cybercriminal may claim to be a representative of the carrier working at a local store, with a customer who needs to have their number ported to a new device. SIM swapping is not always accomplished through social engineering; some cybercriminals engage in SIM swapping by bribing or conspiring with an employee of the cell phone carrier, sometimes referred to as a “plug,” and having that employee make the switch.
An “account takeover” is a technique that cybercriminals use to take control of a victim’s online accounts (e.g., a victim’s email, social media, or cryptocurrency accounts) without authorization. Cybercriminals use a variety of techniques to conduct account takeovers.
For example, cybercriminals who successfully SIM swap a victim may then pose as the victim with an online account provider and request that the provider sends account password-reset links or authentication codes to the SIM-swapped device now controlled by the cybercriminals.
The cybercriminals can then reset the victim’s account log-in credentials (e.g., username and password), even if the victim has tried to secure the account by requiring that an authentication code be sent (“two-factor authentication”). Cybercriminals can then use the log-in credentials to access the victim’s account without authorization (i.e., “hack into” the account).
When users open accounts on social media platforms, such as Instagram or Twitter, they are generally asked to choose both a user name (also known as a “handle”) and a vanity name, which will also display on the account. Most social media platforms will allow multiple users to have the same vanity name, but the handle must be a unique identifier for each user. For instance, there can be multiple Instagram users who have the display name “Shannon Sullivan,” but each account must have a different handle to identify the unique account (e.g., only one can be “@ShanS12345”). When a social media handle is an especially short, common, or well-known word or phrase, e.g. “@John,” or “@awesome,” the handle carries a particular cachet because the ability to capture such a common word for individual use suggests that the user was an especially early adopter of that social media network. Such high-value accounts are sometimes referred to as “OG accounts,” with “OG,” an acronym for “Original Gangster,” referring to veteran gang members, or in this case, veteran social media users. “OG accounts” are sometimes traded and/or offered for sale online.
Cybercriminals who engage in SIM swapping, account takeovers and cryptocurrency theft often collaborate with one another online, using various online monikers, in underground forums like “OGUsers” and “Hackforums,” as well as using real-time communications platforms.
The National Institute of Standards and Technology (NIST) has published guidelines on “out-of-band” authentication in SP 800-63B, available on its website. As part of an overall security program, the guidelines recommend that those seeking to authenticate identity use a separate channel with a verifier (e.g., an SMS message, or even a verification through an app on the phone) “provided the device does not leak information from one channel to the other without the authorization of the claimant.” The Special Publication speaks of unique addressability, encryption, and security of the channel, but leaves a gaping hole: authentication OF the second channel, as opposed to authentication TO the second channel. For example, the NIST guidelines suggest that a second channel can be used to “[a]uthenticate to a public mobile telephone network using a SIM card or equivalent that uniquely identifies the device.” Cool. But this ASSUMES that the SIM card “uniquely identifies the device.”
It. Does. Not.
The physical hardware contains unique identifiers like the International Mobile Equipment Identity (IMEI), which is distinct from the ICCID (Integrated Circuit Card Identifier), which is supposed to identify the SIM card itself. In fact, that’s why you can move a SIM from one device to another and have it continue to work. When I travel internationally, I take the SIM out of my iPhone and replace it with a SIM I buy overseas (cheaper data), and then take my domestic US SIM and put it into my Android watch, just in case I need a US-based device as well. Pretty cool. But the HARDWARE signature is not necessary for the SIM to work. The NIST guidance notes that “If out-of-band verification is to be made using a secure application, such as on a smartphone, the verifier MAY send a push notification to that device.” And that’s the difference between a “secure” device and an “authentic” one. When my SIM is swapped, my phone is secure, and my SIM is secure. Well, reasonably so. But the hacker’s connection to the network is ALSO secure. It’s just that he is not me. And everyone thinks he is. Because he has my number.
Unfortunately, the NIST guidelines have a catch-22 making it all but impossible to actually verify identity. The guideline notes that “If out-of-band verification is to be made using the PSTN [Public Switched Telephone Network], the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device.” Typically this means validating something like the IMEI number of the phone.
The problem here is that IMEI numbers are considered by the phone companies to be CPNI (Customer Proprietary Network Information), data that is protected by law from disclosure. That makes it next to impossible for carriers to share this data in a way that it can be used to effectively authenticate.
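The difference the NIST text draws between the PSTN path and a “secure application” path is the difference between a channel whose secret travels to whoever currently holds the number and a channel whose proof requires a key held by the enrolled device. The model below is an added example written for this article, not code from NIST or from the authors; the Device, Carrier and Verifier classes, the user name, and the phone number are constructed. The number reassignment is modelled as a single routing change at the carrier, since how it happens is outside the verifier’s control; what matters is which path still distinguishes the enrolled handset afterward.

```python
import hashlib
import hmac
import secrets


class Device:
    """A handset. Its key is created at enrollment and never leaves the device
    (on real hardware it would sit in a secure element or keystore)."""

    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)
        self.inbox = []  # SMS messages delivered to whoever holds the number

    def sign(self, nonce):
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class Carrier:
    """Routes each phone number to whichever device its SIM is provisioned on."""

    def __init__(self):
        self.routing = {}

    def assign(self, number, device):
        self.routing[number] = device

    def deliver_sms(self, number, text):
        self.routing[number].inbox.append(text)


class Verifier:
    """Relying party offering two out-of-band paths for the same account."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.accounts = {}

    def enroll(self, user, number, device):
        # SMS path binds to the number; push path binds to a key held by this device.
        self.accounts[user] = {"number": number, "device_key": device.key}

    # PSTN/SMS path: the secret itself travels over the channel being
    # authenticated, so whoever the carrier routes the number to can answer.
    def sms_challenge(self, user):
        acct = self.accounts[user]
        acct["sms_code"] = f"{secrets.randbelow(10**6):06d}"
        self.carrier.deliver_sms(acct["number"], acct["sms_code"])

    def sms_verify(self, user, code):
        return hmac.compare_digest(self.accounts[user].pop("sms_code", ""), code)

    # Device-bound path: only a fresh nonce travels (over the app's push channel,
    # returned directly here); the proof requires the key enrolled at setup.
    def push_challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.accounts[user]["nonce"] = nonce
        return nonce

    def push_verify(self, user, response):
        acct = self.accounts[user]
        nonce = acct.pop("nonce", None)  # single use: a replay finds no pending nonce
        if nonce is None:
            return False
        expected = hmac.new(acct["device_key"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def simulate_number_reassignment():
    """Enroll a user, move the number to a different handset, compare both paths."""
    carrier = Carrier()
    verifier = Verifier(carrier)
    enrolled = Device("enrolled-handset")
    other = Device("other-handset")
    number = "+1-555-0100"  # constructed sample number
    carrier.assign(number, enrolled)
    verifier.enroll("alice", number, enrolled)

    # The carrier now routes the number to a handset that was never enrolled.
    carrier.assign(number, other)

    verifier.sms_challenge("alice")
    sms_after_swap = verifier.sms_verify("alice", other.inbox[-1])

    push_after_swap = verifier.push_verify("alice", other.sign(verifier.push_challenge("alice")))
    push_enrolled = verifier.push_verify("alice", enrolled.sign(verifier.push_challenge("alice")))
    replay = verifier.push_verify("alice", enrolled.sign(b"stale"))  # no pending nonce

    return {"sms_after_swap": sms_after_swap, "push_after_swap": push_after_swap,
            "push_enrolled": push_enrolled, "replay": replay}


if __name__ == "__main__":
    print(simulate_number_reassignment())
```

After the number moves, the SMS code is still accepted because the verifier never learned anything about the handset, only about the number; the push path is refused because the new handset cannot produce a signature under the enrolled key, and the enrolled handset still can. This is the property the guidance asks for when it says the number must be associated with a specific physical device, achieved here without the verifier ever needing the IMEI.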
The Weakest Link
Once the hacker becomes you on the cell phone, it’s trivial to become you everywhere else. Want to reset your Google password? Easy peasy lemon squeezy. Just make a password request, and Google will verify you with a text message to your authenticated phone number! Want to change settings for your Facebook, LinkedIn, or cryptocurrency wallet? It’s just an SMS message away. Now the hacker has corrupted both channels — email and phone — and can use these corrupted channels to obtain things like work credentials and VPN access, and can effectively become you. All with a simple text. If you compromise one channel, you effectively compromise them all. Ah, the buddy system.
The problem is that we treat SIMs as strong, reliable authenticators when they aren’t. Well, at least not as strong as we think. And the compromises are frequently not technical. If you can corrupt or impersonate employees at electronics stores, phone companies, authorized hardware sellers, or others, you can swap a SIM. If you can swap a SIM, you can change accounts. And you can then do some real damage.
Ah, the buddy system. Foolproof…
Until you have more clever fools.