SIM swap: don’t panic!
Written by
Lahis Kurtz (See all posts from this author)
5 August 2019
Your email, WhatsApp and other accounts may be exposed by the very two-factor authentication meant to protect them. That's right: when the second factor is an SMS code, it can end up serving the opposite purpose. In today's post, we explain what SIM swap is, what the risks are and how to protect yourself.
What is SIM swap
Your mobile number is linked to a SIM card, the chip inside your phone. Your carrier can move that number to a different chip at any time. This is what legitimately happens when your phone is stolen or lost, for example: you contact your carrier and ask for your number to be activated on the chip in your new device.
It turns out that this procedure is easy to abuse. A mobile number was never designed to be a means of identity verification (as the Reply All podcast team warns in this episode). So, with little difficulty, a malicious person can have your number moved to another chip for a few moments without you noticing. This is SIM swap, commonly known as phone cloning. For as long as the swap lasts, that person receives everything sent to your number, calls and SMS alike, including the verification codes of every account that uses SMS as its second factor.
The way the swap is carried out is simple: the attacker needs a chip of their own and some of the victim's personal data. With that in hand, they contact the carrier, pose as the victim and request the transfer. It is easier when the attacker has an accomplice inside the carrier, but it also works with personal information alone, such as the data exposed in the database leaks that surface from time to time.
Two-factor authentication via SMS: what is the risk?
First, let's look at what this form of two-factor authentication is. It is a way to add security to your account, making it harder for unauthorized third parties to get in. Besides your login and password, the service checks that you are really you by sending a text message (SMS) with a code to your registered mobile number and asking you to enter that code when you log in.
SIM swap lets someone else receive that SMS and get into your account anyway. Worse, some services also use SMS as the channel for resetting a password, so the attacker does not even need to know the password: the phone number alone is enough to take the account over.
With that kind of access, someone can use your WhatsApp account and your email, reach your contacts and even your bank app. This enables a sadly common scam today: the attacker, impersonating the victim on WhatsApp, asks the victim's contacts for money. Because the money goes to an account opened in someone else's name, by the time the scam is discovered the losses may already have been made.
It is also possible to reach a person's message history in certain applications, such as WhatsApp. The recent intrusions suffered by Brazilian authorities that led to their communications leaking, however, were carried out with a different and even more common technique involving VoIP, and ANATEL has already taken steps to prevent that technique in Brazil.
How to protect yourself from SIM swap
Two-factor authentication should still be used, but wherever possible not with SMS as the second factor. Here are 3 alternative means of 2-step verification:
Apps
A secure and convenient way to add an extra layer of protection to your account is to install an authenticator app such as Google Authenticator or Authy.
In online services that offer this option, you register a device (a mobile phone or computer, for example) as your authenticator by scanning a QR Code that the service generates; the code carries a secret shared between the service and the app, and you confirm the link by entering the first code the app produces. From then on, the authenticator app generates codes for that account, be it Instagram, Facebook or another service. The codes renew quickly and a fresh one must be entered each time you log in to the account you registered in the app. Crucially, the codes are computed on your device from the shared secret; nothing is sent over the mobile network, so a SIM swap gives an attacker nothing.
For example, if I have this 2-step verification method enabled in Gmail and want to open my email on a new device, it will ask for my login, my password and then a code that is only available in the configured authenticator app. In Authy, as in any app following the TOTP standard, each code is valid for a 30-second window, and a current code must be entered to gain access to the linked account.
PIN
WhatsApp does not support authenticator apps, but it offers a two-step verification PIN. It is a 6-digit number that the user memorizes and that WhatsApp requires whenever the number is registered on a new device, which is exactly what an attacker has to do after a SIM swap. The app also asks for the PIN occasionally during normal use, which helps the user remember it.
Token
Few services offer this form of authentication, the most common case being access to bank accounts. The token is a small USB device, similar to a USB stick, that holds a digital key and also requires a PIN to be unlocked; some banks offer it to their customers as an extra layer of security.
This is a very secure form of authentication because, beyond the login data and the PIN, anyone trying to access the account must physically hold the user's key.
So knowing the risks of SIM swap should not be a cause for despair, but a reason to move your protection to more effective methods. Interested in other measures to secure your data and communications on the internet? Read our 6 information security tips in this post!
The views and opinions expressed in this article are those of the authors.
Head of research and researcher at the Institute of Research on Internet and Society (IRIS), PhD candidate at Law Programme of Federal University of Minas Gerais (UFMG), Master of Law on Information Society and Intellectual Property by Federal University of Santa Catarina (UFSC), Bachelor of Law by Federal University of Santa Maria (UFSM).
Member of research groups Electronic Government, digital inclusion and knowledge society (Egov) and Informational Law Research Center (NUDI), with ongoing research since 2010.
Interested in: information society, law and internet, electronic government, internet governance, access to information. Lawyer.