Wednesday, May 11, 2016

SIM swap fraud targets SMS-based two-factor authentication

Security is a constant cat-and-mouse game between developers/defenders and criminals. I and others have long recommended "two-factor authentication" for any sensitive accounts (email, banks) - you must enter both a password and a code generated either by a mobile app or sent to you via SMS/text message. It is a significant hurdle for crooks.

This method of security is becoming common enough for criminals to come up with ways to defeat it. One such method seen lately in the UK is a so-called "SIM swap" - the crook gains enough information to impersonate you, then calls your mobile carrier to claim your phone has been stolen. Your phone number is re-activated, but on the crook's phone - so the crook now receives the SMS or text codes meant for you.

Multi-factor authentication that uses a mobile app (or a separate token generator) is stronger security, but if SMS is what your bank offers, I still recommend enabling it. It's still far better than just a password.

What you should do

  • Enable any two-factor or multi-factor feature provided by your bank. A hardware token (a physical device generally about the size of a USB flash drive) is the strongest solution, though it's probably not practical to carry token generators for every important account. A mobile app (Google Authenticator and Duo Mobile are popular options) is the next best thing, and even an SMS or text message code still raises the bar that a criminal must overcome. is a great website with links to "how-to" documentation at many, many banks and service providers.
  • Be mindful of the personal information you share publicly. The more a criminal can learn about you (address, current location, date of birth, email addresses, children's names, payment card numbers, bank account numbers, etc.), the easier he or she can impersonate you to a service provider. If the identity thief can convince tech support that they are you, then for all intents and purposes, to that service provider they are you.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.