Hello after a while now. It has been many months since my last post.
Anyway, I want to share some insights about phone/SMS identity attacks, inspired by this T-Mobile complaint on Reddit. There, the customer is a victim of the “phone porting attack”, which only requires some PII on the target and social engineering of the gullible carrier customer care staff.
Following on this, I read a few other articles on attacks around phone identity theft, and there is one good incident analysis article by Coinbase. Here the attacker obtains some PII of the user, calls customer care to set up a phone forward and eventually ports the number to another carrier. It is an incident that took place more than a year ago but is still relevant for some important takeaways, as phone-number-based identity is still very insecure:
- It is fairly easy to obtain PII on individuals online, which is then used to social engineer the customer care staff.
- Customer service provided by mobile carriers is the weak link here. However, one can secure against it with a customer service PIN/password (you need to request it from your carrier). This is also used to protect against “SIM swap fraud” (an older attack), as elaborated here. In short, “SIM swap” or “SIM splitting” is simply calling the customer service line with the victim's PII to get a new SIM card issued in their name.
- There is a good overlap between personal and professional accounts/security. As such, Facebook, Twitter, Google and several other personal/professional accounts can have their password recovery hinge on the SMS verification method, and this should be proactively changed.
- Having a VoIP number that is used solely for account verification/resets, instead of the real number, can prove very useful in the above case. Google Voice has no customer care line and is not susceptible to the other phone network attacks mentioned here.
- The use of password managers to generate long, random strings for passwords is supported by this article for the case in which your SMS 2FA is compromised.
- And, as we all know, moving away from SMS 2FA is a necessity, especially given the difficult-to-detect SS7 protocol attacks (the app called SnoopSnitch can detect them but requires root).