How to fend off a SIM-card attack on your cell phone: Kevin Lee
By
on
This is from the series Cookies: Tech Security & Privacy, a podcast
Kevin Lee recently co-wrote a fascinating study about how easy it is for an attacker to gain control of another person’s cell phone. From there, the attacker can use the phone’s multi-factor authentication tool – usually a security code provided over a text message — to do all kinds of damage, including making unauthorized purchases.
As part of the study, his research team managed to fool five wireless carriers, including Verizon Wireless, AT&T and T-Mobile, into moving a customer’s account to a different phone’s SIM card without their permission. He’s a doctoral student in computer science at Princeton, affiliated with the Center for Information Technology Policy.
Link: “An Empirical Study of Wireless Carrier Authentication for SIM Swaps,” by Kevin Lee, Benjamin Kaiser, Jonathan Mayer, and Arvind Narayanan, August 2020.
Transcript:
Aaron Nathans:
From the Princeton University School of Engineering and Applied Science, this is Cookies, a podcast about technology privacy and security. I’m Aaron Nathans. On this podcast, we’ll discuss how technology has transformed our lives from the way we connect with each other, to the way we shop, work and consume entertainment. And we’ll discuss some of the hidden tradeoffs we make as we take advantage of these new tools. Cookies, as you know, can be a tasty snack, but they can also be something that takes your data. On today’s episode we’ll talk with Kevin Lee, a doctoral student in computer science at Princeton. He’s affiliated with the Center for Information Technology Policy, where he embarked on a fascinating study about how easy it is for an attacker to gain control of another person’s cell phone. From there, the attacker can use the phone’s multi-factor authentication tool, usually a security code provided over a text message, to do all kinds of damage, including making unauthorized purchases.
Aaron Nathans:
As part of his study, his research team managed to fool five wireless carriers, including Verizon Wireless, AT&T, and T-Mobile, into moving a customer’s account to a different phone SIM card without their permission. Let’s get started. Kevin, welcome to the podcast.
Kevin Lee:
Hi Aaron. Thanks for having me.
Aaron Nathans:
Thanks for being here. So first, please tell me what got you interested in the area of tech security and privacy. And did you have any experiences in your life that caused you to realize just how vulnerable personal technology can leave us?
Kevin Lee:
Sure thing. I became interested in college after I took an introductory course in information security. In that course, I was fascinated to learn that many of the added security features on the web were a result of this fast-paced cat-and-mouse game between security experts and cyber criminals. I soon joined the security research group there as an undergraduate researcher. And from interacting with the Ph.D. students in the lab, I was able to learn a lot more about the current research at the time and best practices. Let me see. A few years ago, I lost my phone while riding the subway. I had been eyeing a new phone for quite some time, so I was a lot less upset than I should have been.
Kevin Lee:
However, I soon realized that I was signed into my email and various banking apps. And even though everything on the phone was protected by a screen block, it didn’t feel good being one correct entry away from my life being turned upside down. So therefore I had to remotely wipe the device, which also removed the ability to track it. And unfortunately, as with most things left on the New York City subway, I never saw my phone again. But the lesson there is having all of these personal devices, such as a smartphone, also increases your vulnerable surface area, so to speak. So you have to be vigilant not to lose it, and you also need a contingency plan if you do lose your device.
Aaron Nathans:
How do SIM cards work? What are some legitimate reasons that someone might want to swap their SIM card?
Kevin Lee:
So a SIM card is a chip that is inserted into your phone to provide cell service. Each SIM card has a unique serial number. And both the SIM card and device information are used to identify you in your phone network. SIM cards can only be set up once. So you can’t cancel your service and then give your SIM card to a friend for them to set up a new line of service. And they generally can be purchased through carriers, or they could also be purchased off the shelf at retail stores like Target, or even at the Apple store.
Kevin Lee:
There are two reasons that someone might want to swap their SIM card. Reason one, their old SIM card is not compatible with their new phone. So SIM cards come in three different sizes. So it could be the case that you get a new phone and the SIM card slot is too small, so you would want to perform a SIM swap. And the second reason is they don’t have access to their old SIM card anymore. That could either be that the old SIM card is now faulty, or they lost their old SIM card for, in my experience, when I lost my phone, I also had to call up my carrier and have them update the SIM card on my account to a new one.
Aaron Nathans:
So why did you have focus only on prepaid plans as part of this study?
Kevin Lee:
Mm-hmm (affirmative). That’s a good question. So our study involved interacting with company personnel in order to reconstruct the company’s authentication policy. So we were essentially reverse engineering the company policy, and for that, we needed to make sure we were getting the complete picture. So we needed scale, specifically we needed to make multiple interactions, and one from each account to make it unassuming. So we focused on prepaid accounts because they can be registered without undergoing a credit check. And this enables us to scale the number of test accounts.
Kevin Lee:
I will mention that prepaid plans do account for 21 percent of all U.S. wireless connections in 2019. And that equates to about 80 million connections. We also separately did one trial at one of the three post-paid carriers, T-Mobile, AT&T, and Verizon. And I had to use my own name for two of those accounts, and my coauthor’s name for the other one, with his permission. We did report our findings in the paper as well, but those should be treated anecdotally, since it was just one interaction and it may be incomplete. So in summary, we focused on prepaid plans because we can interact on scale, which was needed by our research method.
Aaron Nathans:
I don’t have a prepaid plan personally.
Kevin Lee:
Sure.
Aaron Nathans:
Do I have to worry about this too? Does your research reveal vulnerabilities for people with all kinds of plans?
Kevin Lee:
Sure. So, as I mentioned, this was an anecdotal test, but we did find some insecure authentication methods being used at that one call we made, granted, there weren’t as many insecure authentication methods being used on the post-paid side.
Aaron Nathans:
So what do people stand to lose if they are a victim of an unauthorized SIM card swap? Does this kind of attack happen often in the real world?
Kevin Lee:
Sure. So a SIM swap attack is a targeted attack in which cell service in your phone is diverted into another phone, and attackers do this by contacting your mobile provider impersonating you. They will convince an employee to update the SIM card on your account to a new SIM card in their possession. And this cuts off service on your phone, and now the attacker can receive all of your calls and messages. There are many implications of someone else being in control of your phone number. They’ve essentially hijacked your phone line.
Kevin Lee:
And one big one is they can now compromise these two-factor authentication passcodes that are delivered through text messages. And this gives attackers the ability to break into your online accounts. Now, in regards to the scale of the problem, in the news, we’ve all seen big entities, especially those who have amassed a lot of wealth in cryptocurrencies and whatnot, fall victim to SIM swap attacks. Most notably Jack Dorsey, the co-founder and CEO of Twitter had his Twitter account broken into in 2019, and attackers posted a series of ill-mannered tweets. And that was linked back to a SIM swap attack. So in our research, we actually show that everyone is susceptible to SIM swap attacks.
Aaron Nathans:
Okay. So please describe how your study worked. Which five carriers did you test? And how did you make sure that this was done ethically?
Kevin Lee:
So we wanted to find out whether mobile carriers have policies that allow for our systematic SIM swaps. And so we studied five carriers in the prepaid market, AT&T, T-Mobile, Tracfone, U.S. Mobile and Verizon Wireless. And we generated 10 fictitious identities. And for each one, we signed up for accounts at each carrier. We provided all the requested information and we set up all security measures available. Now, after a week of usage, we called in to request a SIM swap to a new card that we had bought. And we iterated through the authentication challenges presented to us. Now, during these calls, we simulated a weak attacker with the victim’s name and the phone number, and no other private information.
Aaron Nathans:
When you say weak attacker, what do you mean?
Kevin Lee:
An attacker who has to do the least amount of work, or has the least amount of information available. So this essentially gives us a lower bound on the barriers to entry of this vulnerability. If an attacker with no private information, or minimal information, can get into these accounts, then an attacker with more information can definitely get into these accounts.
Aaron Nathans:
So you’re not talking about a highly savvy technological wizard trying to do this, this is just an ordinary criminal who’s done a web search on how to break into somebody’s phone?
Kevin Lee:
That’s correct.
Aaron Nathans:
Okay.
Kevin Lee:
So our simulated attacker did have access to payment logs and call records, which I can talk about shortly. So we did all of this by following a script, and we withheld information if they were not in our weak attacker threat model. And we did that by providing non-answers. And as we mentioned, by simulating a weak attacker, we provide a lower bound for these types of attacks. And why do we do this? Well, we wanted to see if we could do better than just anecdotes in the news. Before our research, it was just assumed that this was a problem with bad actors on the inside of telecoms, or just bad guys visiting stores with fake IDs. We wanted to see if there was a way to quantify this vulnerability. So how easy is it to request a SIM swap? And we wanted to see what kinds of mechanisms are in place.
Kevin Lee:
And here’s where scale comes in. We wanted to ensure consistency. We wanted to take into account scenarios of catching customer service reps on a good day, and whether they would go above and beyond to help us. And we also wanted to see how much of this information can be found just by looking online. So how much of these security questions stemmed from personal identifiable information? Now, in terms of ethics, we did take ethical consideration. We consulted with our university’s institutional review board regarding human subjects research. And we designed our study to reduce and eliminate possible harms. One such measure we took was instead of recording the calls, we took notes on them. And here’s another thing, carrying out an unauthorized SIM swap, or a port out to hijack a victim’s phone number, is obviously unlawful. So in our cases, the same person simulated both the attacker and the victim. So there were no unauthorized transfers going on. And all of our test accounts were at all times controlled by our research team.
Aaron Nathans:
So, when they called customer service, what information were they asked for and how did they talk their way around their inability to give some of this information?
Kevin Lee:
Sure. So we observed providers using the following authentication challenges, and I’ll group them into six different categories like we did in the paper, personal information, account information, device information, usage, knowledge, and also possession. So for personal information, we were asked for the street address, the email address, or the date of birth. For account information, the last four digits of the payment card number, the activation date, and the last payment date and amount. For device information, we were asked to provide a device serial number, or the SIM card serial number. For usage information, we were asked to name recent numbers we had dialed. For knowledge, we were asked to provide a pin or password, or answers to security questions. And finally, for possession, they either sent us an SMS one-time passcode, or they emailed the one-time passcode to us.
Aaron Nathans:
Okay. So, if this was a real attacker, there would be a limit on how much information they would have, now because this was a study, you had all this information. So you had to actually impersonate somebody who had a limit, who didn’t necessarily have all the information. If I’m trying to break into your phone, I don’t have your Social Security number. I don’t know what day you were born. So you had to pretend like you didn’t have certain information.
Kevin Lee:
That’s correct. And yeah, that relates to the second part of the question you’d asked. So in regards to talking around her inability to give information, our callers, our research assistants, followed conversation scripts that we had provided with possible scenarios and responses. For instance, when asked to provide the device information, we told callers to act as if they were unfamiliar with navigating their device settings until customer service moved on. And in terms of providing a date of birth, we instructed callers to say that they were careless when signing up for their accounts and they had input an incorrect date. And it’s also important to note that we sat next to them during these calls, and we would silently provide help to them if needed.
Aaron Nathans:
These carriers, when they’re asking for authentication information, there are some ways that they try to authenticate more than others. One of them in your study was talking about recent phone call information. How would I know, if I was trying to break into your phone, how would I know about your recent phone calls? But there IS a way to manipulate that, right?
Kevin Lee:
That’s correct. So we discovered previously unknown insecure challenges based on manipulable information, and that’s call logs and also payment information. So why is this manipulable? Well, this is information that an attacker can actively create in order to take control over, for instance, payment information. Some carriers allow for unauthenticated refills with refill cards. An attacker can exploit this by purchasing a refill card at a retail store, and then making a refill on the victim’s account. And later when they call in to authenticate, they now know the payment date and even the payment amount. And this doesn’t cost much. You can get a $10 refill card for, well, $10. And that’s well worth it if you know the victim has thousands sitting in your bank account.
Kevin Lee:
And for call logs, attackers can trick victims into calling known numbers. So there are many ways to do this. They can either ring the victim and then hang up, or they could text them to call a certain number. So in essence, bait them into calling a known number. And in some cases we were even allowed to use incoming call records. So if a victim were to as so much answer a call coming in from an attacker, that will show up as an incoming call on the call record, and now their account is vulnerable. So call logs and payment information can be manipulated by an attacker.
Aaron Nathans:
So if the attacker is calling customer service and customer service will say, well, what’s the last call you made to try to authenticate?
Kevin Lee:
That’s correct. They’ll be able to provide that information, or in some cases, name two calls that you recently made in the past 45 days? And an attacker will be able to know this information, because they manipulated it.
Aaron Nathans:
Wow. That easy. You’re listening to Cookies, a podcast about technology security and privacy. We’re speaking with Kevin Lee, a graduate student in computer science at Princeton. On next week’s episode, we’ll talk with Annette Zimmerman, a technology and human rights fellow at Harvard University, specializing in the ethics of algorithmic decision-making, machine learning and artificial intelligence. It’s the hundredth anniversary of Princeton School of Engineering and Applied Science. To celebrate, we’re providing 100 facts about our past, our present, and our future, including some quiz questions to test your knowledge about the people, places and discoveries who’ve made us who we are. Join the conversation by following us on Instagram at EPrinceton, that’s the letter E-Princeton. But for now, back to our conversation with Kevin Lee. So why are security questions typically an insecure method of authentication?
Kevin Lee:
So security questions are insecure because they’re based on personally identifiable information, which is easily searchable. So let’s say a stranger, Alice, wants to break into Bob’s account by resetting his password. And the website asks for Bob’s dog’s name and Bob’s hometown. So Alice sees that Bob has a public photo on Facebook of him and his dog. And in the background is the dog’s food bowl with the name written on it. That’s probably the dog’s name. Alice sees which high school Bob attended on LinkedIn. That was probably in his hometown. So with this, Alice can now reset Bob’s password. Security questions can also be predictable if you can’t find anything on your victim. So according to a report released by Google in 2019, if you’re from South Korea, a hacker could get your birthplace 39 percent of the time with just 10 guesses.
Aaron Nathans:
So do you find the customer service agents are typically too nice in trying to help authenticate during a SIM card swap? When you call these customer service agents, at least in my experience, they’re trying to help you along, right?
Kevin Lee:
Yes, absolutely. I wouldn’t say typically, but there were a few cases. We did also find vulnerabilities in customer service reps, and by extension their interfaces. So two providers did not offer any challenges that our simulated attacker could answer correctly, yet customer service reps at these carriers allowed us to SIM swap without ever correctly authenticating. Now we thought something was wrong with it at our end. Some carriers disclosed personal information without authentication, including answers to authentication challenges.
Kevin Lee:
So in one instance, the representative disclosed the month of activation and the last payment date, and allowed multiple tries at guessing the last payment date. They also guided us in our guess by indicating whether we were getting closer or further from the correct date. In three instances, the customer service rep disclosed the billing address on the account before we even authenticated. And in one instance, a portion of the address was leaked. And in one more instance, part of the email address was disclosed. So what does this mean? Well, customer service agents were given a free rein. And they were subject to coercion or slip ups, even though our conversation script did not directly induce that.
Aaron Nathans:
So what exactly were the results of the study?
Kevin Lee:
Sure. So at all of our calls, at all of the carriers we were able to break in, and at all of the major carriers, we were able to break in a hundred percent of the time. And we had varying degrees of success at the two virtual carriers that’s Tracfone and US Mobile, just because their authentication challenges did not match our threat model. So these challenges mainly fell into three different categories as I mentioned, manipulable information, easily acquired information, or were a result of customer service reps having free rein.
Aaron Nathans:
So even these major carriers, these big names, Verizon Wireless, AT&T, T-Mobile, you were able to break in, no sweat.
Kevin Lee:
That’s correct. And that’s because all of them were using manipulable information as authentication challenges.
Aaron Nathans:
You presented the results of this study to the carriers. Did any carriers change their procedures as a result of the study?
Kevin Lee:
Yeah, that’s a good question. So in July 2019, we provided an initial notification of our findings to the carriers we studied and to CTIA, CTIA is the U.S. trade association representing the wireless telecom industry. And in September of 2019, we presented our findings in person. And after a few months in January 2020, T-Mobile informed us that after reviewing our research, they had discontinued the use of call logs for customer authentication.
Aaron Nathans:
So what steps can individuals take to protect themselves from being the victim of an unauthorized SIM card swap? And what do the companies and policymakers need to do to protect us?
Kevin Lee:
So in regards to protecting against SIM swaps, you can make sure all security measures against account changes are enabled on your account. Some carriers offer the option of heightened security for SIM swaps, such as restricting customer accounts, such that changes can only be made in store with a government-issued ID, or setting a special authentication pin for SIM swaps only. Also, limiting the personal identifiable information that you share online goes a long way as well. So even limiting your phone number. I’ve seen many colleagues who signed their phone number as in their signature of emails, that could put them at risk for SIM swaps.
Aaron Nathans:
Really?
Kevin Lee:
Yeah.
Aaron Nathans:
We all do that.
Kevin Lee:
Yeah. And a phone number essentially should be given on a need to know basis.
Aaron Nathans:
That’s wild. Is it possible when somebody calls to set up their phone account, or just calls customer service, and you just say, I want to add a certain level of security against SIM card swaps? What can you do to help me out?
Kevin Lee:
Yeah. So a good first step would be to call up your carrier, ask about these vulnerabilities and see if there is any security measures available to protect against SIM swaps. So there are also things that carriers can do. They should eliminate insecure challenges such as manipulable information or security questions. And they could also strengthen customer service interfaces to disallow bypass or guessing.
Aaron Nathans:
Websites use multi-factor authentication systems that may be secure in and of themselves, but when you add in the possibility of an unauthorized SIM card swap, it becomes a lot more insecure. Right?
Kevin Lee:
Absolutely. Earlier, I had mentioned that with a SIM swap, an immediate downstream effect is the compromise of SMS two factor authentication, which could lead to account break-ins. So in the second part of this study, we reverse engineered authentication policies of popular websites and determined how easy it is for an attacker to compromise a user’s account, provided that they have successfully carried out a SIM swap on the victim. So we signed up for accounts at each service and examined the multifactor authentication log-in schemes, and also recovery option pairs. It’s important to note that these accounts were not filled out with anything beyond requested personal information. So we found out most of these websites actually, first of all, recommend SMS for two factor authentication. This means that if you get SIM swapped, your two-factor authentication methods can now be bypassed. The attacker would then only need your password, which they could obtain through data dumps, social engineering, or compromising a means of account recovery, such as email.
Kevin Lee:
But more importantly, we found 17 additional websites that allow for account takeover with a SIM swap alone. So these are websites that simultaneously allow SMS for two-factor authentication and for password resets. So an attacker could presumably reset the password on the account and then afterwards go in to login and bypass two-factor authentication since they can now receive the code, and they also know the password. And we notified these websites during the study. And some of these websites did respond by making fixes and reporting them to us. And so what should these websites really be doing? Well, they need to step back and identify all the ways in which things could go wrong. They should implement a secure two-factor authentication option and move away from SMS two-factor authentication.
Aaron Nathans:
The whole thing is supposed to be secure, but a lot of them take the idea of, well, we’ve done our part, the rest of it it’s not our problem.
Kevin Lee:
Absolutely.
Aaron Nathans:
So finally, you and your advisor, Arvind Narayanan, have a new study underway regarding recycling telephone numbers. Can you tell me just a little bit about that?
Kevin Lee:
Sure. So SIM swaps are not the only reason SMS two-factor authentication is insecure. There’s an even more fundamental issue over here. And that’s because phone numbers are finite resources. There are only so many 10 digit number combinations. And with all the current regulation, we’re expected to run out of phone numbers by 2050. And that’s a good thing, without these rules, we would have run out back in 2006, according to some estimates. And so, one of these rules that has been stretching our supply of useful numbers is number recycling. So a disconnected phone number is made available again after some period of time, and that’s standard practice. However, phone number recycling carries with it several security and privacy issues affecting previous owners when the phone number gets reassigned. For example, an attacker can amass personally identifiable information on the previous owners on the web and perform impersonation attacks. And that’s an invasion of privacy.
Kevin Lee:
And here’s a second example. An attacker can hijack existing accounts at online services by performing a password reset and using SMS to authenticate himself. So in one completed part of this study, we empirically examined security and privacy risks of phone number recycling in the U.S. We sampled 259 available phone numbers across two wireless carriers. And for each number we use two different testing methods to look at risk. So in the first method we examined recycled numbers to see if they returned previous owner information at people search services. You’ll notice that this is directly related to an adversary amassing PII on the previous owner of a phone number. And that’s the first attack that I’d mentioned. And of those 259 numbers, a 171 of them returned hits on at least one of the people-search services we used. And method two, we examined recycled numbers to see if they returned linked accounts at six popular websites, including Facebook, Google, Yahoo, and Amazon.
Kevin Lee:
And you’ll know this, that this is directly related to an adversary hijacking existing accounts at online services. The second attack I’d mentioned. And of those 259 numbers, 171 of these also returned a linked account on at least one of these six websites. So in summary, most of these numbers we sampled were particularly vulnerable to number recycling attacks. And what does this mean? Well, it’s very feasible for attackers to carry out these two-number recycling attacks. And so this is an ongoing project. So as next steps we were identifying and examining more threats from number recycling, as well as best practices consumers can take.
Aaron Nathans:
Well, this has been really interesting and maybe a little scary, but information is power. And I really appreciate you sharing your insight with us.
Kevin Lee:
Absolutely. Thank you, Aaron.
Aaron Nathans:
Thank you, Kevin. We’ve been speaking with Kevin Lee, a graduate student in computer science at Princeton. I want to thank Kevin as well as our recording engineer, Dan Kerns. Thanks as well to Emily Lawrence, Molly Sharlach, Neil Adelantar, and Steve Schultz. Cookies is a production of the Princeton University School of Engineering and Applied Science. This podcast is available on iTunes, Spotify, Google Podcasts, Stitcher, and other platforms. Show notes and an audio recording of this podcast are available at our website, engineering.princeton.edu. If you get a chance, please leave a review. It helps. The views expressed on this podcast do not necessarily reflect those of Princeton University. I’m Aaron Nathans, digital media editor at Princeton Engineering. Watch your feed for another episode of Cookies soon. Peace.