Tova Dvorin, community manager at Unbound Technology, on the topic of SIM swapping.
SIM swap fraud has become one of the most common attacks on mobile phone users over the past five years, and the evidence shows that anyone with a mobile phone is at risk. Figures from Action Fraud, the UK's national fraud reporting centre, show that the number of people falling victim to this kind of scam has risen by 400% since 2015 and that it has cost UK consumers more than £10m.
SMS-based one-time passwords (OTPs) have grown in popularity in recent years. This is the familiar authentication method in which a service provider, such as a bank or email provider, sends a temporary code to the user's mobile phone number, and the user must submit that code within a specified time.
Combined with the user's password, this is meant to provide a second authentication factor: on top of something the user knows (the password), it checks something the user has, which in practice is control of the phone number rather than of a particular handset. One of the main reasons for the popularity of SMS OTP is its user-friendliness: users can approve logins or transactions without installing an additional application.
A serious and growing threat
However, SMS OTPs have significant security weaknesses. Beyond the practical problem that users travelling abroad may not receive SMS messages at all, the codes are exposed to SIM swapping, to malware on the handset that reads incoming messages, and to SS7 (Signalling System 7) attacks that intercept them inside the carrier network.
To carry out a SIM swap, a criminal impersonates the victim to the mobile operator, typically using personal details gathered from public sources, and has the victim's phone number transferred to a new SIM in a device the attacker controls. From that moment every SMS OTP for the victim is delivered to the attacker, who now holds the phone number and can complete any login or password reset that relies on those codes, taking over the victim's accounts.
Preventing SIM-based attacks
For enterprises looking for better ways to prevent SIM swapping attacks, the answer is an authentication method that relies on a secret held on the device itself rather than on the phone number. Because the secret inside the mobile phone is required to complete authentication, taking over the victim's phone number gives an attacker nothing.
Several solutions use a locally stored secret, including software one-time password tokens and soft-token SDKs (software development kits). These, however, are exposed to a different attack: the secret can be extracted from the user's mobile device by malware and then used by the attacker elsewhere to impersonate the user's device.
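To make concrete what "a secret on the device" means, here is an added example (not code from the article or from Unbound) of a software OTP token written in Python against the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, with server-side verification that tolerates clock drift and rejects replayed codes. The enrolment step, the one-step skew window and the sample message are assumptions made for the illustration.

```python
"""Software OTP token with a device-resident secret (RFC 4226 HOTP / RFC 6238 TOTP).
Added illustration, not code from the article or from Unbound. Nothing here
depends on a phone number: each code is HMAC(secret, time step), so a SIM swap
gains the attacker nothing. The flip side is that `secret` is a single value
sitting in the app's storage, which is exactly what handset malware steals."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step). Runs on the device."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, digits=6, skew=1, last_counter=-1):
    """Server side. Accepts the current time step or +/-`skew` steps to absorb
    clock drift, compares in constant time, and refuses any time step at or
    before the last one already consumed (replay protection).
    Returns the matched counter (the caller persists it) or None."""
    at = time.time() if at is None else at
    counter = int(at // step)
    for c in range(counter - skew, counter + skew + 1):
        if c <= last_counter:
            continue  # a code for this step was already accepted once
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def enrol():
    """Provisioning (assumed flow): a fresh 160-bit secret is generated and
    handed to the device once, here as the base32 string an authenticator app
    would scan; the server keeps its own copy. The phone number plays no part."""
    secret = secrets.token_bytes(20)
    return secret, base64.b32encode(secret).decode()


if __name__ == "__main__":
    device_secret, provisioning = enrol()
    code = totp(device_secret)  # generated on the device, never sent by SMS
    print(provisioning, code, verify_totp(device_secret, code))
```

The weakness the paragraph above describes is visible in the code: `device_secret` is a plain 20-byte value, and whoever copies it off the handset can call `totp()` on any machine and produce valid codes indefinitely.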
A much better solution would therefore require a local secret (so that SIM swapping is of no use to the attacker) while also strongly protecting that secret from theft by malware. Traditional answers to this rely on dedicated hardware (one-time password tokens or smartcards), which brings significant usability and deployment challenges. A better approach is security software that uses cryptographic authentication.
Cryptographic authentication based on secure multi-party computation (MPC) protects keys and secrets from theft by splitting them into multiple parts, called key shares, and distributing them between the mobile device and a server. The shares are never combined anywhere, at any time: each party computes on its own share, and together they produce the authentication result without either of them ever holding the whole key. An attacker who steals a single key share learns nothing useful, because it is worthless without the other. Furthermore, the shares are frequently re-randomised, so an attacker would have to steal both shares at essentially the same time for the stolen material to be of any use; a share taken earlier cannot be combined with the other party's newer share.
Given the strong separation between users' mobile devices and an organisation's server, this is very difficult. The result is a software-only solution that combines usability with high security. One caveat a practitioner should keep in mind: splitting the key prevents it from being extracted and used elsewhere, but it does not by itself stop malware that fully controls the handset from asking the device's share to take part in an authentication, so user verification on the device and risk checks on the server remain necessary.
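The split-key authentication described above, as an added illustration in Python that is not Unbound's code and makes no claim about their actual protocol: a two-party Schnorr-style signature in which the device and the server each hold an additive share of the private key, each contributes a partial response, and the sum verifies against the joint public key, plus a share refresh that re-randomises both shares without changing that public key. The group (a toy-sized prime-order subgroup of Z_p^*), the SHA-256 challenge, the one-round nonce exchange and the sample login message are all assumptions made for the example.

```python
"""Two-party Schnorr-style authentication with an additively shared key.
Added illustration, not Unbound's code. Toy-sized group (prime-order subgroup
of Z_p^*, Q = 2^127 - 1, built at import time); a deployment would use a
standard elliptic curve. The nonce exchange is collapsed to one round; real
two-party protocols commit to the nonce share before revealing it."""
import hashlib
import secrets

Q = 2**127 - 1  # Mersenne prime M127: subgroup order; key shares live in Z_Q


def is_probable_prime(n, rounds=40):
    """Miller-Rabin, used only to build the demo group."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group():
    """Smallest even k with p = k*Q + 1 prime; g = 2^k then has order exactly Q
    (g^Q = 2^(p-1) = 1 by Fermat, g != 1, and Q is prime)."""
    k = 2
    while True:
        p = k * Q + 1
        if is_probable_prime(p) and pow(2, k, p) != 1:
            return p, pow(2, k, p)
        k += 2


P, G = make_group()


def keygen():
    """Each party samples its share locally; only g^share is exchanged.
    Returns (device_share, server_share, joint_public_key)."""
    x_dev = secrets.randbelow(Q - 1) + 1
    x_srv = secrets.randbelow(Q - 1) + 1
    Y = pow(G, x_dev, P) * pow(G, x_srv, P) % P  # g^(x_dev + x_srv); shares never added
    return x_dev, x_srv, Y


def challenge(R, Y, message):
    h = hashlib.sha256(f"{R}|{Y}|".encode() + message).digest()
    return int.from_bytes(h, "big") % Q


def partial_sig(share, nonce, R, Y, message):
    """A party's contribution uses only its own key share and nonce share."""
    return (nonce + challenge(R, Y, message) * share) % Q


def sign_two_party(x_dev, x_srv, Y, message):
    """Device/server message flow collapsed into one function for the demo."""
    k_dev, k_srv = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    R = pow(G, k_dev, P) * pow(G, k_srv, P) % P  # joint nonce from the public parts
    s = (partial_sig(x_dev, k_dev, R, Y, message)
         + partial_sig(x_srv, k_srv, R, Y, message)) % Q
    return R, s  # a signature under x = x_dev + x_srv, which nobody ever computed


def verify(Y, message, sig):
    R, s = sig
    if not (0 < R < P and 0 <= s < Q):
        return False
    return pow(G, s, P) == R * pow(Y, challenge(R, Y, message), P) % P  # g^s == R*Y^e


def refresh(x_dev, x_srv):
    """Proactive re-randomisation: the parties agree a random r (assume an
    authenticated channel); the device adds it, the server subtracts it. The
    sum, and so Y, is unchanged, while any share stolen earlier is now useless."""
    r = secrets.randbelow(Q)
    return (x_dev + r) % Q, (x_srv - r) % Q


def demo():
    """Returns (fresh signature ok, ok after refresh, stale device share + new server share ok)."""
    x_dev, x_srv, Y = keygen()
    msg = b"login user=alice challenge=7f3a"  # constructed sample
    fresh = verify(Y, msg, sign_two_party(x_dev, x_srv, Y, msg))
    x_dev2, x_srv2 = refresh(x_dev, x_srv)
    after = verify(Y, msg, sign_two_party(x_dev2, x_srv2, Y, msg))
    stale = verify(Y, msg, sign_two_party(x_dev, x_srv2, Y, msg))
    return fresh, after, stale


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The last line of `demo()` is the point of the refresh: a device share captured before a refresh fails to combine with the server's current share, so malware has to exfiltrate both sides within one refresh interval to get anything usable.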
Read the latest edition of PCR’s monthly magazine below: