Careful using your phone for 2FA

ISACA Pre-Conference Workshop
ISACA Pre-Conference Workshop: Hands-on Cybersecurity Training
October 1, 2018
CEH Walkthrough
Certified Ethical Hacking Course Training
November 5, 2018

Recent SIM Swapping Scam Exposes Why

Your phone may no longer be a good factor in your MFA (multi-factor authentication) process.

As I finished reading about this case on Krebs and some other places, a few significant points came to mind. Some good and some bad. I’ll list them all out, then dig in with the rest of this article.

  1. Contrary to what it might sound like in some circles, law enforcement and the private sector are working together better. And this case in a lot of ways shows that together they are picking up a nice groove or flow. We’ll see clearly how things happened very quickly. And also how there were several law enforcement organizations and private businesses who worked together to wrap this one up quickly. This includes Verizon, T-Mobile, AT&T, Apple, Google, the FBI, and the Santa Clara CA sheriff’s department.
  2. Because of our dependency and steady increase in how we use our cell phones, combined with a gradual slip back into bad operational security habits, SIM swapping has a much more potential negative impact than in the past, i.e. kinda like when Jason Borne did it right before our eyes in Bourne Identity. Yes i know, technically what he did was a unicorn land version SIM cloning, but..
  3. A friend of mine who is absolutely crypto-currency obsessed has been warning for a while that people should be using hardware digital currency wallets instead of software/apps. Now he’s recommending multi-signature wallets, which is basically a way to require more than one user’s keys to do any Bitcoin transaction.
  4. Service providers such as cell phone service providers, ISP’s etc, need to do a more in regards to regularly providing “anti-social engineering” training for it’s customer service and support staff.
  5. Criminals still do dumb stuff sometimes, which ultimately leads to their capture.

Let’s first examine what actually happened based on the “statement of fact” obtained by Brian Krebs from Google; On August 17th, 2018 Xzavyer Clemente Narvaez was arrested by authorities while being accused of stealing over $1 million USD in digital currency, then using some of it to purchase a $200,000 McLaren. Yes, you read that right. This 19-year-old person, used $200k in stolen digital currency to purchase a McLaren, which is a luxury car.

Car security

Allegedly Narvaez took $150,000 in digital currency from one of his victims, according to the filings from prosecutors. First of all, it should be pointed out that SIM swaps happen all the time, legally. Picture this; the newest iPhone, Google Pixel comes out. You go stand in line at Apple, AT&T, Sprint, T-Mobile or wherever, purchase a new phone, then magically, the new phone has all your stuff coming to it, emails, etc. And you didn’t really have to configure anything from scratch! Awesome! Or you order a phone from Apple or Google, it comes in the mail and you simply turn it on, answer a few questions, then your apps and data (some of it) is already syncing to your new phone. Well, both of those experiences were usually made less painful due to SIM swapping. This is done by your cellular service provider when you “port” your old phone number to a new device or service. Often times it is simply a physical moving of your SIM card from the old device to the new device. Other times it’s a matter of porting your number from your old card to a new SIM card.

So here’s a scenario that explains how he got the digital currency exchange login for the victim.

Step 1 – This can be executed quite easily if the malicious party is an employee of a cellular service provider as was the case with Narvaez. In this step, he simply authorizes the swap, which means he requests that the victim’s number be changed from their current SIM to the new one, which is the SIM in a phone he controls. Another effective method of this is being able to social engineer a cellular service customer service or support agent into doing this for you. Buy a new phone online, call the provider to get it “activated” or have the number swapped to the new device. They will ask you for several pieces of the identity-confirming information, which most of that can be obtained passively through searches using open source intelligence gathering tools, or just Google hacks. The one thing they will ask that most people forget is the PIN associated with the account. Often times we never bother to actually set that PIN and it remains some default value set by the provider. This PIN is never used if you don’t try to make changes to your account over the phone. So the support and customer service agents are used to people not knowing it. Usually, we don’t talk to customer service to make changes, we do it online these days.

Step 2 – Here Narvaez would then go to either your bank login website, email login website or other places of authentication and immediately click the “I forgot my password” option. Here the authentication site/system will usually inform him that to reset the password, they will send a onetime code or link to the mobile phone number you associated with your account when you set it up. You’ve all seen this before right? They only show as the last few digits of your mobile phone. They look like this:

Password Code

Step 3 – Password reset link/code is sent to the mobile phone number via text, which that number is now associated with Narvaez’s SIM and IMEI number. So reset code comes to his phone. It should also be noted that during this time your phone will have no service. So if you’ve experienced times when unexpectedly in areas you normally have great service, you now suddenly see the dreaded “NO SERVICE” message on your strength indicator, it could very well have been this. Yes i know, this happens sometimes due to just interference with the signal etc. But we should at least recognize this as a potential warning.

Reset code

Step 4 – Now armed with the precious reset code/link, Narvaez clicks on the link, resets your email/bank/facebook password.

Password Change

And just that quickly he’s in. Some of the digital currently exchanges require you click on a link you received via email AND enter a one-time PIN sent to your mobile phone. In this case Narvaez would have simply opt’d to reset the password to your email first, which can usually be found pretty easily in public data sets, then follow that up by hitting the digital currency exchange, because at this point, he has access to your email account, which he reset first, and your mobile phone, which is now technically his mobile phone. Because remember, the code is not actually ever sent to your physical phone, it’s sent to your phone number, which can be associated with any physical device via SIM swapping as described in the Krebs article.

Step 5 – At this point, anything that can be reset with your email address, now belongs Narvaez. Also anything that can be reset with a text to your phone is his now as well.

Here’s what I think the implications are in laymen’s terms; We always teach that there are primarily three factors of authentication; something you have (phone) something you know (password), and something you are (fingerprint etc). We also teach that good security means you utilize at least two of these things, hence the popularity of 2FA (two factor authentication). For most of us, our passwords to a site would be the “something we know” factor and our phones serve as our “something we have” factor. Problem is, most of these sites are using one factor to authenticate the other, which technically defeats the entire model. Add to that the fact that your phone is something you have, but your phone NUMBER is not. You only have the number because AT&T/Sprint/Verizon/T-Mobile says you have it right now, but if someone such as an employee at a service provider store, like Narvaez, can simply render you not “having” that number anymore by making a phone call or more likely, entering a code into some terrible SIM swapping authorization application that they use internal to the service providers, then should you really count it as something you “have”? I would suggest not. Maybe call it 1 and 1/2 factor authentication? Or maybe use 2FA for what is was designed for, authenticating a user or entity and not for having one factor authenticate the other.

I would also like to give a shout out to Santa Clara County law enforcement https://www.facebook.com/sccosheriff/ Google, Apple, T-Mobile and AT&T for how quickly they were able round this up and shut it down. Hopefully this will be a part of a model for how industry and law enforcement work together in the future on these types of cases.