In my previous post, I discussed how using two-factor authentication will greatly reduce the risks associated with stolen passwords. In this post, I will share a real-world example of a recent incident and how it affects the types of two-factor technologies you should use.
In February this year, T-Mobile sent out a press release and a text message to all its users warning of a “port out scam.” To carry out the scam, a bad actor impersonates a user while visiting the store of a different carrier, whose employee is in on the scam.
To help put this into perspective, let’s say you are the user who is being impersonated.
The employee at the store uses their own system and enters your personal details, such as your address, which is generally available to public. Your phone number is also needed but that is easy to obtain since your phone number would probably be on your company website, every email you send, on your business cards, on your craigslist post, or even on a waitlist at the restaurant that you recently visited.
The employee then “confirms” over the phone that you are in fact standing in front of them and that they have your driver’s license. A few minutes later, the bad actor gets hold of a SIM card with your phone number on it.
Once this SIM card is activated, two important things start happening:
- Your phone stops working but this will likely happen in the middle of the night, so you don’t notice it for a while. Remember, its daytime somewhere in the world where a phone store is open. This doesn’t have to happen in your time zone.
- The bad actor now is receiving all your text messages.
The second issue is the most troubling.
For most people, SMS protects many secure-access accounts in their lives. If you lose your Gmail password, Gmail sends you a temporary code to reset your password via SMS. All the bad actor needs to do is click “forgot password” and they will easily gain access to your Gmail account.
For many websites, you can easily reset a password via text messaging, and others will require both text messaging and an email confirmation. In this instance, the bad actor now has access to both.
Once they have your email and access to your text messages, the bad actor can start accessing your money, your frequent flier miles, your credit card statements, your pictures, and much more. Many banks also verify your identity using SMS whenever you call them and cannot remember your password. If they want further verification, they email the email address on file which the bad actor also has access. Another very common use of this SIM card scam is to create Zelle transactions in your bank account, which effectively wires your money from your account to anybody with an email address.
For those of you who remember the recent "personal” photos that were released of Justin Bieber, this was exactly the scam that was used to pull his photos off of his cloud provider.
So, what does this mean for you?
As explained in the previous post, NIST quietly changed their security standards for passwords last year. One of the changes they made was to remove SMS from the two-factor standard, and the example I have shared is precisely the reason why.
While your firm should absolutely adopt two-factor authentication, your company should be upgrading to or implementing a system that does not involve SMS. Most applications today that have mobile apps send a signal to the mobile app so that the user can confirm their identity with their phone’s PIN code, fingerprint, or FaceID. This is known as “sign-in verification."
Finally, to mitigate the risk of this scam happening to you, I would highly suggest that you contact your phone carrier (especially if it is T-mobile) and make sure that your account requires a special PIN number to enable a port of your phone number.
Read part one of this post here.