Why T-Mobile’s Hack is So Terrifying: A Primer on SIM Swapping Hacks

Episode Resources:

• Resilience Cybersecurity & Data Privacy

• 8 Useful Small Business Cybersecurity Tips You Need to Know – Resilience Cybersecurity & Data Privacy

• How To Destroy Perfectly Good Cybersecurity Policies – Resilience Cybersecurity & Data Privacy

• Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 – Krebs on Security

• What is SIM swapping? SIM swap fraud explained and how to help protect yourself – Norton Security Blog

• Why Phone Numbers Stink As Identity Proof – Krebs on Security

• What are SIM swap attacks, and how can you prevent them? – 1Password Security Blog

• How to Protect Yourself Against a SIM Swap Attack – WIRED

Episode Transcript

Brian: Hey everybody. Thank you for joining us here on the Fearless Paranoia podcast where we seek to demystify the complex and confoundingly confusing world of cybersecurity. I’m Brian, the cybersecurity attorney.

Ryan: And I’m Ryan, the cybersecurity architect.

Brian: And we actually have a subject today that is something that Ryan is much better at introducing than I am. So, Ryan, tell us a little bit about what gets us to our topic today.

Ryan: Well, we come in the past episodes that we started talking about T Mobile and some of the challenges that were faced there through their recent breach, one of which is that numerous pieces of personally identifiable information about their customer base were released as a result of this breach. Normally, you think to yourself, well, that information may or may not be overly useful. I mean, name, address, phone number of a lot of T mobile’s customers, that information should be relatively readily available online already from either previous breaches or just public data. But what really ties this in and makes this interesting is it opens up a new avenue of attack that a lot of people aren’t inherently familiar with. And it kind of goes hand in hand with defeating some of the particular techniques that we’ve talked about in other episodes that are used to help safeguard your account stuff like multi-factor authentication, using things like a text message to secure an authentication means what T mobile’s breach inherently does, that opens up a new avenue that we’re gonna spend a little time talking about today, and that is SIM Swapping. And so SIM Swapping is in short, the type of attack where a user’s using a telephone for some sort of method, some sort of piece of the authentication chain, typically, it’s either going to be receiving a phone call for a verification check, or more commonly receiving an SMS or a text message with a code that they will then use to respond back to be the second factor of authentication. So, the SIM Swapping actually occurs when they try to hijack the use of that second factor method. So, in order to get into your account, typically, its username, password accounts access. We’ve always talked about putting up multiple factors of authentication to help really increase the security level of that account. But if one of those is a text message, that means that in order for someone to get into your account, they now have to either get that text message or that code from you or they have to find somebody to intercept that transmission, which is exactly where SIM Swapping goes. SIM Swapping is really the short version is when they take the information that you use to produce your account. And also, coincidentally, the information that you used to work with T Mobile or whoever support to identify yourself to them to make changes to your account. And they actually do just that. They impersonate you and they make changes to your account and have your account ported to a new SIM card. A SIM is the Subscriber Identity Module. That’s the hardware that’s used by your phone to identify you to the carrier when you communicate with the tower.

Brian: Just to be clear, I think most people are probably at least familiar. If they’re not familiar with the term SIM card, they’re actually familiar with the device, even iPhones now basically, it’s you’re changing the physical card from one phone to the next. It’s the tool that essentially identifies you to your carrier when you go from one phone to the other. So, it is something that most people now do handle, even if they may not appreciate what it does.

Ryan: Absolutely. And you do this every time you change phones. So when you upgrade from one iPhone to the next one, Android phone, whatever to the next, you’re either going to take your existing SIM card from your old phone and move it to your new phone, which will then seamlessly transfer that service, or at least the service connection from your old phone to your new therefore disabling your old phones ability to use the cellular connection and handing that off.

Brian: And I think one of the important things to bear in mind is when it says transferring the service, it’s almost easiest, although this is not a complete explanation. But the easiest way to think about it is transferring your phone number basically it’s your account is what brings your phone number and the ability to use that phone number to connect from one phone to the next.

Ryan: Being older like we are I like to think of it as the old switchboard when you had the old switchboard operators back in the day and the old PSTN networks and they would actually physically pull a plug from one side to the other to finish establishing that connection. Well, effectively. This is the identity module that allows the phone to establish the connection to the tower and the service to receive that communication. And that’s what tells the tower itself. This is the user we’re trying to contact on the other end. Because phones are portable, you can swap SIM cards, if you and I swapped SIM cards between our phones, we would effectively my service would light up on your phone, your services light up on my phone within reason there’s other small pieces that will, we won’t get into the caveats, but we use the same process every time we upgrade. And that’s really where the vulnerability of this comes into play is during that upgrade. Portability of phones is a very common thing nowadays. It’s very, very common to see people upgrade phones or swap phones and so carriers have become very lacks on the regulations and the restrictions as far as how do we secure our you know, defend those transactions from abuse or from social engineering. So, in this case, if you’re going to at the user level, contact T Mobile and say hey, I’d like to transfer my service you know, I ran over my phone and I stamped my SIM card, so I got a new SIM card. Here’s the ID number for it. I need you to transfer my service well now T Mobile’s rep thinks, well, we can’t just do that, because obviously, I can’t verify you just by your voice on the other end of the phone. So, let’s go through some account validation, read me your address, or your social or your whatever other identification information is tied to your account here that I can use to do secondary validation. But all of that information was lost in the breach. So therefore, impersonating a user on the T Mobile Network, if you’re an expert social engineer is getting to be more and more of a trivial process, which again, makes it easier to exploit processes like these where all you have to do now is get a batch of blank SIM cards and a phone and you can effectively sit and SIM Swap people all day long.

Brian: Okay, let me just jump in real quick here. Because the way you just explained it actually just sort of triggered this, I don’t know, we’ll call it just a lightning storm of revelation and pain in my head when you said that T Mobile because of the fact that they had all of this information on all of their users that got taken for whatever reason, and yes, believe it or not, I am a privacy and security professional for whatever reason, that’s the first time that I’d really thought about the fact that not only did they lose all the information that they’ve collected on you, for the purposes of operating your services, they’ve lost all the information that they’ve collected on you that they can use to verify you are who you are. And they’ve lost that data to people who want to use that data maliciously.

Ryan: For that very purpose. For identifying as you, impersonating you. And yes, there’s very, very few things to stop them from getting in the way of this, I don’t know the full extent of…

Brian: I’m suddenly very disturbed that even though I’ve seen articles about this, they tend to exclusively be in tech or security publications, not in any mainstream discussions about what this can really mean. I personally think that SIM Swapping may be one of the changing phones, moving your SIM card from one card to the next may be one of the most common ubiquitous things, it may be one of those few things that we all have in common. And now all of a sudden, despite the fact that no one has really talked about it on a general news level, this is something impacting millions of people.

Ryan: Absolutely, and millions is right on the money. Now typically, SIM Swapping attacks tend to be a little more challenging than kind of your average like hit and run style cybersecurity attack or exploiting a basic vulnerability. It would amount to something similar like doing vulnerability scans broadly on the internet looking for an exploitable hole that you can jump in and then jumping in it when you get there would be similar to like a phishing attack where you just broadly sweep and you wait for somebody to respond somebody to be gullible or vulnerable to those type of attacks. spearfishing is like the counter to generalized phishing, where you’re actually targeting an individual with specific information to really kind of increase the likelihood of the vulnerability taking a factor being successful.

Brian:   You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms. Also, please share this podcast with anyone you think would find it helpful or useful. We rely on listeners like you to help get the word out about this show, and we appreciate the support. Now, time for some more cybersecurity…

Brian: Well, we’ve talked on this podcast several times about how a lot of these data breaches make things like spear phishing easier because they reveal more information about you that makes it easier to tailor one of those attacks.

Ryan: Yeah, absolutely. And so from this side here, to me, SIM Swapping is a much more personalized attack much more like a spear phishing, it doesn’t need to be. And it doesn’t say that in all cases, it will be but to me, if you’re gonna go through the effort of social engineering to break into an account with a service, like T Mobile, you may not succeed the first time, you may have to put in pretty significant effort to actually get it to work. But once you do get it to work, you’ve got in most cases that kind of a timeframe that you have to work with it. At some point, a user will notice that their cellular service has gone down, they’ll reach out to the carrier, I’ll say, well, yeah, we ported this over to your new device user, they’ll say, well, I don’t have a new device. And then they’ll start that whole process of debugging what happened, but in that interim is when things will happen. And that’s when they usually typically act, that’s when they’re going to try and use the ability to intercept those text messages to get into your accounts to see if they can reset some of your password and see if they can use those MFA checks to their advantage to do exactly those type of things. Having the SIM Swap doesn’t necessarily give them access to your phone or the data and things on your phone. But it gives them access to the communication layer of your phone, which means they can receive phone calls on your behalf. They can make phone calls potentially on your behalf, they can receive and send text messages on your behalf at least during the time that service is there. So, there is some opportunity as well for them to not just abuse the attack vector to get into your credentials. But if they have any other credentials or methods of contact for people that they can abuse that trust layer to send text messages with links, perhaps in them to everybody that they know that’s a contact of yours. If they have a contact list somewhere. That would be a really nice way of sending that out. Again, you might not click on a link from a phone number you don’t know but you’re much more likely to click on a link from a phone number from somebody that’s very close to you, especially if somebody say let’s say somebody said so. asked me and sent you a link free iPhone. I mean, you think of me like, why would Ryan send me a link this, hopefully, maybe you should be safe, there might be a likelihood that you might click on it, I hope you wouldn’t but and I won’t ever send you links via text message. But it’s one of those things, you abused the trust layer behind that. And that’s where the social engineering piece layers on top of the technological piece to really kind of make a devastating attack towards an unprepared person.

Brian: Well, yeah, that’s the thing I was going to mention is that it leaves people who trust I mean, I guess you go back to the whole thing, saying a bank will never call you and ask you for a login information, financial institutions, or how anyone else who’s got your information as security in place, they will never reach out to you and ask for that information. And you should always be the one if you’re going to give information, make sure you’re the one making the call, if you’re going to give information, make sure that you’re the one initiating the conversation makes it kind of dangerous when someone can use a phone number saying I’m from this trusted source. And then when the person calls back, they’re able to essentially stand in as that phone number that is a potentially catastrophic security breach for most people, because most people wouldn’t be in a position to say that, okay, I’ve called you and you’re not who I think I’m calling. Now, the flip side of that is, it’s probably going to be pretty unlikely that a financial institution is going to have a phone number that could be subject to a SIM Swap attack. But that’s almost why it seems like you increase the potential vulnerabilities because the small companies, the small businesses, the professional services, who may operate from a cell phone, the ones who you wouldn’t suspect hackers from having gone all in on because who hacks small, you know, shingle out the door CPA or law firm. But when you’ve got a specific target, you can go after small, very specific organizations. And that can be very dangerous.

Ryan: And a lot of times those specific targets, if they weren’t generating the kind of attention that somebody like this is going after a lot of times, they usually have extended measures in place to protect whatever it is that others may attempt to come at. But it’s those secondary layers that are ripe for abuse. So again, when target was one of the original ones that got hacked back in the kind of late or late 2000s. Feels weird saying that, but the late part of the first 2000 are the first decade of the Yes, whatever they call those, it wasn’t actually target directly, they got hacked, they were hacked through a vendor that got compromised and a vendor account that was compromised. So again, they will take any opportunity to exploit any layer that is available. And that usually means a lot of those downstream layers that are often easily ignored, and usually, in most cases very overprivileged, also that tend to be the easiest to exploit.

Brian: And thinking that anyone would be invulnerable to this kind of scam is also pointless. What are some of the examples of how this has been used and how this has affected users in the past? Just to start by saying Jack Dorsey’s Twitter account, Jack Dorsey, as in the founder of Twitter had his Twitter account hijacked because someone SIM Swapped his phone. This is not something that only happens to every day non tech savvy users, this can happen to anyone.

Ryan: As a matter of fact, some of the most high-profile cases tend to be reported like in the EU, there was a huge celebrity SIM Swapping ring that was torn apart that was responsible for I believe it was either 60 million or a bit over 100 million worth of bitcoin and other assets that were pilfered through SIM Swapping against celebrities. Other high value targets, I think they said in 2021 was the last major statistic, I heard that in 2021, there was like $250 million worth of potential losses that were attributed to SIM Swapping attacks as being one of the initial entry points, the list is going to continue to grow, especially as we start seeing cases like T Mobile and timely enough right now AT and T just entered the news, large breach as well. So now that Verizon T Mobile and AT and T have all been hit, we’ve hit pretty much the three major primary carriers in the US and…

Brian: I was gonna say it just keeps sounding better and better that we keep winnowing down our available providers.

Ryan: And I think that’s why it’s important that you start looking at SIM Swapping as being a realistic strategy nowadays, which means that looking at things like two factor or multi-factor based on something like an SMS message is probably outdated at this point. And again, it’s probably better than having no two factor or no multi-factor. But we should start moving to things more like phishing resistant level MFA methods like hardware keys or authenticator, applications or those kinds of things, but they all come with their own inherent challenges and problems as well. So again, it comes down to just making sure you have good layers and just good diversity throughout your whole security ecosystem.

Brian: Yeah, that was one of the things when we talked about MFA, we didn’t really get into the difference between basic MFA and phishing resistant MFA. A lot of cybersecurity regulations have been released in the last six months make strong case MFA that is not phishing resistant must be considered differently and as inferior to the phishing resistant MFA and the SMS and emails to your phone and anything using your phone number as a way to confirm authentication on multi-factor authentication is a weaker form of MFA. And obviously, it’s one of the major reasons why this is explicitly exploited. What are the potential long-term risks or consequences to SIM Swapping becoming such a common and pervasive form of attack.

Ryan: I think the future that we’re looking at with SIM Swapping is I think SIM Swapping is going to be going to continue to become more prevalent and more common. I think that unless the carrier’s really step up and start to produce better procedures, better policies on how to guarantee that level of identity to do users may be required that bowl SIM Swaps, things moving from service from one system to another required to be done at the store level, require physical identification, start looking at opportunities like that, again, that’s not a perfect method either. But they’re gonna have to work together independently or together to start refining those processes to make sure that we lock that down because realistically, that’s a system that only they have control over notoriously those industries that are that large, and that complex tend to be quite slow to catch up and move through regulations and protections. And so at this point, I would say that we’ll continue to see a rise in this until at which time they’re really forced to kind of go down the route of further security measures transactions.

Brian:   You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.

Brian: That’s interesting, which says mean in reality SIM Swapping really is you’re the victim. And generally speaking, other than being alert to the possibility of SIM Swapping occurring, you’re not the target of the activity your phone carrier is and I know a lot of people aren’t going to enjoy hearing this. But the bottom line is is it’s going to come down to how easy it is to fool the call center rabbit the hackers speak to in determining whether or not this is successful. Now how long it is successful for is probably going to depend largely on the victim, the person who owns the phone depending on them understanding and knowing what it means and how they can detect when something like this has happened. And also, the defenses one could put in place. Obviously, with T mobile’s hack giving all the information T Mobile has to identify and authenticate you, that sucks. There’s not a lot you can say to anyone, you could have been safe and sparse with your use of personal information on social media and never shared a lot of this information. And yet all the information that can be used about you is taken in this hack. But in most cases, making sure that you’re not putting easy answers to these authentication questions on the internet and available is going to help you not just in SIM Swapping, it’s gonna help you in a lot of contexts.

Ryan: One other thing you can do with the carriers to which a lot of standard users and just don’t do in the cellular industry is something you can do the same way you can in the credit industry in the credit industry, you can put a pin on access to your account and you can put a pin on access to your account through your carrier as well. It may not be the best mechanism in the world. But it is one more thing that would put a layer between a potential social engineer and the call center that only you and T Mobile should potentially have access to. And that should be in theory, if they follow their procedure properly healthy one more hurdle in the way of preventing, you know, general account takeover from social engineering side.

Brian: Yeah, one has to wonder whether or not there’s legal implications beyond simply complying with what they may have posted as their own policies for companies like T Mobile in situations like this, just like let’s face it. I think most people in this country who were conscious of what happened with Equifax in 2017 don’t believe that there was any substantial justice meted out against Equifax despite the fact that it was demonstrated over and over and over again, that they were explicitly negligent in how they collected and held personal information of those 150 million people. But the problem was because an individual is not the customer of a credit reporting agency, there were much more limited ways that Equifax could be punished for their negligence, even though they are explicitly subject to one of the few privacy laws, this country has the Fair Credit Reporting Act. So it’s difficult to see how a company like this is going to be held responsible beyond damage to reputation. And then of course, if all the major companies are all hacked, and equally damaged, how does that help anybody. So it’s going to have to be about making sure that you keep yourself safe in as many ways and from as many fronts as possible.

Ryan: That’s exactly it, which means we have to take security out of those untrusted hands and start putting them back into methods and mechanisms that are more back directly in our control. So again, you can’t guarantee that phone service is going to make it to your phone because that’s a responsibility of the carrier, you only play a small portion in that transaction, and you don’t have management control over it doing something like using a hardware token. Once you’ve purchased that that’s your device you own that you own the, you know, the entirety of the device, all of the procedures around it. And so that becomes your connection, your direct connection back into those accounts that only you can validate and you’re just using a technology that was paid for as the tool to access that. So, I think that’s just where the conversation is going to continue to kind of go, that will happen at both a personal and an enterprise level. It’s unfortunate that we have to kind of pivot again so quickly. And I think that we’ll continue to see constant pivots in the security industry, because even the most phishing resistant of MFA types will eventually become vulnerable to some process, some policy, something somewhere, there’s always a zero-day waiting in the winds for just about everything. So, I think the biggest key with security is just understanding that the internet is going to be one of those places where a lot of our personal data is going to be, we have to be careful about what data goes out there. And we have to be just mindful at all times about the susceptibility of that data to different vulnerabilities that usually will be outside of our control.

Brian: I think that we’re in a situation where we always have to be mindful that security is somewhat out of our hands. So, to keep what is in our hands front and center in our daily habits and practices. Well, that’s all the time we had to talk about SIM Swapping today. There are undoubtedly aspects to this type of cyberattack that are going to be a part of things we talked about in the future, just as there are aspects that have been relevant to things we’ve already discussed. We hope you’ve enjoyed the episode. We hope you found the information interesting and useful. If you’ve enjoyed what you’ve heard, subscribe to us on any of your favorite podcasting platforms. Also, if you think there’s anyone who could benefit from this information, go ahead and share it out as much and as often as possible. Ryan, do you want to take us out?

Ryan: Yeah, absolutely. Our podcast is only as successful as the information that gets to you and your guys’ willingness to absorb it. So please like, share, subscribe, all those wonderful things, make sure that you help us get that message out there so we could do our best to help keep the world safe from the looming threats that exist in the cybersecurity landscape. On behalf of Brian, our attorney and myself the cybersecurity architect, we are going to do our best to continue to break down these complex topics of cybersecurity into manageable digestible chunks so that you the listener can be secure and safe. On behalf of Fearless Paranoia. We will see you guys next time.