
How do hackers evade two-factor authentication?


Hackers can evade two-factor authentication by stealing the second factor itself, such as a one-time password (OTP) or a cryptographic key. They can also use social engineering to trick the user into handing over the second factor.

In this post, however, I will discuss a technique that is becoming very prevalent these days: SIM swapping.

SIM swapping costs people millions of dollars per year, and the number of cases is increasing tremendously.

What is SIM Swapping?

SIM stands for Subscriber Identity Module. It is a small card that stores your phone number, contacts, and other information. When you switch phones, you can simply remove your old SIM card and put it in your new phone.

SIM swapping is a technique for hijacking a victim’s phone number by taking over the SIM card that it is tied to. Attackers typically call the victim’s mobile phone provider and impersonate the victim in order to get the provider to move the victim’s number from the victim’s SIM card to a new SIM card owned by the attacker.

Once the attacker controls the victim’s phone number, every call and SMS meant for the victim, including password-reset links and one-time codes, arrives on the attacker’s phone. With that, they can reset the victim’s passwords, access the victim’s email and other accounts, and even track the victim’s location.

Why are SIM swapping incidents increasing?

Because many carriers don’t ask in-depth security questions that fully verify that the caller is in fact the authorized subscriber, SIM swapping is usually not difficult to carry out successfully.

Frequently, the challenge questions can be answered using previously phished data or even publicly available information from social networking sites.

People and businesses have grown accustomed to confirming identity by asking simple questions such as a Social Security number or a mother’s maiden name. Unfortunately, when data breaches involving millions of individuals occur on a regular basis, this approach breaks down completely.

Phishing and insider threats are two further pathways. In the 2019 SIM swap of Twitter CEO Jack Dorsey, the hackers paid off phone company personnel to perform the switch for them.

Who is responsible for the security?

End users have very little control over whether or not they become victims of SIM-jacking. It is primarily the job of the mobile phone company to implement more secure procedures.

Moving away from SMS-based 2FA is a best practice that all businesses can embrace.

SIM-swapping attacks have been going on for more than a decade, resulting in billions of dollars in stolen bitcoin and other financial crimes. SMS-based MFA is probably the most widely used MFA method on the internet, and most individuals don’t have a choice about whether or not to use it.

Mobile providers should take the following safeguards, according to the FBI:

  • Educate employees and conduct training sessions on SIM swapping.
  • Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients’ names.
  • Set strict security protocols enabling employees to effectively verify customer credentials before changing their numbers to a new device.
  • Authenticate calls from third-party authorized retailers requesting customer information.

How to stay protected?

Individuals should also take the following steps, according to the FBI:

  • Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social-media websites and forums.
  • Do not provide your mobile number account information over the phone to representatives that request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.
  • Avoid posting personal information online, such as mobile phone number, address or other personal identifying information.
  • Use a unique password for each online account.
  • Be aware of any changes in SMS-based connectivity.
  • Use strong MFA methods such as biometrics, physical security tokens or standalone authentication applications to access online accounts.
  • Do not store passwords, usernames or other information for easy login on mobile device applications.

References:

https://www.ic3.gov/Media/Y2022/PSA220208

https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html
