SIM Hijacking: An imminent threat to anybody with a phone


Miscreants recently siphoned INR 4.57 million from Creative Engineers’ bank account. The attackers first compromised the proprietor’s Gmail account and used it to send Airtel an email confirming a SIM swap. With control of both his email and his phone number, they were able to obtain his internet banking credentials and carry out the transfers. The technique they used, SIM hijacking, deactivates the victim’s SIM and moves the phone number to a SIM the attacker holds, so that the one-time codes the bank sends by SMS arrive with the attacker instead of the account holder.

Fig 1: SIM hijacking to bypass 2-step verification

If you have a phone, you are a target.

Other than being a convenient mode of communication, mobile phones also serve as authentication for a variety of services. 

Since passwords alone could not secure accounts, 2 Factor Authentication, tied to an email address or phone number, was introduced to protect sensitive accounts: email, online banking and cryptocurrency exchanges among them.

It is time to assess whether 2 Factor Authentication is still ironclad. Given the success of attacks such as SIM hijacking, attackers have evidently found a way around it too, at least where the second factor is delivered by SMS or voice call.

Overview

SIM hijacking is the process by which an attacker takes over your phone number by having the carrier activate it on a SIM they control. Your own SIM is deactivated in the process and stops working.

Taking over the SIM is usually only one part of a larger scam. To drain your bank accounts or steal sensitive information, the attacker also needs your account credentials; without them, controlling the phone number alone does not get past 2 Factor Authentication.

SIM hijacking is also used to steal sought-after Instagram usernames, which are then sold for Bitcoin. This form of attack, though less common, is worth watching given its potential impact.

Sophisticated strategies to compromise a phone number

  • SS7 and Diameter attacks target the signalling protocols of the telecom network itself. An attacker with signalling access can redirect or intercept the SMS-based tokens, account recovery codes and calls destined for a phone number without touching the victim’s SIM or the carrier’s support staff.
  • IMSI catchers are RF devices that impersonate a base station and intercept (and, in some configurations, inject) the cell traffic of nearby handsets, including SMS codes. This method requires physical proximity to the target.

    Fig 3: IMSI catcher used for SIM hijacking

  • SIM hijacking proper attacks the carrier rather than the network: through conventional attacks on its systems, or by social engineering its support staff, the attacker has the number moved to a SIM (or ported to a carrier) they control. Known as SIM swapping or port-out fraud, it is increasingly popular with attackers because it requires no special telecom access.

Execution of SIM Hijacking

  • In India, attackers often call victims posing as executives from telecom companies, offering better network plans or discounts. Under the pretext of verification they collect your full name, address, phone number, date of birth, the last digits of an identity number such as Aadhaar (or the SSN where that applies), or the answers to your security questions.
  • The attacker then tries to obtain the unique 19- or 20-digit serial number (ICCID) printed on your SIM, and your cooperation with the swap authentication. For example, if you are a Vodafone subscriber, the attacker requests a SIM exchange onto a blank Vodafone SIM they hold. Vodafone sends a confirmation to your phone number, and the attacker instructs you to press the digit that approves the swap. Vodafone then processes the exchange.
  • Once the swap goes through, your SIM stops working and your phone shows no cell reception, while the attacker’s new SIM is fully active and receives everything sent to your number.
  • In most cases the attacker already holds your banking ID and password; the OTP was the only thing missing, and it now arrives on their handset. Control of your number likewise passes SMS-based 2-step verification for Google, Twitter, Facebook, O365, online banking and cryptocurrency trading platforms.


Fig 4: Execution of SIM hijacking

What if the hacker has an individual’s email ID but not their phone number?
  • With your email ID, the attacker initiates password resets on the services where that address is registered.
  • The service offers to reset the password using a link or a secret code sent via email, SMS, or phone call.
  • To reset via SMS or phone call, the prompt shows part of the phone number it will send the code to. How many digits are shown varies by platform, because there is no standard way of masking personally identifiable information (PII) such as phone numbers. PayPal, for example, reveals the first digit and the last four, while other platforms show the first digit and the last two.
  • Repeating this with the same email on other platforms reveals further digits, since each platform masks a different part of the number.
  • A typical Indian mobile number has the form “+91-XXXX-NNNNNN”: the first four digits after the country code identify the operator, and the remaining six are unique to the subscriber. Knowing or guessing the operator code narrows the search; mobile number portability makes this a heuristic rather than a rule.
  • There are many ways an attacker can verify whether a shortlisted number is linked to the email address:
    – Using search engines to check whether you have posted your phone number on a forum, website, etc.
    – Using people-search services such as Pipl or Spokeo, which hold large databases of personal information.
    – Using reverse-lookup services that return the owner of a phone number.
  • By abusing password-reset prompts and brute-forcing the remaining digits with publicly available information, an attacker can recover your complete phone number.
Reverse search

When the attacker starts from a phone number, the process is reversed to obtain the corresponding email ID. Services such as Amazon and Twitter allow a password reset via phone number, and the verification link is sent to the associated email address; the prompt displays a few characters of that address. Amazon, for instance, shows the first and last character of the username and the full domain, and the number of masked characters gives away the username’s length.
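The mask-merging described in the last two sections is mechanical enough to script. The following is an added example written for this article, not CloudSEK’s code: it normalises the partial masks that different services display for the same recovery number, merges them into one template (rejecting masks that contradict each other), and counts or enumerates the candidates left to check. The masks, the email address and the list of four-digit operator codes are constructed sample data, not real numbers or real operator codes.

```python
"""Merging the partial phone-number masks that password-reset prompts leak.

Added example for this article; it is not CloudSEK's code.  Different
services hide different digits of the same recovery number (the article
cites PayPal showing the first digit and last four, others the first digit
and last two).  Merging the masks leaves fewer digits to brute-force, and a
list of operator codes (hypothetical ones below) narrows the rest.  All
masks, addresses and numbers here are constructed sample data.
"""
from itertools import product
from typing import Iterable, Iterator, List, Optional

HIDDEN = "X*\u2022"     # glyphs services use for hidden digits (assumption)
NATIONAL_LEN = 10       # Indian mobile numbers: 10 digits after +91
OPERATOR_LEN = 4        # leading digits that identify the operator (per the article)


def normalise(mask: str) -> str:
    """Reduce a displayed mask such as '+91-9XXXX-XX3421' to a 10-symbol
    template of digits and 'X'.  Assumes a country code, if shown, is
    unmasked, so only the last NATIONAL_LEN symbols matter."""
    symbols = ["X" if ch in HIDDEN else ch for ch in mask if ch.isdigit() or ch in HIDDEN]
    if len(symbols) < NATIONAL_LEN:
        raise ValueError(f"mask too short to be a mobile number: {mask!r}")
    return "".join(symbols[-NATIONAL_LEN:])


def merge_masks(masks: Iterable[str]) -> str:
    """Combine masks of the same number from several services.  A digit
    revealed by any one service fixes that position; two services revealing
    different digits at one position means the masks are not of the same
    number, so the merge is rejected rather than silently guessed."""
    merged = ["X"] * NATIONAL_LEN
    for mask in masks:
        for i, ch in enumerate(normalise(mask)):
            if ch == "X":
                continue
            if merged[i] not in ("X", ch):
                raise ValueError(f"position {i}: {merged[i]} vs {ch} in {mask!r}")
            merged[i] = ch
    return "".join(merged)


def _fits(template: str, prefix: str) -> bool:
    """True if every revealed digit of template agrees with prefix."""
    return all(t in ("X", p) for t, p in zip(template, prefix))


def candidates(template: str, operator_codes: Optional[List[str]] = None) -> Iterator[str]:
    """Enumerate every number consistent with the template: the list an
    attacker would feed to search engines or reverse-lookup services.
    With operator_codes, only heads matching a known code are expanded."""
    head = template[:OPERATOR_LEN]
    heads = [head] if operator_codes is None else [c for c in operator_codes if _fits(head, c)]
    for h in heads:
        body = list(h + template[OPERATOR_LEN:])
        slots = [i for i, ch in enumerate(body) if ch == "X"]
        for fill in product("0123456789", repeat=len(slots)):
            for i, d in zip(slots, fill):
                body[i] = d
            yield "".join(body)


def search_space(template: str, operator_codes: Optional[List[str]] = None) -> int:
    """Size of the candidate set without enumerating it."""
    head = template[:OPERATOR_LEN]
    if operator_codes is None:
        n_heads = 10 ** head.count("X")
    else:
        n_heads = sum(1 for c in operator_codes if _fits(head, c))
    return n_heads * 10 ** template[OPERATOR_LEN:].count("X")


def email_mask_hint(mask: str) -> dict:
    """The reverse direction: what an Amazon-style masked address such as
    'c******s@example.com' still gives away."""
    user, domain = mask.split("@", 1)
    return {"first": user[0], "last": user[-1], "length": len(user), "domain": domain}


if __name__ == "__main__":
    leaks = ["+91 9XXXXX3421",     # constructed: 'first digit + last four' style
             "9XXXXXXX21",         # constructed: 'first digit + last two' style
             "+91-98XX-XXXXXX"]    # constructed: a service that shows two leading digits
    tmpl = merge_masks(leaks)
    print(tmpl, search_space(tmpl))                   # 98XXXX3421 10000
    codes = ["9876", "9845", "9900", "7000"]           # hypothetical operator codes
    print(search_space(tmpl, codes))                   # 200
    print(email_mask_hint("c******s@gmail.com"))
```

Three masks that individually leave five to eight unknown digits merge into a template with four, and a short list of plausible operator codes cuts the candidates from 10,000 to 200, a set small enough to run through reverse-lookup services by hand. This is why the defensive advice later in the article stresses labels over partially masked numbers: every extra revealed digit divides the attacker’s work by ten.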

Tell-tale signs

Fig 2: Sign of SIM hijacking

While it is incumbent on telecom carriers to enforce stringent measures to prevent attacks that target phone numbers, it is also important for us, as mobile phone users, to be able to identify the signs of a SIM Hijacking attack.

You may be the victim of SIM hijacking if you:

  • Lose cell service unexpectedly and for an extended period while others around you still have coverage.
  • Get locked out of your email and social media accounts because the passwords have been reset.
  • Receive suspicious calls in which the caller asks for your personal details or your SIM number.

Preventive measures

Another layer of security, while helpful in the short term, will not be foolproof; as with every earlier control, attackers will eventually find a way around it. In the meantime, how do we shield ourselves against SIM hijacking?

  • Use PIN-based authentication with your carrier. Most carriers let you protect your account with a passcode or PIN that must be supplied before changes such as a SIM swap are made.
  • Use an authenticator app such as Google Authenticator instead of receiving the two-factor code via SMS. The code is derived from a secret stored on your device and never travels over the phone network, so a hijacked number yields nothing.
  • Link sensitive accounts to a separate phone number and keep it confidential.
  • Label email addresses and phone numbers where the service allows, so that the recovery prompt displays a label such as “Home phone” instead of a partially masked number.

Conclusion

As the recent attack on Creative Engineers shows, attackers are increasingly resorting to SIM hijacking, and because our phone numbers are linked to the services we use every day, each of them is a valuable target.

While telecom operators need to bolster the security of their networks and their customer-support processes, as users our best defence is awareness. We can protect ourselves by taking simple precautions and by understanding how scammers orchestrate such attacks.

Charlton Rodrigues
Cybersecurity researcher
Cybersecurity researcher at CloudSEK, supporting the POC team as well. As a speaker he has addressed crowds on topics related to cybersecurity. He occasionally publishes podcasts on fitness and healthy living.
Cyber Intelligence Editor, CloudSEK
She is a Cyber Intelligence Editor at CloudSEK. A lawyer by training and a content writer by choice, she prefers to write on matters concerning current affairs, security, and human frailty.