
SIM Swapping and 2FA Bypass Attacks

Hwei Oh
05/21/2025

In previous blogs, we’ve highlighted the dangers of mobile devices at work, especially given the widespread use of BYOD (“Bring Your Own Device”) policies in organizations. Mobile devices, at minimum, risk exposed data, data breaches, and account compromises. Businesses can implement Mobile Device Management (MDM) and 2FA to mitigate the threat, but neither of these is foolproof, especially as more sophisticated attacks can break these measures easily.

Even 2FA, which is normally thought of as an effective mitigator of attacks, isn’t enough. SIM swapping and 2FA bypass or interception attacks are highly advanced methods that seek to target 2FA blind spots or vulnerabilities, leaving businesses exposed if they don’t have the right safeguards in place.

In this article, we dive deep into each of these attack types, what they are, and how they work, and also provide effective measures you can take to protect your business from them.

SIM Swapping: Full Device Takeover

SIM swapping, or SIM hijacking, occurs when a fraudster transfers your phone number to a SIM card they control, enabling them to intercept calls and texts, including security codes from banks and other institutions.

The attack is done remotely and is often highly targeted. Once successful, the cybercriminals control your phone number, meaning they receive 2FA codes and can access accounts secured with SMS 2FA.

The attack occurs at the mobile device service provider—so no physical access to the device is required. In some cases, hackers bribe mobile operator employees to carry out SIM swap attacks.

Consequences of a SIM-swap attack

SIM swaps are sophisticated attacks usually aimed at high-value targets. Threat actors collect a target’s personal information via social media, phishing, or the dark web. Once they have enough information, they can reach out to the mobile service provider, impersonating the target.

A SIM swap attack is initiated via identity fraud, so the more personal data the imposters have, the easier it is to successfully execute. These fraudsters often look to obtain birth dates, physical addresses, social security numbers, and any other related personal information. With enough data, a hacker can convince the mobile operator to swap a SIM from the actual SIM to the hacker’s fraudulent one.

Once successful, the target’s “old” SIM will no longer function. Telltale signs that a SIM swap has occurred are a loss of phone service, an inability to make calls or send texts, or notifications from your carrier about SIM or device changes that you didn’t authorize. Depending on how quickly an attacker moves to compromise accounts, you may lose access to bank accounts, social media accounts, and even your email. The danger of SIM-swap attacks is that SMS 2FA codes are sent to the attacker, meaning they have full access and control.

These attacks are extremely dangerous and can lead to devastating financial consequences. They can also lead to reputational damage if the hacker logs into your social media accounts and starts posting.

How much damage this attack can incur depends on how fast an attacker moves. To resolve it, victims need to reach out to their mobile service provider and reverse the SIM swap. Unfortunately, the time it takes to do this can be lengthy, and a lot of the damage can occur in the interim.

Preventive and proactive measures are available for this type of attack. Here are some examples to minimize the effectiveness of these attacks:

  • Many mobile operators allow customers to set up a PIN or password that must be supplied before significant changes are made to an account. With a unique PIN or password in place, a hacker cannot complete the swap even with enough personal data.
  • Use non-SMS verification methods. This doesn’t prevent a SIM swap, but it limits the damage if one occurs, because intercepted texts are useless for 2FA purposes.
  • If a mobile service provider offers it, turning on a callback to the number registered on the account before significant changes are made can also alert victims to a potential attack.

In a business context, the above points are table stakes, and any mobile device user should utilize a mobile operator that offers a callback or PIN service. For security leaders, it’s helpful to make employees aware of their options, but it’s impossible to enforce such policies on users’ personal devices. That’s why a mobile MDR service that detects device anomalies is so crucial.

2FA Bypass Attacks

2FA has largely become the norm for many services. An individual logs in and then must take an additional action to authenticate. The additional action might be clicking a link in an email, typing in a code, or using some form of biometric verification, such as fingerprint or facial recognition.

Various channels exist to deliver the additional code, such as email, SMS, and authenticator apps. The most common are email and SMS, but they are also the riskiest.

2FA sounds great in theory, but it has repeatedly proven to fall far short of the mark when trying to prevent targeted account compromise attacks. Hackers have become experts at intercepting 2FA authentication, both via mobile phones and other means.

Two high-profile incidents occurred against Chrome and Microsoft 365 users. An all-out campaign targeting Chrome extension developers recently resulted in several malicious Chrome extensions that intercepted 2FA details. The hackers sent phishing emails to Chrome developers, then inserted malicious code into legitimate extensions that would intercept a user’s login flow.

As for Microsoft 365, a cybercrime group called “Sneaky Log” distributed a phishing-as-a-service kit via Telegram that allowed subscribers to intercept 2FA authentication when people logged into Microsoft 365.

While these are software-specific vulnerabilities, mobile devices are especially at risk of 2FA bypass attacks, especially SMS-based 2FA. Here are some of the major methods used to intercept 2FA codes.

Social Engineering

The human element remains one of the weakest links in cybersecurity, and hackers are very much aware of this. Phishing is largely successful because of human errors and fallibility. The more data a hacker has about someone, the easier it becomes to use social engineering techniques to manipulate that person.

Hackers might pretend to be a colleague in need, or hack into an executive’s email account and then send a message to the victim to “please share the code you just received!” If the hacker sounds desperate enough, the victim might share the code. Such attacks have a surprisingly high success rate, which is why awareness training is so vital.

Another social engineering tactic is the “prompt bomb,” where someone is bombarded with so many 2FA notifications that they eventually approve one, either by mistake or just to make the notifications go away. This was the cause of a widely publicized hack against Uber.
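Prompt bombing leaves a recognizable trace in MFA logs: a burst of push prompts for one user, followed by an approval after several denials. The detector below is an added example, not code from the original post or any SolCyber product; it assumes a simple constructed log format (`timestamp user=... event=...`) and thresholds that a real deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of MFA push events (not from a real product log).
# alice receives four prompts in 90 seconds, denies three, then approves one;
# bob is a normal login with a single prompt and approval.
SAMPLE_LOG = """\
2025-05-21T09:00:01Z user=alice event=push_sent
2025-05-21T09:00:20Z user=alice event=push_denied
2025-05-21T09:00:31Z user=alice event=push_sent
2025-05-21T09:00:50Z user=alice event=push_denied
2025-05-21T09:01:02Z user=alice event=push_sent
2025-05-21T09:01:15Z user=alice event=push_denied
2025-05-21T09:01:30Z user=alice event=push_sent
2025-05-21T09:01:44Z user=alice event=push_approved
2025-05-21T09:05:00Z user=bob event=push_sent
2025-05-21T09:05:09Z user=bob event=push_approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+)$")

def parse_line(line):
    """Parse one assumed-format log line into (timestamp, user, event), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)

def detect_prompt_bombing(lines, max_prompts=3, min_denials=3, window=timedelta(minutes=5)):
    """Return (user, timestamp, reason) alerts for push bursts and approvals after repeated denials."""
    sent, denied, alerts = defaultdict(deque), defaultdict(deque), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, event = parsed
        # Drop events that have fallen out of the sliding window for this user.
        for q in (sent[user], denied[user]):
            while q and ts - q[0] > window:
                q.popleft()
        if event == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) > max_prompts:
                alerts.append((user, ts, "push_burst"))
        elif event == "push_denied":
            denied[user].append(ts)
        elif event == "push_approved" and len(denied[user]) >= min_denials:
            alerts.append((user, ts, "approval_after_denials"))
    return alerts
```

The second rule is the one worth paging on: an approval that follows a run of denials is the moment the victim gave in, and the session it created should be revoked while the burst is investigated.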

Man-in-the-Middle (MitM) attacks

SMS messages aren’t encrypted, meaning an attacker with access to the communications path can read the messages in transit.

The global communications network runs largely on a protocol developed in the 1970s called “Signaling System No. 7” (SS7). This protocol lacks encryption and has repeatedly been proven insecure. A newer protocol called Diameter is unfortunately also largely insecure when misconfigured, leaving organizations vulnerable to MitM attacks.

This attack vector has become so severe that the FBI even sent a message to Americans to “stop texting” because of fears of message interception by China.

Companies should switch to secure messaging options instead, such as apps that use end-to-end encryption.

OTP (one-time password) generator exploit

Some legacy apps have used predictable OTP generators, making it easy for hackers to predict the next number. While OTP generators have become more sophisticated, businesses should remain vigilant about this potential risk whenever signing up for new services.

In the rush to get a product to market, startups might skimp on security best practices, such as opting for a less secure OTP method.

Consent exploits

In “consent phishing” exploits, attackers deceive users into granting permissions to malicious third-party applications. These applications request access to legitimate services like Google or Microsoft accounts, as in the two exploits described earlier.

Attackers can also abuse remote-access permissions, which are designed to let a third party see a device’s activity (think: a support channel offering help for an app). A victim grants permission to view and monitor activity, giving a hacker clear access to any SMS codes the device receives.

This method effectively bypasses traditional authentication mechanisms, as the attacker operates through an application the user has authorized.

SIM-Swapping

Finally, there is also SIM swapping, which we discussed earlier.

How organizations can protect their employees

These attacks aren’t just a problem for individuals. Device compromise is a major problem for organizations, especially when an employer device is targeted. Compromising personal devices can also lead to organizational compromise if employees have business data on their devices.

Security leaders should start with awareness. Knowing these attacks exist, and communicating about them to employees, will improve vigilance. Business owners can also suggest that employees use stronger security practices, like avoiding SMS 2FA, and put in place the safeguards mentioned earlier to protect against SIM swapping. These include additional verification methods or simply locking the account against any changes to the personal SIM.

Protect against 2FA bypass attacks by opting for a hardware authentication method. That is the most secure option, while authenticator apps offer a more reasonable balance between user-friendliness and device security.

The points above will significantly reduce the risk of 2FA and SIM swapping attacks. However, nothing is guaranteed, which is why it’s so vital to invest in a robust, non-invasive mobile MDR solution that quickly takes action if the “wolf gets in the door.”

Modern cybersecurity solutions must take two approaches: prevention and remediation. Mobile MDR answers both, quickly providing feedback if anomalous behavior is detected on a device, thus allowing you to take fast action to prevent damage. Speed is of the essence when a mobile device is compromised.

To learn more about SolCyber’s comprehensive Mobile MDR solutions, check out our mobile solutions page or reach out to us directly.
