COVID-19 is causing many of us to order items online, and we're using online payment methods such as PayPal and Venmo to pay for the items.
In January 2020, researchers at the Center for Information Technology Policy at Princeton University released a study that showed that hackers could take control of users' accounts on those services and others as well.
A problem with multi-factor authentication
The researchers analyzed the multi-factor authentication (MFA) procedures used by 140 online sites that included social media networks, email providers, and enterprise solutions.
Multi-factor authentication is an online security measure: an authentication method that requires two or more pieces of evidence, or factors. Typical factors include:
- Something only the user knows - includes passwords, PINs, combinations, and code words
- Something only the user has - includes physical objects such as keys, smartphones, smart cards, USB drives, and token devices
- Something the user is - includes fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.
The researchers found 17 companies where a phone that had been SIM swapped could then be used to reset an account's password. SIM swap fraud allows someone to take control of your phone, and a hacker can then gain full access to your online profiles on various websites.
The companies that were affected included Adobe, Amazon, AOL, Blizzard, eBay, Finnair, Gaijin Entertainment, Mailchimp, Microsoft, Online, PayPal, Snapchat, Taxact, Venmo, WordPress, Yahoo and Zoho Mail.
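The finding above comes down to one question: if someone holds only your phone number, do the account's reset and login rules let them in? The following Python sketch is an added example, not code from the Princeton study or from any of the companies named; the account policies, factor names and function names are all constructed for illustration, and the model is deliberately simplified.

```python
# Added example: does control of a phone number alone lead to account takeover?
# Every policy below is constructed for illustration, not taken from a real site.
from dataclasses import dataclass, field

@dataclass
class AccountPolicy:
    name: str
    # Each reset path is the set of factors that together reset the password.
    reset_paths: list
    # Second factors accepted at login; an empty list means password-only login.
    second_factors: list = field(default_factory=list)

def takeover_via(policy, held):
    """Return the steps by which a holder of `held` factors gets in, or None."""
    held = set(held)
    steps = []
    if "password" not in held:
        # Find a reset path that needs nothing beyond what is already held.
        path = next((p for p in policy.reset_paths if p <= held), None)
        if path is None:
            return None
        steps.append("reset password using " + "+".join(sorted(path)))
        held.add("password")
    if policy.second_factors:
        usable = [f for f in policy.second_factors if f in held]
        if not usable:
            return None
        steps.append("pass second factor using " + usable[0])
    return steps

def audit(policies, held=("sms",)):
    """Map each account name to its takeover steps (None if the number alone is not enough)."""
    return {p.name: takeover_via(p, held) for p in policies}

POLICIES = [
    AccountPolicy("sms-reset-and-sms-2fa", [frozenset({"sms"})], ["sms"]),
    AccountPolicy("sms-reset-app-2fa", [frozenset({"sms"})], ["totp_app"]),
    AccountPolicy("email-plus-sms-reset", [frozenset({"email", "sms"})], ["sms"]),
    AccountPolicy("sms-reset-no-2fa", [frozenset({"sms"})]),
]

if __name__ == "__main__":
    for name, steps in audit(POLICIES).items():
        print(name + ": " + ("AT RISK: " + "; ".join(steps) if steps else "number alone is not enough"))
```

Only the policies where a text message is enough for both the reset and the login check come back at risk; requiring a second channel for the reset, or an authenticator app at login, breaks the chain in this model.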
The researchers attempted to report the vulnerability to the affected companies via three methods: direct reporting to the company, posting on bug bounty platforms such as HackerOne, and through customer support channels.
Adobe, Snapchat, and eBay acknowledged the vulnerability, and promptly fixed it. Blizzard, Microsoft, and Taxact fixed the vulnerability but did not inform the researchers.
PayPal deemed the researchers' report as being out-of-scope, and claimed that "the vulnerability is not in PayPal, as you mentioned this is an issue with the carriers and they need to fix it on their side."
Three of the four reports given to third-party bug bounty programs were disregarded. Even worse, HackerOne restricts those who have submitted what HackerOne considers to be too many bug reports from submitting new ones.
Five companies, AOL, Finnair, Mailchimp, Venmo, and WordPress, didn't respond to the researchers at all.
How can someone take over your phone?
SIM stands for Subscriber Identification Module, and it is a card with an embedded integrated circuit in it that stores:
- Its unique Integrated Circuit Card Identifier (ICCID) that identifies each SIM internationally
- An International Mobile Subscriber Identity (IMSI) number that is a unique identification associated with all cellular networks
- Security authentication and ciphering information
- Temporary information related to the local network
- A list of those services the user has access to
- Two passwords: a Personal Identification Number (PIN) for ordinary use, and a Personal Unblocking Code (PUC) for unlocking the PIN.
All GSM (Global System for Mobile Communications) phones require a SIM card. For CDMA (Code Division Multiple Access) phones, only newer LTE (Long Term Evolution) phones require a SIM. SIM cards are also used within satellite phones, smartwatches, and cameras.
To convince cellphone carriers to SIM swap, hackers use personal information they get from data breaches, or information they glean from your social media accounts, such as your date of birth or your mother's maiden name.
Another way hackers can take over your phone is by getting you to call two phone numbers. You might receive a call or a text message telling you that you have won a contest and to call a certain number to claim your prize.
The reason for this is that some cell carriers' procedures include asking for two recently dialed numbers if a user can't remember their PIN or the answers to their security questions. Since the hacker will know these numbers, the SIM swap will be granted.
The same Princeton University researchers alerted the "big five" U.S. cellular carriers — Verizon, AT&T, T-Mobile, Sprint and U.S. Cellular — to this vulnerability. Of the carriers, only T-Mobile altered its use of call logs to authenticate customers.
Stories of those who have been SIM swapped
In a February 2018 article, Vice reported on several account holders who had been the victim of SIM swapping by a particular cellphone carrier.
TC, who battled a determined hacker throughout a day, described his experience:
I was alerted this morning about someone trying to access my SIM. I told the rep to lock my account and not allow anything unless I am physically present in the store. 4 hours later my phone is alerted with a "No network available" message. I knew the hacker got through.
[The hacker] ... pretended to be a T-Mobile employee and got access to my SIM. ... I started to get alerts on all my email accounts that my passwords have been changed. It took about an hour to regain control of everything but I am panicked. I am unsure what they were able to grab ... [I am] currently just sitting staring at my email and bank accounts waiting for disaster.
Another user, BW, reported that their carrier SIM swapped their number, and the hacker then promptly applied for a credit card, got a $20,000 credit line, and went on a shopping spree. User HT described having $2,000 drained from her Wells Fargo account through Zelle.
Another user reported losing $2,000 through a bank transfer, and that, "The time it took from having my number 'stolen' to the money being transferred was only 18 minutes."
User MC wrote:
...I lost $5,200 in total, $1,999 from one account, $2,500 from another and $600 in credit card points redeemed for cash. I still haven't gotten my number back and have spent countless hours closing and reopening all my bank accounts, filling (sic) a police report, dealing with banks, credit card companies and [the carrier]. I've had to pay interest on my credit card as all my funds were frozen from Jan 9 to Jan 25th and I'm pretty sure I'll get some check return fees because I didn't change my transfer account for my auto-debits in time.
The best part was [the carrier] sent me a bill and charged me for ending my service and porting out my number. Are you kidding me?!?!
Is my phone hacked?
The things to look out for if you suspect your phone has been hacked are:
- A decrease in battery life - this may be due to rogue apps on your phone using its resources and transmitting information to a server
- Slowed performance - if your phone is freezing frequently, or if certain applications are either crashing or else refusing to close
- An increase in data usage - this can be caused by rogue apps running in the background and sending information back to a server
- Calls or texts to unrecognized numbers - malware may be forcing your phone to call premium-rate numbers
- An increase in pop-up windows - these can include adware, or phishing attempts asking you to type in sensitive information; while you can dismiss a pop-up by clicking an "X", some pop-ups have a faux "X" that actually takes you to a malicious site
- New apps installed without your permission - also if your phone frequently crashes then restarts
- Unusual activity on accounts linked to your phone - if you receive notifications of password resets or new accounts having been opened.
How to avoid being SIM swapped
To avoid SIM swapping, you can link your online accounts to a Voice over Internet Protocol (VoIP) number, such as Google Voice or Skype. Google Voice numbers are not linked to real SIM cards, so they are harder to hijack.
Another method you can use to avoid being SIM swapped is to add a PIN to your cellphone account.
- Go to your account profile, sign in, then choose Sign-in info.
- Under the Wireless passcode section, select Manage extra security.
- Enter your password when prompted.
- Go to this website.
- Sign in to your account then enter the PIN you want, twice.
- Click Submit.
- Set up a PIN the first time you sign in to your My T-Mobile account.
- Select Text messages or Security question and follow the prompts.
- Sign in to your account.
- Click on My Sprint, then select Profile and security.
- Choose Security information to update your PIN or security questions.
During this time of social distancing, it's just as important to take care of the health of your phone and online accounts as it is to take care of your own health.