{"id":514,"date":"2024-09-25T21:27:34","date_gmt":"2024-09-26T03:27:34","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=514"},"modified":"2024-09-25T21:31:52","modified_gmt":"2024-09-26T03:31:52","slug":"an-attack-on-two-factor-authentication","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2024\/09\/25\/an-attack-on-two-factor-authentication\/","title":{"rendered":"An Attack on Two-Factor Authentication"},"content":{"rendered":"\n<p>Passwords have become ubiquitous in our lives as the main tool of account authentication, but relying solely on passwords is not very secure. With so many of the websites we use daily requiring accounts and passwords, many individuals reuse passwords or choose very weak ones, like password123 [1].<\/p>\n\n\n\n<p>If a password is reused on multiple sites and one of those sites suffers a data breach, the leaked credentials can be replayed against the other sites, an attack known as credential stuffing, giving the attacker easy access [2]. Weak passwords, meanwhile, are highly susceptible to brute force attacks [3].<\/p>\n\n\n\n<p>One way to improve the security of your accounts is two-factor authentication (2FA). As the name suggests, two different factors are required to prove that you own the account. The factors are two of the following: something you know, something you have, and something you are [4]. Most commonly, for logins, a password serves as the first factor (something you know) and a one-time password (OTP) sent to the user\u2019s phone by SMS serves as the second (something you have) [4].<\/p>\n\n\n\n<p>Though this is more secure than a password alone, an OTP delivered by SMS is vulnerable to the SIM swap attack, because it is the phone number, not the phone itself, that receives the code.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">But First, What is a SIM Card?<\/h2>\n\n\n\n<p>A SIM card, which stands for Subscriber Identity Module, allows your phone to connect to the cellular network offered by your provider. 
It\u2019s a tiny chip that holds two key identifiers. The first is the Integrated Circuit Card Identifier (ICCID), which uniquely identifies the physical SIM card itself. The second is the International Mobile Subscriber Identity (IMSI), which identifies you as a subscriber and encodes which country and mobile provider you belong to [8]. The SIM also stores a secret key known only to the card and your provider: the network confirms that the SIM is genuine by sending it a challenge and checking the response it computes with that key, so the key never leaves the card. The mapping between your phone number and your SIM, however, is kept in the provider\u2019s records rather than on the card, and that mapping is exactly what a SIM swap attack changes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is SIM Swapping?<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" width=\"775\" height=\"535\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/09\/Diagram-of-the-SIM-Swap-process-Phase-1-attacker-accesses-victims-account-credentials.jpg\" alt=\"Diagram of the SIM swap process\" class=\"wp-image-515 lazyload\" style=\"--smush-placeholder-width: 775px; --smush-placeholder-aspect-ratio: 775\/535;width:803px;height:auto\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/09\/Diagram-of-the-SIM-Swap-process-Phase-1-attacker-accesses-victims-account-credentials.jpg 775w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/09\/Diagram-of-the-SIM-Swap-process-Phase-1-attacker-accesses-victims-account-credentials-300x207.jpg 300w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/09\/Diagram-of-the-SIM-Swap-process-Phase-1-attacker-accesses-victims-account-credentials-768x530.jpg 768w\" data-sizes=\"(max-width: 775px) 100vw, 775px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" \/><\/figure>\n\n\n\n<p><em>Source: Financial Cybercrime: A Comprehensive Survey of Deep Learning Approaches to Tackle the Evolving Financial Crime Landscape (Nicholls, Kuppa and Le-Khac, 2021) <a 
href=\"https:\/\/www.researchgate.net\/figure\/Diagram-of-the-SIM-Swap-process-Phase-1-attacker-accesses-victims-account-credentials_fig5_356887995\">https:\/\/www.researchgate.net\/figure\/Diagram-of-the-SIM-Swap-process-Phase-1-attacker-accesses-victims-account-credentials_fig5_356887995<\/a><\/em><\/p>\n\n\n\n<p>SIM swapping is a targeted attack in which the scammer convinces the victim\u2019s cell provider to move the victim\u2019s phone number onto a new SIM card that the scammer controls [5]. The attacker persuades the provider that they are the victim through social engineering or other means, such as knowing the answers to the victim\u2019s account recovery questions. From that point on, every SMS sent to that number, including one-time passwords and password reset links for any account tied to it, is delivered to the attacker instead of the victim. This is especially damaging for bank and cryptocurrency accounts, where the attacker can use those codes to authorize fraudulent withdrawals [5].<\/p>\n\n\n\n<p>SIM swapping is lucrative enough that SIM-swap-as-a-service is now offered by some hacker groups [5]. Many of these groups have gone after celebrities and other high-profile individuals, stealing $1.8 million and $5 million in cryptocurrency in two recent individual attacks [6]. Even actress Sydney Sweeney has fallen victim to this scam: her X account was taken over and used to advertise a fraudulent cryptocurrency service [7].<\/p>\n\n\n\n<p>Regular people are targeted as well. In August 2024, 10 people in Toronto were arrested for using SIM swapping to defraud multiple individuals of over $1 million [9]. Over 1,500 accounts were compromised by this group [9].<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How can you prevent a SIM Swap Attack?<\/h2>\n\n\n\n<p>There are a few strategies you can use to reduce your risk of falling victim to a SIM swap. As recommended by Europol, whenever a service supports it, use an authenticator app for 2FA, such as those offered by Google or Microsoft, rather than having codes sent by SMS [6]. 
To avoid becoming a victim of the social engineering step, limit the personal information you share online and never give such information to unknown callers [6]. Additionally, contact your mobile carrier and ask for the strongest account protections it offers, for example a PIN or passphrase that must be supplied before any SIM change or number transfer is processed. If possible, have the account configured so that a new SIM card can only be issued in person [6].<\/p>\n\n\n\n<p>Another safeguard is knowing how to recognize a SIM swap while it is happening. When your number is moved to the attacker\u2019s SIM, your own phone loses service, and you may see \u201cSOS\u201d in the top right corner where the cellular signal indicator normally is [9]. The disruption may be brief, because the attacker will often switch the number back to the original SIM after gaining access to your accounts [9]. If you experience an unexpected loss of service, contact your carrier promptly and ask whether a new SIM card or a number transfer was requested recently, and notify your bank if you see any fraudulent activity around that time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Though 2FA by SMS is by no means perfectly secure, it is still preferable to a single factor such as a password alone. Where an authenticator app is available, however, it provides stronger protection against attacks such as SIM swapping: its codes are computed on your device from a secret that was shared with the service when you set it up, and they never travel over the phone network, so taking over your phone number gives the attacker nothing. Keep in mind that an authenticator app does not stop phishing: a code typed into a fake login page is just as useful to the attacker as one intercepted by SMS. 
As always, staying informed about developments in security and authentication will help you keep your accounts secure as new attacks emerge.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<p>[1] <a href=\"https:\/\/www.nomios.com\/news-blog\/password-problem\/\">https:\/\/www.nomios.com\/news-blog\/password-problem\/<\/a><\/p>\n\n\n\n<p>[2] <a href=\"https:\/\/www.cloudflare.com\/learning\/bots\/what-is-credential-stuffing\/\">https:\/\/www.cloudflare.com\/learning\/bots\/what-is-credential-stuffing\/<\/a><\/p>\n\n\n\n<p>[3] <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/brute-force-attack\">https:\/\/www.fortinet.com\/resources\/cyberglossary\/brute-force-attack<\/a><\/p>\n\n\n\n<p>[4] <a href=\"https:\/\/www.pearsonitcertification.com\/articles\/article.aspx?p=1718488\">https:\/\/www.pearsonitcertification.com\/articles\/article.aspx?p=1718488<\/a><\/p>\n\n\n\n<p>[5] <a href=\"https:\/\/arstechnica.com\/security\/2023\/11\/the-fcc-says-new-rules-will-curb-sim-swapping-im-pessimistic\/\">https:\/\/arstechnica.com\/security\/2023\/11\/the-fcc-says-new-rules-will-curb-sim-swapping-im-pessimistic\/<\/a><\/p>\n\n\n\n<p>[6] <a href=\"https:\/\/arstechnica.com\/information-technology\/2021\/02\/authorities-bust-sim-swap-ring-they-say-took-millions-from-the-rich-and-famous\/\">https:\/\/arstechnica.com\/information-technology\/2021\/02\/authorities-bust-sim-swap-ring-they-say-took-millions-from-the-rich-and-famous\/<\/a><\/p>\n\n\n\n<p>[7] <a href=\"https:\/\/www.pcmag.com\/news\/sydney-sweeneys-x-account-reportedly-hijacked-via-yet-another-sim-swap\">https:\/\/www.pcmag.com\/news\/sydney-sweeneys-x-account-reportedly-hijacked-via-yet-another-sim-swap<\/a><\/p>\n\n\n\n<p>[8] <a 
href=\"https:\/\/mobileklinik.ca\/blog\/how-do-sim-cards-work-and-where-can-you-buy-them\/\">https:\/\/mobileklinik.ca\/blog\/how-do-sim-cards-work-and-where-can-you-buy-them\/<\/a><\/p>\n\n\n\n<p>[9] <a href=\"https:\/\/toronto.ctvnews.ca\/10-suspects-arrested-in-sim-swap-scam-toronto-police-say-1.6985584\">https:\/\/toronto.ctvnews.ca\/10-suspects-arrested-in-sim-swap-scam-toronto-police-say-1.6985584<\/a><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Passwords have become ubiquitous in our lives as the main tool of account authentication, but relying solely on passwords is not very secure. With so many websites we use daily requiring accounts and passwords, many individuals reuse passwords or use very weak ones, like password123 [1]. If a password is reused on multiple sites, and &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2024\/09\/25\/an-attack-on-two-factor-authentication\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;An Attack on Two-Factor Authentication&#8221;<\/span><\/a><\/p>\n","protected":false},"author":669,"featured_media":519,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[16,11,18,17],"class_list":["post-514","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-authentication","tag-security","tag-sim-swap","tag-two-factor-authentication","entry"],"featured_image_src":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/09\/2024-09-25-600x383.png","featured_image_src_square":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/09\/2024-09-25-600x383.png","author_info":{"display_name":"Nicole 
Lefebvre","author_link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/author\/nicole-lefebvre\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/users\/669"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/comments?post=514"}],"version-history":[{"count":1,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/514\/revisions"}],"predecessor-version":[{"id":518,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/514\/revisions\/518"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/media\/519"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/media?parent=514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/categories?post=514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/tags?post=514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
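The post recommends an authenticator app over SMS codes but does not show why that choice defeats a SIM swap. The following Python is an added example, not code from the original post or from Google or Microsoft: it implements the RFC 6238 time-based one-time password (TOTP) scheme that those apps use, together with the service-side verifier. The secret is provisioned once onto the device (as a QR code), every later code is derived locally from that secret and the clock, and nothing is ever delivered over the phone network, so controlling the victim's phone number gives the attacker nothing to intercept. The verifier also shows two checks a practitioner expects: a small clock-drift window and replay rejection. The 30-second step, 6-digit codes and the "ExampleBank"/"alice" names are assumptions; the post specifies none of them.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

# Parameters the app and the service agree on at enrolment.
# Assumption: the post names none, so the RFC 6238 defaults (30 s step, SHA-1) and 6 digits are used.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time.

    This is what the app on the phone computes. It needs the secret and a clock;
    the phone number plays no part, which is why a SIM swap does not help an attacker.
    """
    return hotp(secret, at // step, digits)


def provision_secret(nbytes: int = 20) -> Tuple[bytes, str]:
    """Service side, done once at enrolment: generate the per-account secret and return it
    both raw (stored by the service) and base32-encoded (shown to the user as a QR code)."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii")


def enrolment_uri(issuer: str, account: str, b32_secret: str) -> str:
    """The otpauth:// URI that authenticator apps read from the enrolment QR code."""
    return (f"otpauth://totp/{issuer}:{account}?secret={b32_secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def verify_totp(secret: bytes, submitted: str, now: int,
                drift_steps: int = 1, last_used: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Service side check of a submitted code.

    Accepts the current time step plus or minus `drift_steps` neighbours to tolerate clock skew,
    compares in constant time, and rejects any step at or before `last_used` so that a code
    captured once (for example by phishing) cannot be replayed. Returns (accepted, step) so the
    caller can persist the accepted step as the new `last_used`.
    """
    current = now // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        step = current + delta
        if step < 0 or (last_used is not None and step <= last_used):
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, None


if __name__ == "__main__":
    # Hypothetical service and account names; not from the original post.
    raw, b32 = provision_secret()
    print("QR payload:", enrolment_uri("ExampleBank", "alice", b32))
    now = int(time.time())
    code = totp(raw, now)                        # computed on Alice's device, offline
    accepted, step = verify_totp(raw, code, now)
    print("device code:", code, "accepted:", accepted)
    # Submitting the same code again is a replay and is refused.
    print("replay accepted:", verify_totp(raw, code, now, last_used=step)[0])
```

The functions reproduce the published RFC 4226 and RFC 6238 test vectors for the ASCII secret 12345678901234567890, which is the quickest way to confirm an implementation before trusting it. Note that the verifier's drift window is a deliberate trade-off: each extra step accepted widens the replay and guessing surface, so keep it to one step on either side and always record the last accepted step.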