Hi-jacking your SIM - the fallacy of 2 factor authentication

Apr 11, 2020

2 factor authentication, aka 2FA, is often touted as the de facto standard for protecting access to your digital life. From Gmail to Amazon & everything in between, it's commonplace to use your mobile phone as part of the login mechanism. Because let's face it, who on earth would have both your passwords & your phone? That would be impossible, wouldn't it?

As you've guessed, clearly not is the answer! It turns out using 2FA actually presents a huge security risk to your digital life & it's one I no longer recommend. I became disillusioned with 2FA after a number of incidents last year: one involved both my partner & me losing our phones; the other was when I got locked out of a developer account whilst trying to hit a deadline. However, truth be known, both of these incidents could have been avoided or mitigated through better process, but the experiences highlighted how the system fell apart when you had to regain access to an account.

Well, the final nail has been driven into the coffin as far as 2FA goes. Hackers are turning to hi-jacking SIM cards through non-technical means and, once in control of a SIM, using it to access a victim's accounts. Once hackers have gained access to one account, they move on to other accounts using details gleaned from the last.

Don't underestimate how devastating this can be - there are reports of victims losing everything, having bank accounts cleaned out, entire digital lives wiped forever. So how do hackers hi-jack your SIM? It's dead simple....

They ask! Through social engineering, hackers build up a picture of their victims (gaining next of kin/spouse/phone numbers etc.) from data available online. They then contact a network provider and convince the support staff that they are actually the victim. Once the network provider is confident the hacker is the actual victim, the provider authorises the cloning of the victim's SIM card (most likely due to the original being "lost"). Once this second SIM is put into a phone, the original ceases to work. Like Highlander, there can be only one!

Once a SIM has been cloned, hackers can literally run amok with your life - check these stories out to understand just how damaging this hack is.

  1. Man loses 1million after SIM cloned
  2. What is SIM Jacking?

As one developer pointed out - your phone was never designed to be the keys for your digital life, so it really isn't best placed to protect you. By design, all web service authentication protocols are built around protecting a password, not protecting a cell tower or your phone.

So, 2 factor authentication. I don't do it. I'd not recommend you do either!