
How to protect against SMS mobile security weakness – ComputerWeekly.com

Many banks and corporate IT systems force users to use SMS one-time passwords to secure their accounts, but these can easily be bypassed for most users.
Imagine making a trip to the gym or swimming pool. Before heading to your activity, you lock your valuables away in a locker, meaning your phone and wallet are kept together. Given that banking providers will often send SMS text messages to your phone in order to approve suspicious transactions, if someone were able to gain entry to the locker and access both your cards and your phone (bypassing your phone’s PIN), they would be able to defeat any security measures built around those transaction approvals.
This was the fate that befell Charlotte Morgan, who reported in a Twitter thread that a thief had broken into her gym locker, got past the security on her phone, stolen money from her bank account and gone on a £5,000 shopping spree. Charlotte noted that all her PINs, passcodes and passwords were different.
It is often claimed in security communities that “physical access is game over”, due to the vast amount of power an attacker has with control over your device, but in reality, there are tangible steps that individuals can take to protect themselves from falling victim to such attacks.
Many personal and corporate accounts use SMS text messages to deliver one-time passwords as a further layer of security before someone is able to log into an online account, talk to a customer support representative (for example, when using telephone banking) or even enrol in a mobile banking app (with modern banking apps even displaying your card PIN in the app user interface itself).
While SMS one-time passwords are not ideal (for example, if someone was able to intercept the message, they could get the code), the alternative is using two-factor authentication (2FA) apps or hardware tokens, which many vendors do not use as the default in order to reduce user friction.
You may well now be thinking that someone’s biometrics (fingerprint or facial recognition) or phone PIN number will prevent a malicious actor from getting access to their text messages. Indeed, security hardening measures on a user’s devices usually focus on making sure the software running on the phone is up to date and free of any malware that could steal data. I personally use apps like iVerify to stay on top of my mobile security; however, these measures can easily be bypassed for most users when it comes to SMS one-time passwords.
By simply removing the SIM card from your phone and placing it into another phone, you can receive any SMS 2FA messages sent to that phone number without needing to unlock the original phone at all. The mobile network associates the phone number with the SIM, not with the handset, so the second phone simply takes over the number of the first.
You can take steps to protect yourself, and your organisation if you are in a position to give security advice within it. By simply enabling a PIN lock on your SIM card, you prevent a third party from using your SIM card in a different device without first entering that code (or obtaining an unlock code, known as a PUK code, from the network provider). You will also be prompted for this code whenever the phone is restarted and needs to reconnect to your network provider. Note that entering the wrong SIM PIN three times locks the SIM until the PUK is entered, and repeatedly entering the wrong PUK will permanently block the SIM, so keep the PUK somewhere safe.
An iPhone user can access this feature by navigating to Settings > Mobile Data > SIM PIN to change their SIM PIN and activate it. On Android, this can be found in Settings > Security > Set up SIM card lock. SIMs usually ship with a default PIN set by the network provider (often 0000 or 1234), so change it to a PIN of your own rather than simply switching the lock on.
As mobile devices transition to using eSIMs instead of physical SIM cards, this is also likely to become less of a problem. With Apple iPhone 14s in the US now exclusively using eSIMs, there is no physical SIM card to be transferred to a different device. That said, it is still possible to set a SIM PIN on an eSIM, and this adds an extra layer of security, particularly if your phone allows text messages to be read or phone calls to be answered while it is locked.
While many of us in cyber security understand the pitfalls of sending one-time passwords over SMS, the reality is that many vendors give us no option but to use them. It is therefore best to secure ourselves as well as we can in these circumstances. SIM PINs are an important measure to help with this, particularly while we remain reliant on physical SIM cards.
Junade Ali is an experienced technologist with an interest in software engineering management, computer security research and distributed systems.