Enterprises must step up from two-factor authentication via smartphones or risk breach via SIM swap

SIM swap attacks pose a significant risk to enterprises that rely on employees authenticating using two-factor authentication via smartphone.

Security researchers from Princeton University, in a recently published report, have highlighted the ease at which hackers are able to bypass 2FA via smartphones, enabling attacks on victims’ bank accounts and access to enterprise cloud-based resources .

The findings were the result of 50 attempts by researchers, across five North American prepaid telecom companies, to see if they could port a ‘stolen’ number to a SIM card.

In the majority of instances, the researcher was successful once they had correctly answered one question when questioned by the telecom’s customer service representative. The sort of question that can easily be answered by a hacker with a minimal amount of time spent on social engineering.

“We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges. Within each carrier, procedures were generally consistent, although on nine occasions across two carriers, customer service representatives either did not authenticate the caller or leaked account information prior to authentication,” the report says.

Chris Edwards, Chief Technical Officer, Intercede comments:
“So-called ‘SIM swap’ attacks, where one-time passwords (OTPs) sent via SMS are intercepted by malicious actors should be a thing of the past. While generating OTPs and sending via SMS is a simple, low-cost way to implement two-factor authentication (2FA), it is inherently flawed as SMS is not designed as a secure communications channel. This means that OTPs can be intercepted by SIM swapping, rogue apps, or even be previewed from an unlocked phone’s screen. In 2020, now that it has become significantly easier and cheaper to implement stronger methods of multi-factor authentication, and move higher up the identity and access management hierarchy, such flawed authentication methods should be phased out.

To avoid ‘SIM swap’ style attacks, organisations should adopt technologies that are more secure and importantly, far more convenient for the consumer. These solutions put the authentication credentials in the phone itself rather than in the SIM. They work through PKI (certificates), OTP or FIDO (Faster IDentity Online) enabled apps and browsers, each of which can use a biometric (finger or face) or a PIN to authorise them. All of these are more secure than OTP via SMS, and have now become relatively easy to deploy at scale. While historically, CISOs may have avoided the strongest authentication methods due to cost or ease of use concerns, recent innovation has made these far more accessible to the general market, and no longer the sole preserve of governments and law enforcement.”

If you are exploring methods of strong authentication, contact us now via the form below to find out how MyID credential management makes strong authentication simple for enterprises large and small to integrate and run.