Multifactor authentication (MFA) is currently one of the most effective ways to secure an online account. Entering usernames and passwords is the default way of accessing accounts, but MFA adds one more requirement to authenticate the identity of a person logging in, such as having to enter a one-time smartphone code. This means that even if a hacker acquires a user’s credentials, their login attempts will be futile if they can't fulfill the subsequent security measures.
According to a 2019 Google report, MFA is an effective way to prevent account takeover, with an effectiveness rate of as much as 100% against automated bots and 96% on bulk phishing attacks using SMS codes. However, hackers who wish to take control of a user’s account and steal sensitive information have found a way around one-time SMS codes: SIM swapping.
What is SIM swapping?
SIM swapping is a newer method of identity theft in which an attacker convinces a mobile carrier to move a victim's phone number to a new SIM card that the attacker controls. Once the number is moved, the attacker receives the victim's SMS code prompts and can use them to gain access to the account being targeted.
This attack is increasing in popularity due to the growing dependence on phone-based authentication methods. For instance, when online services ask a user to turn on MFA, they are typically asked to register a mobile number. This number will receive a code whenever the user tries to log in to a certain service, which “verifies” the identity of the person logging in.
How does it work?
SIM swapping is a comprehensive process that takes a lot of the hacker’s time and effort. The first step involves phishing for as much personal information from the victim as possible, such as birth date, phone numbers, and names of family members. Cybercriminals can send out fraudulent emails, make unsolicited phone calls, or access the user’s social media accounts to dig for any data they can use.
Once they have gathered enough information about the victim, they will call the user's network provider and claim that the original SIM card has been compromised and that they would like to have it replaced. The network provider will then ask some security questions, which the attacker will be able to answer easily if they have collected enough information about the victim.
Once the cybercriminals are provided with a SIM card bearing the victim's mobile number, they'll receive all of the victim's text messages and phone calls. Most alarmingly, the hackers will also be able to access every online account that uses that number to receive MFA SMS codes. This will allow them to steal personal, financial, and other confidential information.
What does it mean for your business?
Your company uses email to communicate and collaborate, and you might be using MFA to secure your employees' accounts. If you've opted for one-time codes to be sent to their personal mobile numbers, cybercriminals can request a new SIM card from the network provider, infiltrate a user's account, and steal both sensitive personal and company information.
So what can you do?
Encourage your employees to protect their online accounts better from SIM swapping by using the following tips:
#1. Avoid revealing too much personal data online
Cybercriminals can easily steal personal information and use it to convince network providers that they are the rightful account owner. Teach your workforce to avoid publicly displaying sensitive information such as age, phone numbers, and family members online, which lessens the chances of someone impersonating them and using these details to take over their accounts.
#2. Use authenticator apps
Organizations should avoid using SMS as a primary MFA method, as these messages are not encrypted and can be snooped on easily. Use authenticator apps such as Google Authenticator or Microsoft Authenticator.
These programs generate six-digit codes on your phone that the account's server can compute independently, because both sides hold the same secret and derive each code from it and the current time. When you log in to an account, you'll be asked to enter the six-digit code currently shown in your authenticator app. Nothing is sent over SMS, so there is no text message for cybercriminals to intercept, and a swapped SIM does not help them.
#3. Use other MFA methods if possible
MFA goes beyond using one-time smartphone codes. You can also use more secure options such as fingerprints and facial recognition to verify a user’s identity. This way, no hacker will be able to access confidential files since they can’t bypass these security measures.
Don’t let SIM swapping attacks bring your business to its knees. Binatech’s network security solutions make it easy for you to safeguard your files 24/7/365 from prying eyes of hackers. Take the next step toward better data protection. Drop us a line to learn more!