Threat Model: SIM Swapping
Previously we discussed Vulnerabilities, Threats, and Risk and how they all tie in together.
In this post, we’ll talk about a real world scenario and see how this threat model can play out.
As a brief recap from the previous post on this topic, a vulnerability refers to a flaw in a system, a threat is the potential danger or perpetrator. A risk refers to the impact of that threat exploiting that vulnerability and the likelihood that it will happen.
Let’s say the threat you’re trying to protect against is unauthorized access to your data. The vulnerability here is a misconfiguration in the authentication system, for example no 2FA enforced. The risk is the impact of your data being accessed and likelihood of this scenario being carried out.
In a previous post, we discussed SIM Swapping and the impact of this threat.
You can make the argument that not everyone is at risk for this type of threat equally. Think journalists, high net worth individuals, or someone who is worth a lot in Crypto. In this case, the risk is applied differently. The impact of a successful SIM Swap is great in either case, however the likelihood is not the same.
Another way of saying this: the threat model for a journalist is different from that of, say, an administrative professional at a university.
The TLDR is that a strong form of MFA will be your best bet here.
We can think of two main forms of SIM Swapping here.
Getting your phone number ported to another (attacker owned) phone
The physical threat
Now let’s go over each of these scenarios.
SIM Swap Fraud
SIM Swap attacks of this kind can be carried out with some recon and social engineering. It could look like this:
An attacker does some enumeration on you and builds a profile (enough to answer your security questions), contacts your mobile carrier, and convinces them to port your phone number over to their SIM card.
The attacker can also bribe carrier staff; this has worked before.
In the end, they have your SIM ported over to a phone in their possession. All chaos then ensues.
They have access to your SMS texts, email, and account recovery flows. This means they can get into your accounts and reset everything, kicking off the password reset flows and effectively locking you out of your accounts.
OTP and SMS are both vulnerable in this case: one-time passwords go to the phone number, and that number is now ported to the attacker's phone, so every SMS is delivered to the attacker as well.
Another way attackers can accomplish this is by stealing credentials. They can buy them from initial access brokers (IABs) and then take the steps outlined above.
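One defensive angle on the flow above is on the service side: a password reset that relies on an SMS one-time password and arrives shortly after the phone number was ported is exactly the pattern described here. The following is an added example, not code from the original post; it assumes a service has a `sim_port` signal for the account (some carriers expose SIM-change lookups, which is an assumption here) and runs a simple correlation over a constructed event log, flagging phone-bound resets that fall within a 72-hour window of a port.

```python
"""Flag phone-bound password resets that closely follow a SIM port.

Added example (not from the original post). The event log below is
constructed; the 'sim_port' event is an assumed signal, e.g. fed from a
carrier SIM-change lookup.
"""
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <event> [<factor>]"
SAMPLE_LOG = """\
2024-03-01T08:00:00Z alice login_success
2024-03-03T14:05:00Z alice sim_port
2024-03-03T14:20:00Z alice password_reset_request sms_otp
2024-03-03T14:22:00Z alice otp_verified sms_otp
2024-03-03T15:00:00Z bob password_reset_request sms_otp
2024-02-10T09:00:00Z carol sim_port
2024-03-04T10:00:00Z carol password_reset_request security_key
2024-03-04T10:01:00Z dave password_reset_request sms_otp
"""

# How long after a port a phone-bound reset is treated as suspicious (assumed policy).
PORT_WINDOW = timedelta(hours=72)

# Factors that are satisfied by whoever controls the phone number.
PHONE_BOUND_FACTORS = {"sms_otp", "voice_otp"}


def parse_log(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "account": parts[1],
            "event": parts[2],
            "factor": parts[3] if len(parts) > 3 else None,
        })
    return sorted(events, key=lambda e: e["ts"])


def flag_post_port_resets(events, window=PORT_WINDOW):
    """Return (account, reset_time, delay_since_port) for phone-bound resets
    requested within `window` of that account's most recent SIM port.

    Resets verified with a non-phone factor (security key, passkey) are not
    flagged: controlling the number does not satisfy them.
    """
    last_port = {}
    alerts = []
    for e in events:
        if e["event"] == "sim_port":
            last_port[e["account"]] = e["ts"]
        elif e["event"] == "password_reset_request" and e["factor"] in PHONE_BOUND_FACTORS:
            port_ts = last_port.get(e["account"])
            if port_ts is not None and e["ts"] - port_ts <= window:
                alerts.append((e["account"], e["ts"], e["ts"] - port_ts))
    return alerts


if __name__ == "__main__":
    for account, when, delay in flag_post_port_resets(parse_log(SAMPLE_LOG)):
        print(f"ALERT {account}: SMS-based reset at {when.isoformat()} "
              f"only {delay} after SIM port")
```

Running it flags only alice (a reset 15 minutes after the port); bob has no port on record, carol's port is weeks old and her reset used a security key anyway, and dave has no port at all. The point of the window is the same one the post makes: a phone number that just moved is a weak thing to anchor account recovery on, and a service can treat it that way.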
So what can you do?
In this podcast conversation, two experienced Security professionals go over this topic. The timestamp specifically discussing SIM Swapping is 16:10.
Here are some steps to take to protect yourself
Set up a PIN on your mobile account
Set up a PIN on your SIM
Limit the amount of information you share online
Use answers only you would know (or wrong answers) for your security questions
Use security keys or passkeys as your 2nd factor
Now let’s go over these in a bit more detail.
Setting a PIN on your mobile account. You do this with your carrier. This way, if someone calls to port your phone number to another SIM, they will need to know this PIN to go any further.
Setting a PIN on your SIM. You do this locally on your phone. The steps vary between iOS and Android, but the goal is to protect the SIM itself: after any restart, or if the SIM is removed and placed in another phone, the PIN is needed before the SIM can be used for calls, texts, or data.
You can do this for a SIM card or eSIM.
Limit the amount of information you share online. These days this one might be difficult for a lot of people. Think before you share on social media and other sites. Most of the time it's just not worth it.
Use security question answers only you would know. The more obscure the better. Some security professionals opt for fake answers here (just make sure you remember them, for example by keeping them in your password manager).
Opt out of SMS as your second factor. There’s just too much potential for exploit when using SMS-based MFA.
Use security keys or passkeys. Doing this will ensure you are using the strongest form of two-factor authentication.
If you’re using hardware security keys you are using phish-proof measures to protect yourself, just ask Google employees.
This also means that a physical attack is the only SIM Swap scenario left that can succeed.
The Physical Threat
This is one of the most precarious threats out there. It is not as common, but it has definitely been documented. In this threat model the impact is great, as the victim's life is in danger, but for most people the likelihood is lower.
However, certain threat actors have added this kind of physical attack to their arsenal: black bag operations, where a target is defined and pursued.
In this scenario, someone locks in on you as the target, physically threatens you for your credentials, and has you complete 2FA with your security key. You decide what the risk of this is in your day-to-day life.
That being said, hardware security keys are still the strongest form of MFA and should still be the route you choose.
This is sort of like objecting to physical security keys because someone near your laptop (think open office) could use the key left plugged in to complete 2FA and log in as you. There are greater risks out there.
Wrapping Up
This post covered SIM Swap attacks and how to better protect yourself against them, and showed what threat modeling can look like in practice. In the end, where you choose to focus your security efforts to protect yourself depends on your threat model.
I hope you learned something new in this post. See you in the next one.