In a previous post we discussed threats and risk and how they tie together.
In this post, we’ll talk about a real world scenario and see how this threat model can play out.
Let’s say the threat you’re trying to protect against is unauthorized access to your data. The vulnerability here is a misconfiguration in the authentication system, for example no second factor (MFA) being enforced. The risk is the impact of your data being accessed combined with the likelihood of this scenario actually being carried out.
You can make the argument that not everyone is equally at risk from this type of threat. Think journalists, high net worth individuals, or someone holding a lot of cryptocurrency. In these cases the risk is applied differently: the impact of a successful SIM swap is great for anyone, but the likelihood is not the same.
Another way of saying this would be, the threat model for a journalist is different from that of say a maintenance worker at a University.
The TLDR is that a strong form of MFA will be your best bet here.
We can think of two main forms of SIM Swapping here.
Getting your phone number ported to another (attacker-owned) phone
The physical threat
Now let’s go over each of these scenarios.
SIM Swap Fraud
SIM Swap attacks of this kind can be carried out with recon and social engineering. It could look like this:
An attacker does some enumeration on their target and builds a profile (enough to answer security questions), contacts the mobile carrier, answers the security questions, and convinces them to port the target’s phone number over to the attacker’s SIM card.
The attacker can also bribe carrier staff; this has worked before.
In the end, they have your phone number ported over to a phone in their possession. Chaos then ensues.
In a nutshell, it could look like this
They now receive your SMS messages and can get into your email and account recovery flows. That means they can kick off password resets on your accounts and reset everything, effectively locking you out.
We should not underestimate the scale of the effects of SIM Swaps, as groups like Lapsus$ have shown us in recent years.
SMS-based one-time codes (OTP) are vulnerable in this case, since the codes are sent to your phone number, and that number now rings on the attacker’s phone.
Another way attackers can accomplish this is by stealing credentials. They can do so via initial access brokers (IABs) where they purchase credentials and then take the steps outlined above.
So what can you do?
In this previous podcast conversation, two experienced Security practitioners go over this topic. The timestamp specifically discussing SIM Swapping is 16:10.
Here are some steps to take to protect yourself
Setup a PIN on your carrier account
Setup a PIN on your SIM
Use answers only you would know (or wrong answers) for your security questions
Use security keys or passkeys as your 2nd factor
Now let’s go over these in a bit more detail.
Setting a PIN on your mobile account. You do this with your carrier. This way, if someone tries calling to port your phone number to another SIM, they will need to know this PIN to move further.
Enabling a SIM lock. Sometimes known as a port-out lock, this prevents unauthorized changes to your account and can be your single biggest security measure against SIM swapping.
Setting a PIN on your SIM. You do this locally on your phone, and the steps vary between iOS and Android. After any restart, or if the SIM is removed and reinserted, the PIN must be entered before the phone gets any service.
You can do this for a SIM card or an eSIM.
Use security question answers only you would know. The more obscure the better. Some security professionals opt for fake answers here. (Just make sure you remember them.)
On a related note, consider the amount of information you share online. In today’s times, this might be difficult for a lot of people. Think before you share on social media and other sites. Most of the time it’s just not worth it from a risk perspective.
Opt out of SMS as your second factor whenever possible. There’s just too much downside potential when using SMS-based MFA.
Use security keys or passkeys. Doing this ensures you are using the strongest form of two-factor authentication.
If you’re using hardware security keys you are using phishing-resistant measures to protect yourself; just ask Google employees.
This also means that a physical attack is the only remaining threat that can lead to a successful SIM swap.
The Physical Threat
This is one of the most precarious threats out there. While not as common, it has definitely been documented. In this threat model the impact is great, since the victim’s life is in danger, but for most people the likelihood is lower.
That said, certain threat actors have added this kind of physical attack to their arsenal: black bag operations where a target is pursued for the assets tied to their phone.
In this scenario, someone locks in on you as the target, physically threatens you for your credentials, and has you authenticate with your security key. You decide what that risk looks like in your day-to-day life.
That being said, hardware security keys are still the strongest form of MFA and should still be the route you choose.
Consider the objection some people raise against physical security keys: someone in proximity to your laptop (think open office) could use the key plugged into it to authenticate and log in as you. There are greater risks out there for most people.
Adding security keys to your 2FA and adding a SIM lock are probably the biggest ROI actions the average internet user can take to protect themselves.
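To make the threat model above concrete, here is a small added model (not code from the original post) of the attack paths and mitigations this post describes: it works out which paths still lead to account takeover for a given account setup, and weights them by the persona-dependent likelihood discussed earlier. The attack paths are the post’s; the likelihood numbers and the AccountConfig/residual_risk names are assumptions constructed for the illustration.

```python
"""Which SIM-swap-related attack paths still take over an account?

Constructed model of the post's threat model: attack paths and mitigations
are the ones the post describes; the likelihood numbers are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

# Channels an attacker ends up controlling on each path the post describes.
ATTACK_PATHS = {
    "sim_swap_fraud":   {"sms"},                              # number ported
    "credential_theft": {"password"},                         # bought from an IAB
    "theft_plus_swap":  {"password", "sms"},                  # both combined
    "physical_threat":  {"password", "sms", "security_key"},  # coercion
}

# Constructed per-persona likelihood (0..1) that each path is attempted.
PERSONA_LIKELIHOOD = {
    "journalist":         {"sim_swap_fraud": 0.5, "credential_theft": 0.5,
                           "theft_plus_swap": 0.3, "physical_threat": 0.1},
    "maintenance_worker": {"sim_swap_fraud": 0.05, "credential_theft": 0.2,
                           "theft_plus_swap": 0.02, "physical_threat": 0.001},
}
IMPACT = 10  # full account/data loss: same impact for every persona

@dataclass(frozen=True)
class AccountConfig:
    login_factors: frozenset      # what a normal login requires
    recovery_channel: str         # what the password-reset flow trusts
    port_out_lock: bool = False   # carrier PIN / SIM (port-out) lock set

def takeover_paths(cfg: AccountConfig) -> list[str]:
    """Return the attack paths that still yield account takeover."""
    hits = []
    for name, controlled in ATTACK_PATHS.items():
        # A carrier PIN / port-out lock defeats the social-engineered port.
        if cfg.port_out_lock and name in ("sim_swap_fraud", "theft_plus_swap"):
            continue
        can_login = cfg.login_factors <= controlled   # attacker holds every factor
        can_reset = cfg.recovery_channel in controlled  # attacker owns the reset path
        if can_login or can_reset:
            hits.append(name)
    return hits

def residual_risk(cfg: AccountConfig, persona: str) -> float:
    """Risk = impact x likelihood, summed over the paths still open."""
    likely = PERSONA_LIKELIHOOD[persona]
    return round(sum(IMPACT * likely[p] for p in takeover_paths(cfg)), 6)

SMS_DEFAULT = AccountConfig(frozenset({"password", "sms"}), "sms")
HARDENED = AccountConfig(frozenset({"password", "security_key"}), "security_key", True)
```

With SMS as both second factor and recovery channel, every SIM-swap path stays open; once a security key is the second factor and recovery no longer trusts SMS, only the physical threat remains, which is the point made above.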
Wrapping Up
This post covered SIM swap attacks and how to better protect yourself against them, and showed what threat modeling can look like.
Take measures such as:
Setting up a PIN on your carrier account
Enabling a SIM lock
Using answers only you would know (or wrong answers) for your security questions
Using security keys or passkeys as your 2nd factor
In the end, where you choose to focus your security efforts to protect yourself depends on your threat model.
I hope you learned something new in this post. See you in the next one!