
I hacked my friend’s website after a SIM swap attack


Here’s how easily your phone number could be stolen, why a successful SIM swap scam is only the beginning of your problems, and how you can avoid becoming a victim of it

We hear of SIM swapping / SIM hijacking / SIM swap scams all the time, yet many people think it can’t happen to them, so I tested a SIM swap attack on a friend – let’s call him Paul – to help people fully understand the risks.

How it works

All I needed for the test was Paul’s real name and phone number. Paul owns a real estate agency selling luxury properties in one of the most expensive locations in the UK. Like many people, his contact details are on his website, and with some good old-fashioned internet research (or open-source intelligence, aka OSINT) I found out a whole lot more.


Acting like a true threat actor, I recorded any information I could find about Paul online, without submitting friend requests or follows on his social media. While some bad actors do request a connection, for this experiment I kept my distance, as I already know a lot about him.

It didn’t take long to find out a tremendous amount of information about Paul, especially through his public Instagram feed and wide-open Facebook posts. I located dates and numbers that meant something to him, digging around for birthdays and anything else that looked of chronological interest. I soon found birth dates for both Paul and his son – I only needed to see public posts before, during and after their birthdays to work out the exact dates.

Most people in the UK use one of a small number of telecommunication companies, so I started with one and got lucky with the first company - it was Paul’s provider. After going through the system and getting hold of a very helpful agent I said I was Paul and gave his corresponding phone number. I then had to pass security.

For telecommunication companies, “security” means proving who you are by giving two digits from a previously agreed PIN code. Lots of people memorise credit card PINs or the code to unlock their phones, but this is largely because they actively use these codes; I doubt many people log into their phone provider’s account often enough to memorise their code. TRAP 1: using a PIN that is easily memorable, e.g. a birthday, which came in handy for my experiment.

I don’t know how many cracks at the code you get, but it is more than one. As part of the verification process I first submitted ‘1’ and ‘1’ (Paul’s son was born in 2011). It was wrong - but the agent gave me another go. I chose ‘8’ and ‘2’ (Paul was born in 1982), passed security and was asked to describe my problem in greater detail.
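To put a number on TRAP 1, here is an added Python example (my own illustration, not code from the original article or from any provider) that models the partial-PIN check described above: the provider holds a PIN, the agent asks for the digits at two positions, and more than one attempt is allowed. The article does not state the PIN length, so 4 digits is an assumption; the true PIN, the challenged positions and the OSINT dates are constructed to mirror the story, and the 1900–2030 year range is likewise an assumption.

```python
import calendar
from typing import Iterable, Optional, Sequence

# Assumption (not stated in the article): provider PINs are 4 digits.
PIN_LEN = 4
# Assumption: plausible birth years a guesser would consider.
YEARS = range(1900, 2031)


def _days_in_month(month: int) -> int:
    # 2024 is a leap year, so February counts 29 days: a PIN made from a
    # real date can be 29 February.
    return calendar.monthrange(2024, month)[1]


def date_like_pins() -> set:
    """Every 4-digit PIN that reads as a year (YYYY), day-month (DDMM) or month-day (MMDD).
    This is the whole search space a guesser needs if the PIN is date-based."""
    pins = {f"{y:04d}" for y in YEARS}
    for month in range(1, 13):
        for day in range(1, _days_in_month(month) + 1):
            pins.add(f"{day:02d}{month:02d}")  # DDMM
            pins.add(f"{month:02d}{day:02d}")  # MMDD
    return pins


def osint_candidates(years: Iterable[int], birthdays: Iterable[tuple]) -> list:
    """Ordered PIN guesses derived from dates found on public profiles.
    `birthdays` are (day, month) tuples. Years go first, as in the article."""
    guesses = [f"{y:04d}" for y in years]
    for day, month in birthdays:
        guesses += [f"{day:02d}{month:02d}", f"{month:02d}{day:02d}"]
    return list(dict.fromkeys(guesses))  # de-duplicate, keep order


def partial_pin_attack(true_pin: str, positions: Sequence[int],
                       candidates: Iterable[str], max_attempts: int) -> Optional[int]:
    """Simulate the agent's check: only the digits at `positions` are compared.
    Returns the number of attempts used to pass, or None if the attacker runs out."""
    target = "".join(true_pin[i] for i in positions)
    tried = set()
    attempts = 0
    for pin in candidates:
        answer = "".join(pin[i] for i in positions)
        if answer in tried:  # same two digits as an earlier guess: don't waste a go
            continue
        tried.add(answer)
        attempts += 1
        if answer == target:
            return attempts
        if attempts >= max_attempts:
            return None
    return None


if __name__ == "__main__":
    # Constructed scenario mirroring the article: PIN is Paul's birth year,
    # the agent asks for the 3rd and 4th digits, two attempts are allowed.
    pin, asked = "1982", (2, 3)
    guesses = osint_candidates([2011, 1982], [(14, 3)])
    print("date-like PINs:", len(date_like_pins()), "of", 10 ** PIN_LEN)
    print("attempts needed with OSINT list:", partial_pin_attack(pin, asked, guesses, 2))
    print("random guesser passes in 2 tries with probability", 2 / 100)
```

A random guesser has a 1-in-100 chance per attempt at a two-digit challenge; a guesser working from a short list of dates found on social media needs one or two. The date-like subset is well under a tenth of the 4-digit space, which is why the advice below is not to use anything linked to you.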

I gave a distressed account of how my phone had been stolen, how it was vital the SIM card was stopped, and that I had purchased a new SIM card and needed it ported across. I had a new SIM card ready to place into a spare phone and after giving the agent the new SIM number she confirmed the number would be ported within hours.

At this stage, Paul may have noticed his network signal dropped and no text messages were coming through, but he would still have had access to the internet via Wi-Fi (he did, as he was in the office when I called his mobile provider).

Within two hours of turning my spare phone on and off multiple times I was granted full access to Paul’s number. I tested it by ringing my phone from the spare phone - the new SIM in my spare phone was now acting as Paul - his name appeared on my phone when it rang.

This is where the danger really can start.

The consequences

I knew it was only a matter of time before Paul figured something was up, so I went to his website and noted the host - a popular website builder. I used his email address against the “forgotten password” link (a hacker’s favourite button) to submit my request and see what would happen.

As Paul is moderately aware of cyberattacks, he had two-factor authentication (2FA) set up but to my joy, only via SMS – TRAP 2. Within seconds a code was sent via SMS to my spare phone. I entered it into his website and hey presto, I could now change his password.

I could have completed similar actions on Paul’s social media and web-based email, but I had made my point and decided to retract. I did think it fun to place a huge smiling mugshot of myself on his front page, which made for an interesting chat when I rang him on his landline to tell him his updated website was looking great. Paul was gobsmacked, but impressed at how quickly I had taken control of his most valuable asset.

Protect yourself

There are two main ways to thwart SIM swap attacks:

• Never use anything linked to you in your PIN codes or passwords.
• Where possible, replace SMS-based 2FA with an authenticator app or physical security key.

Taken together, these would have stopped me gaining access to Paul’s mobile phone account and, more importantly, I couldn’t have changed his passwords. Once passwords are stolen, criminal hackers can block genuine account holders and it is extremely difficult, or even impossible, to regain control. The consequences for bank, email and social media accounts are particularly dire.

As for Paul, I returned control of his SIM and website, helped him set up an authenticator app and he changed his mobile provider’s PIN code. I also helped him remember the code by teaching him the ways of a password manager. Just as importantly, I advised him to stop sharing sensitive personal information on social media and limit who can see posts or other material there.
