In this post, I wish to cover ‘Sim Swap Fraud’ and some of the ways we can prevent it.
I’m not a natural writer, I only do these blogs in hope people will listen up and improve security. So feel free to read the Vice Post inspired by this research instead.
The last time I wrote a blog like this was when I found the TalkTalk data breach of 2015. Something the mainstream media have thankfully all ignored, opting for the livelier story of super hacking teens with a sprinkle of extra F.U.D. But hey, don’t look at me talking about poor server hygiene weeks before Dido, look at the kids with SQLmap. Rant over, where was I… Ah yes, Sim Swap Fraud.
What is Sim Swap Fraud
In fact, let’s first cover porting a number over without the fraud. Every number in the UK can have a Porting Authorisation Code (PAC) generated. This code, given to the mobile phone owner by their current network operator will allow you to switch providers. You simply ring up your current operator, ask for the PAC number and give this code to the new operator. A few days later your phone number has been transferred to a new network.
Now let’s add the fraud bit. This system has been abused for a decade as a way to ‘steal’ a persons mobile number. A criminal would just ring up your operator, pretend to be you and get the code. Following this task you just buy a new SIM card, port the number too it and bingo. You have stolen the number and even if the number is identified as stolen by this method, it will still take a few days to get it back. The reports from victims are distressing, people’s lives have been uprooted in a second and the impact doesn’t stop with a phone issue. The whole driving force behind this kind of fraud is your email address, your bank, your online life.
Wait a minute.. I hear you say “Your online life”. How is this then? Seems a big jump from your mobile number…
Well not really… Many email and social media accounts will reset an online account’s password if they can send a verification code to your phone. It’s a trivial task to go to an online account and type in the victims email address and then get a code sent to the phone number in your control. Once you have a Google account you could look at location history, emails, pictures etc. I don’t want to dwell on this point of escalation. For those this article is intended, I hope you know the level of access an email account can bring.
Other motivators for this attack could be:
- Bypass 2-factor accounts that have a compromised password already.
- Approve banking transactions with SMS notifications.
- Defame – Calls to your clients. Calls to your boss, embarrassment.
- Further Vishing calls using your number.
I wanted to Identify what networks were like dealing with the PAC issue procedure for their customers and I started working on some research. I knew it was a little bold, but I decided to carry on with it, mitigating the concerns I had with legality and ethics with some minor tweaks to the original plan. The assessment was far from scientific and it wasn’t repeated 50 times to get any kind of meaningful statistics – it was to serve as a proof of concept, after hearing a lot about Sim Swap Fraud in 2015 I had wondered if this was media hype or was this actually still a concern.
I started with purchasing SIM cards and Top Ups for all the major networks. I didn’t cover them all – I mean, how far do you go with being curious! but I think I got a good selection. The assessment would have to be as fair as possible, so uniformly I topped up and registered all the SIM cards using the same details. The registration process is documented along side each operator to give you a better understanding of what information they could validate me from. On the topic of validation, some operators validate customers using methods such as commonly dialled numbers or last top up amount. So for each SIM that I registered, I also placed 3 calls and sent an SMS to the same number. After registration I would then dial in to the operator using a landline – just to be sure they weren’t using the number or the ICCID to validate the call. I would then provide them with the minimum amount of information requested to obtain a PAC number, in places where the call handler requested poor information for validation such as ‘last top up amount’ incorrect answers were given in order to really push what a malicious caller could get away with. The results are what they are, please don’t make a judgement on a whole phone network based on this post alone, but I hope it gives a certain transparency to key areas of improvement within these household name brands. The networks were contacted 7 days ago and were offered a chance to comment.
If the stragglers want a statement attached feel free to send one and I’ll put it up. This isn’t about bashing brands, this is about securing people en masse. Most advice I’ve seen online focused on defence client side – the issue is almost totally provider side.
1 – Vodafone
It’s quite hard to register a phone that is prepay on Vodafone. I found that registration was supported and publicised for pay monthly and business customers, but not prepay. I navigated the menus until finding the customer retention/sorry you are leaving us extension. A call back was requested. A few minutes later an operator called back and took my details. Name+DOB+PIN Number+Memorable Name+Hint were all provided. The agent also sent a ‘code’ (9999) to the handset to validate that it was in my possession. Three numbers were then called and one SMS was sent from the device.
The call is straightforward enough, the top amount provided was wrong but the agent progresses with my request. In the video I am polite and make a few mistakes on purpose to portray I am not tech savvy. After the video finishes I am told the PAC number could not be provided over the phone and can only be issued to the device in a SMS message. The caller validation used: Name, DOB and incorrect last top up amount.
On registration I had high hopes for Vodafone, the agent was pushy and made me register a passcode and even a memorable word. Later when a situation like a PAC issue is being dealt with, it would be great to see this information being requested. It is daft setting a password for accounts, then not making it mandatory for all accounts to use it. Issuing the PAC directly to the device means you would need to have the mark’s phone. Still not an impossible situation to combine this call with a minutes access to the device, but if someone has your phone in an unlocked state and is of malicious intent – I’m guessing you have bigger concerns that day.
Statement from Vodafone
“We have investigated the issue that Mr De Vere raised and agree that the top up amount provided during the call was incorrect. Since all of the other security questions asked during the call were correctly answered our agent chose to issue the PAC code directly to the customer’s mobile number via text message. This approach ensured the security of the customer’s account.” – Vodafone UK
With the top up wrong it still only leaves Name and DOB, hardly brilliant for authentication but their saving grace is the refusal to give it out over the phone call.
2 – EE
Simple pay as you go registration from EE, online I created an account with a Name+Validated email+SMS Code to the mobile device.
The three calls were made from the phone and also an SMS was sent.
In the phone menu, first of all, I am asked to type in the mobile number the call pertains too, this step isn’t shown at the start. The top up amount is wrong during the call but the agent proceeds on anyway.
The PAC number is issued over the phone – A big no no! If you read this and work for a telco operator, please stop it. The caller validation used: Number, ICCID and incorrect top up amount.
The attempt is dependant on the knowledge of the SIM Number/ICCID. This could be found in an employees draw from a left over sim pack in a phone box, it can be obtained with 10 seconds of access to most phones (iPhone>Settings>General>ICCID). More options for validation were present for the agent such as an email address, even my name but these weren’t used on this call.
Operators seem to be using the ICCID a lot, almost like a password to get access to the PAC but with the amount of places that is available from and we’re talking left over SIM card packs, the actual SIM Card in a phone, to a guy with an IMSI catcher at the end of your drive. It simply isn’t a good enough method of validation.
Statement From EE
”EE take all matters of customer information, data and fraud seriously and have strict policies and procedures in place to prevent fraudulent activity and unauthorised access. All requests to make account changes, including swapping a SIM, require the person to provide a range of details to verify their identity. In this instance, it appears our standard protocol was not followed. Following our investigation, we will take the appropriate action with the agent in question and we are reminding all of our customer service staff of the correct procedures. We’re continually improving defences against this and other types of fraud and we advise customers to establish unique and strong passwords for each of their accounts and not share passwords online or over the phone with anyone. Any customers who suspect fraudulent activity on their account should contact EE customer service immediately” – EE
So again, admitting fault. It is worth noting that EE is planning to answer all the calls from the UK by the end of the year!
3 – O2
Nice and simple online registration, the details requested were SMS Code to mobile device+Name+DOB+Verified Email+Security Question and I noted they logged the phone model (Could be browser used on the phone or IMEI, I don’t know)
Pew-Pew is the only way to describe this call. The second I’m online I hear a British accent – I know it’s going to be harder, then the operator says “I’m just sending a 4 digit code to the device” you can hear me drop in the call. Game over for most attacks, after this point I am simply coasting through the call uninterested, waiting to see if I get the PAC on the phone or sent to the device. She ends up providing the PAC on the phone call, despite saying earlier she will SMS it.
I’ve got to give it to O2, after the SMS code to verify the device it was a non-test. Convenience and security are a constant tradeoff and companies have to place themselves somewhere on this line and I think O2 are in a good place – with room for improvement, the agent can be heard explaining that she will issue the PAC number through a text. The PAC number was then given over the phone call. The caller validation used: Name, Number, SMS Code, ICCID.
Statement from O2
“We’re pleased the research shows we hold the number one position for validating our customers. The security steps we have in place help to protect our customers from any attempt of fraudulent activity. The PIN check means we can confirm the customer has the handset with them so we’re able to share the PAC code. If our Pay Monthly contract customers cannot verify the PIN, the PAC code is sent to the registered email address we have on file or to the mobile via a text message.” – O2 Spokesperson
4 – GiffGaff
GiffGaff is an online only operator you kind of manage yourself. Help is there if you need it but it’s basically DIY. I registered on their online portal and provided a SIM card code to validate my SIM and be allocated a phone number. Info provided was Username+Full Name+Validated email+Password+Address+Full Card details
…Here it got interesting – there is no one to ring! I didn’t think I’d be hearing that today. GiffGaff provides an automated call handler to provide departing customers with a PAC number. Oh dear, that’s the second time a call handler has shot a company in the foot this year on the site.
I am left with my jaw on the table, the issue can only be explained as.
If you are on GiffGaff and you lend your phone to someone to ‘make a call’ and they ring a short number. Within 30 seconds you are in a situation where they could steal your phone number and reset most of your online accounts, at any point after for up to 30 days.
I talk about the security vs convenience tradeoff a lot, it’s the way it really is with companies. Here GiffGaff place all faith the caller is the owner of the device. No effort is made after this point, they have just connected the call handler bot to the database of PAC numbers and chucked it at their customers. Providing PAC numbers is an Ofcom requirement and it’s like a bunch of accountants looked at the requirement and thought what is the cheapest way we can implement this with little to no concern for our customers. Very easy, not secure! Must adapt! If you are on GiffGaff please set a nice hard lock screen code, disable Siri, don’t lend your phone to randoms you don’t trust.
The suggested fix for this is easy. Get rid of the call handling machine. GiffGaff currently provides the PAC code very clearly in the customer portal. There is literally no need for this to be a thing.
5 – Three UK
This was done online using the iPad. Three SIMs don’t like old Nokias so I used a 4G+Cellular iPad (The device itself doesn’t really matter). I registered the SIM card using the same methods as the other online registration portals providing Name, Number and a Password. Three also are pretty clued up with recognising one of their SIMs accessing the online portal so if that counts as registration I think it’s fair to add.
I put the SIM in a borrowed phone to ring the numbers then back in the iPad.
Please forgive the rude, abrupt persona it’s just an act. No different to an actor playing a bad guy – I don’t talk to people like this normally! But it was vital the call was handled in that manner. The person in a company that issues PAC numbers is mostly a customer retention agent, they are there to mop up the frustrated customers wanting to leave and they have powers to retain. At the start of the call I wanted to remove all hope of the retention. One short burst of ‘nope’ at the start did this! If you listen closely you can hear him sigh. His next objective is just to get me off the call on to the next one.
The PAC number was provided over a landline solely using the number and a 2nd guess at a top up. The worst today I’m afraid. No PAC warning message was sent to the device following the call. In the wild, this call would be classed as highly successful. The cause for concern is the way in which authentication is performed. It’s worth noting the last top up question should be dropped as it has about 8 combinations. The very fact the operator says ‘last top up’ already means I know it’s not direct debit. With 3’s new all-in-£20 deal, £20 is of course the amount everyone is topping up with. There might be a few on £15 (No £15 bundle with 3 anymore) and even less on £10. Also fraudsters know if you’re driving a nice new Porsche then you’re probably paying Direct Debit in full – because it’s easier right? The question itself is a mockery of security – it’s like setting a one letter passcode with only 8 letters in the alphabet and having unlimited calls to ring and try!
Some operators faired worse than others. I don’t want to give them too much of a hard time, I had a suspicion this was still a very valid and legitimate attack and the work I’ve done has only concluded in what I suspected. Lyca mobile didn’t answer their registration number despite several attempts over 2 days – so they are off the post simply because they couldn’t be bothered picking up a phone in my preparation stages. I could speculate that the majority of Lyca mobile won’t even be registered if it is this hard.
The issue with PAC numbers is they have to get from the operator to the customer as securely as possible. A big part of this transaction is the trust an operator must place in a caller. They should all work on securing this trust better, not just for PAC numbers but for all customer inbound calls. O2 can lead the way in this, an SMS message to the device straight away really was a wonderful sight and if nothing else confirmed the caller was at least in the vicinity of the phone.
- All operators should work towards NEVER, EVER, giving the PAC number over an inbound phone call. The chances of being a victim to this kind of fraud drop significantly if you require the device. Worldwide attacks are then limited to people around you – still a danger mind you! But a concern you can mitigate by good phone security and vigilance.
- All operators should either call back the mobile phone or send a series of warning SMS to customers. Followed by the PAC number, maybe 24hrs in the future after 3 alert messages.
- If they have the email address of the customer, I think a warning email would go a long way. No links, no interaction just “Your PAC Number has been issued by your network, if you did not do this someone maybe trying to steal your number – please call us using 2345 from your handset”
- If you implement a good password policy, implement it for all calls? I can’t understand the point of having an account password and secret name etc if you’re not then going to use them for issuing a PAC code. If this was the same on other platforms – imagine Windows offering a login prompt only some of the time, at random?!
- Once a PAC is issued to Mr Smith, Mrs Collins can use it with completely different details! Absolutely no validation of the previous owner exists when porting a number.
- The phone number verification systems we all use should be reviewed as a single point of failure.
Customer service staff are not a commodity you can purchase, untrained from cheaper, foreign call centres – they are the undervalued guardians of our lives. The big brands have to remember this and train them accordingly.
This article might cause a fuss and I apologise in advance but the situation is clear:
Providers are responsible for their own security and account authentication processes
About the author: Richard De Vere is Director and Principal consultant at The AntiSocial Engineer Limited, he has an extensive background in physical penetration testing and social engineering, including ‘red team’ exercises and information gathering assessments. You can listen to him talk about this work and similar ways social engineering impacts people at an upcoming event he is hosting with the Yorkshire Cyber Security Cluster on the 12th May 2016. Details of the event can be found here.