SIM hijacking and the flaws of traditional two-factor authentication

SIM hijacking recently emerged as fraudsters’ latest tactic to access your personal accounts. And to be honest, it’s impressive. 

By tricking your mobile service provider into believing he’s actually you, a hacker can transfer your telephone number to his device. Once the switch is made, the hacker gains access to your online accounts and even receives the two-factor authentication codes sent to your phone.

Although SIM hijacking takes a devastating toll on users’ privacy and digital security, the mobile industry is still struggling to prevent these kinds of attacks. But here’s what we know for sure: Phone numbers are a deeply flawed method of security. 

How does SIM hijacking work?

Nearly two-thirds (60%) of people report that having personal information compromised is their biggest cybersecurity concern, according to OpenVPN’s 2018 Cyber Hygiene study. Yet, many people don’t understand the risks they face. In fact, 25 percent of respondents said they use the same password for all online accounts, demonstrating the confusion that still exists around cybersecurity.

One of the latest developments in cybercrime takes advantage of that confusion to access users’ personal information via their mobile devices. SIM hijacking moves your mobile account onto a SIM card that is in the hackers’ possession. How do hackers pull it off? Simple. They just call your mobile provider and pretend to be you.

Using personal information (full name, address, DOB, last four digits of your social security number, etc.) acquired through the dark web or other nefarious means, the hijacker successfully passes the two-step verification process. He then claims your SIM card is lost and asks the provider to port the phone number to a SIM card he already owns.  

Now that he’s taken control of your phone number, the hacker enjoys access to an alarming number of online accounts – Instagram, Amazon, Netflix, Paypal and other applications that rely on phone numbers as a method of authentication are vulnerable to breaches through SIM hijacking.

But the nightmare scenario arises if the hacker leverages SIM hijacking to gain access to your financial accounts. Most banks have added extra layers of security to prevent unauthorized account access. For example, Bank of America offers SafePass – a multi-factor security mechanism that sends customers a one-time, six-digit code to authorize higher-value transfers.

Here’s the catch: The one-time code SafePass users receive arrives on their mobile devices. If the hacker hijacks your SIM card, the code is sent to his device, leaving your bank account exposed to fraudulent transfers and theft.

VPNs may be the best response to SIM hijacking

Multi-factor authentication can prevent many types of cyberattacks. By requiring users to provide additional personal information and/or a one-time code (like SafePass), banks and service providers create additional safeguards against theft and unauthorized account access. 

But these kinds of safeguards may not be enough to prevent cybercrime caused by SIM hijacking. Remember: SIM hijackers often possess personal information about their victims – it’s what they use to con the mobile provider into transferring the mobile number to a new SIM card. By gaining access to the victim’s mobile device, the hijacker may then control both the mobile number and the credentials necessary to claim ownership of the victim’s financial or bank accounts.

That’s where virtual private networks (VPNs) enter the picture. VPNs offer a level of security that limits the fallout of a SIM hijacking event on users’ financial accounts. When banks set up VPNs to improve customer security, users are issued a certificate for every device. To log into an account, the certificate on the device must match the certificate assigned to the account; if it doesn’t match, the login isn’t validated. Since the VPN credential operates independently of the SIM card, it prevents SIM hijackers from accessing users’ accounts.

Google’s “zero trust” security framework operates on the same principle. Users must certify every device that accesses the network. Device certification eliminates reliance on perimeter security and mitigates the risk of unauthorized access from either outside or inside the network. Essentially, “zero trust” security assumes all users who request access are untrustworthy and forces them to verify the authenticity of their device as well as their login information, making it virtually impossible for hackers to gain access.
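To make concrete what “the certificate on the device must match the certificate assigned to the account” means in both the VPN and the zero-trust description above, here is an added Go example (not OpenVPN’s or Google’s code) modelling the server side: each account stores the fingerprints of its enrolled device keys, and a login must present an enrolled key and sign a fresh challenge with it. The phone number plays no part in the check, so a hijacked SIM gives the attacker nothing. Ed25519 keys stand in for the page’s device certificates, and the `Account` type, `Fingerprint` and `VerifyLogin` names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Account is a hypothetical server-side record: the set of device public keys
// enrolled for the user, indexed by fingerprint. No phone number is involved.
type Account struct {
	Devices map[string]ed25519.PublicKey
}

// Fingerprint identifies a device credential by the SHA-256 of its public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// RegisterDevice binds a device key to the account at enrollment time.
func (a *Account) RegisterDevice(pub ed25519.PublicKey) {
	if a.Devices == nil {
		a.Devices = map[string]ed25519.PublicKey{}
	}
	a.Devices[Fingerprint(pub)] = pub
}

// NewChallenge returns a fresh random nonce the device must sign.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// VerifyLogin accepts only a device whose key is bound to this account and
// which proves possession of the private key by signing the challenge.
// An attacker who has taken over the phone number cannot satisfy either test.
func (a *Account) VerifyLogin(pub ed25519.PublicKey, challenge, sig []byte) error {
	reg, ok := a.Devices[Fingerprint(pub)]
	if !ok {
		return fmt.Errorf("device credential not assigned to this account")
	}
	if !ed25519.Verify(reg, challenge, sig) {
		return fmt.Errorf("device failed proof of possession")
	}
	return nil
}
```

The registered key (`reg`), not the key the client presents, is what verifies the signature, so a caller cannot substitute a key of its own choosing.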

With sophisticated attacks on the rise, businesses can no longer rely on text messages or phones as a second factor of authentication. Although VPNs are slightly more restrictive for public services, many businesses recognize the need for added security and are moving to VPNs. And for the millions of mobile phone users who are vulnerable to SIM hijacking, it’s not a moment too soon. 

Francis Dinha, CEO of OpenVPN