A recent story by my colleague reminded me a big problem we have in IT Security industry. There is a focus on technical aspects of penetration tests, network and application security, while the chain is only as strong as its weakest link.
The story is real and actually the attack vector is quite well known. The victim used SMS as a second factor authentication (yes, I published Is SMS-based 2-FA really that bad? but never said that it is the best solution, see the follow-up Secure 2-FA guide) and here is how the attack started. An attacker was able to buy an anonymous pre-paid SIM in a convenience store and using just the full name and date of birth of the victim, he transferred the victim's phone number to the other telecommunications provider. Just like that, without any form of ID.
Can YOU actually protect yourself from this kind of attack?
The simple answer is - no. It's not even worth checking procedures at your telco provider, because it's the other one who is stealing your number.
You can mitigate the risk at some level by lowering the usability - register a second phone number and use it only for 2-FA. Websites which care about security do not disclose the full mobile phone number used for 2-FA and even if the attacker compromised your password, he would not be able to know this number. Do not store this number anywhere, especially in your e-mail or address book and do not set it as a contact phone in your bank.
How telcos can authenticate users when transferring a phone number?
Firstly, an example from Poland - in such cases telcos send a SMS message to the current number to confirm the transfer. Simple and not very costly.
Not surprisingly, call the current number! If you receive a phone call from a telco provider that someone wants to transfer your number, you won't answer yes.
Require a photo ID at a branch. Not just a scan, it can be faked. Or just stolen - if an attacker wants to transfer your 2-FA phone number, he can already have access to your mailbox where some people store scanned IDs. Usability - low.
Any trusted profile at a gov level using which you can sign such a request - e.g. in Estonia they have eID with a chip in it, thumbs up!
Block the old number for a day or two, maybe it raises some suspicion. Still, you might be on vacation or just enjoying a weekend without a phone at this time.
Have you ever pen tested procedures?
Companies often put a huge focus and budget on testing the IT platform itself but what about the IVR channel?
What data do you need to reset password or 2-FA device at your bank? Can you do it online?
Does your bank offer an IVR banking service? How do you authenticate in IVRs? Why do you need PINs or passwords if all you need is full name, date of birth or few details about your products? Can you change security questions? Or it is your personal data such as mother's maiden name or place of birth?
Do you remember the IVR PIN number you set 5 years ago? Can you turn IVR channel off? Why do we care about strong passwords if we allow 8-digit PINs in IVR with the same functionality as web online banking?
VoIP is getting more popular nowadays. Does your telco provider allow to activate additional VoIP access on your number? Does it allow to read or forward SMS to e-mail? Which data telcos require for authentication? Can you do it without access to your phone?
Some companies invest millions of dollars year by year to test security of your platform but all the attackers needs to do is call the domain registrator and reset some passwords? What authentication data do you need to transfer your domain?
Next time when you consider testing a web or mobile application, include testing authentication to all channels where you can remind, change or reset a password or 2-FA device in the target application. The attacker does not care if it was "out-of-scope".
Remember: a chain is only as strong as its weakest link.