background image


SIM Swaps: A 2-Factor Failure?


When a business has multiple logins, there are multiple points of vulnerability through which a hacker can gain access to your account. Over the last few years, 2-factor authentication (2FA) has become the standard for most online accounts and social networks. 2FA requires users to authenticate the account by using a secure key, which can be sent to your mobile device or generated by some form of password manager. The problem with this system is that if someone were to gain access to your phone or your phone number, they could very easily circumvent the added security and still get into your account.

The social media giant, Instagram, was recently breached due to compromised 2-factor authentication. How? SIM cards– the little chip you insert in your phone to register it with your phone number and connect to your service provider’s network.

SIM Swaps are a terrifying new way that hackers are attempting to gain access to our information. They simply convince your SIM provider that they are you, and to transfer your phone number to their personal SIM. They can then use your number to gain access to your 2-factor authentication PIN and subsequently gain access to your online accounts. SIM swaps have been causing grief for internet users all over the globe, in a range of industries. For example, Entrepreneur and Investor Michael Terpin lost over $23 million in cryptocurrencies because AT&T negligently allowed his number to be swapped over to a hacker’s SIM card.

Back in June, Reddit experienced a mass breach of several accounts. The hacker was actually able to intercept the 2-factor authentication codes sent by SMS and gain access to a plethora of data and user information.

The problem with SIM swaps is that they are impossible to predict and extremely difficult to manage. No matter how good your security is, if you use 2-factor authentication using your mobile number, you are vulnerable to SIM swaps.

So how can you prevent these kinds of attacks?

Although there is little that can be done to prevent theft like this, certain tactics can prove to be effective. For one, keep a very close eye on your personal phone and number. If for any reason, you notice that your calls are not connecting, or text messages are not delivering, it may be a cause for alarm.

Secondly, while 2-factor authentication is still the recommended security setup for individuals and businesses, large and small, a better solution may be to use an authentication app on your phone to generate a 2-factor key. Certain applications will connect with your online accounts and generate 30-second codes to log in when prompted for a 2-factor key. These applications are more secure because they cannot be intercepted but may cause problems if you lose your device; however, this is a much more certain way to ensure that your data does not end up in the wrong hands.

Applications such as Authy, LastPass, 1Password, Duo Mobile, and solutions from both Microsoft and Google can help you configure your accounts more securely and protect from SIM swaps. Many online networks allow for password authenticators, including Facebook.

Finally, for those that are most concerned for their online security, the best way to lock down your 2FA is to either use an encrypted hardware key or keep a second, completely private phone number for SMS authentication. The idea of using a private phone number can prevent hackers from attempting to steal your number or intercept your texts. Encrypted hardware keys allow for a completely physical solution to authenticate your texts. These keys can come in the form of USB’s and will simply plug into your computer to authenticate your accounts after you enter your username and password.

What valuable data could be at risk for your company? Contact the Packetlabs team today!