SIM Swapping Cryptocurrency Theft Case Exposes OTP Weaknesses

Date: 2019-06-13
Author: Anders Adolfsson, Technical Consultant

News articles supply fresh reasons nearly every week why pushed one-time passwords (OTP) and out-of-band channels used as identification are terrible ideas when it comes to data security.

In one recent egregious example, nine people were charged with stealing nearly $2.5 million in unnamed cryptocurrency from random people. As the story goes, six members of a hacking group known as "The Community" apparently bribed three mobile phone service providers to turn over the stolen identities of their companies' users.

One member of the hacking group, Irish citizen Conor Freeman of Dublin, just 20 years old, faces as much as 100 years in a U.S. prison (he would be extradited to the U.S.) for his part in the scheme. All the defendants are being charged with wire fraud. The hackers are also charged with aggravated identity theft.

As their name implies, one-time passwords are valid for just one login session or transaction on a computer system or other digital device. Out-of-band authentication is a type of two-factor authentication that requires a secondary verification step over a separate communication channel, in addition to an ID and password.

The lesson in cases like this is that users must watch and understand their log-in activity and adjust their security requirements as needed with any external identity provider (IdP). When they log in using SMS, for instance, they are relying on the security of a third party's infrastructure (the mobile carrier, in this case) and are trusting that company to handle user identities, and their authentication and verification, carefully.

Because in this case the infrastructure was attacked (by an inside job), the security of the whole workflow was compromised, and the hackers made off with nearly $2.5 million.

In the cell phone case, the U.S. Department of Justice says the "SIM swapping" the hackers used involved fraudulently porting a user's number to a new SIM card belonging to the attacker. They fooled the provider into porting the number by supplying the personal information the port process requires (in this case, information handed over by the telcos' employees).

Once they had the numbers successfully linked to their SIM cards, the hackers reset passwords and gained access to online accounts - from cloud storage to email to cryptocurrency wallets.

SIM swapping, especially when it leads to the infiltration of cryptocurrency accounts, is a growing trend, according to other news reports.

What this incident and others like it tell us is that even when users and subscribers are skilled in technology (and not everyone is), companies should inform them if and when any security concerns take place in back-end systems regarding their accounts. Notification of activity like this would give the end user the chance to monitor such things and alert the IT department about suspicious actions being performed.
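As an added illustration of the monitoring this paragraph calls for, tied to the SIM-port mechanics described earlier, here is a small detection routine (example code written for this page, not part of the original post or of vSEC:CMS). It assumes the online service receives port notifications from the carrier and records them beside its own SMS-OTP events in a plain text log; the log format, the event names `sim_port`, `port_acknowledged`, `otp_reset` and `otp_login`, the 48-hour risk window and the sample log lines are all constructed for this example. An OTP-based reset or login that follows a port the subscriber has not confirmed through a non-SMS channel is flagged for step-up verification instead of being trusted outright.

```python
"""Flag OTP-driven account actions that follow a SIM port on the same number.

Added example (not Versasec / vSEC:CMS code). It assumes a service receives
carrier port notifications and records them next to its own OTP events in a
simple text log; the log format and event names below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event kinds (hypothetical names chosen for this example).
SIM_PORT = "sim_port"                    # carrier reports the number moved to a new SIM
PORT_ACKNOWLEDGED = "port_acknowledged"  # subscriber confirmed the port via a non-SMS channel
OTP_ACTIONS = {"otp_reset", "otp_login"}  # actions that trusted an SMS one-time password

# How long after a port an OTP-based action is treated as high risk (assumed value).
PORT_RISK_WINDOW = timedelta(hours=48)


@dataclass(frozen=True)
class Event:
    ts: datetime
    phone: str   # the subscriber number the OTP would be delivered to
    kind: str
    detail: str = ""


def parse_line(line: str) -> Event:
    """Parse '<ISO-8601 UTC> <phone> <kind> [detail]' (constructed log format)."""
    ts_text, phone, kind, *rest = line.split(maxsplit=3)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, phone, kind, rest[0] if rest else "")


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def flag_post_port_otp(events, window=PORT_RISK_WINDOW):
    """Return (otp_event, port_event) pairs that deserve a step-up check.

    An OTP-based action is flagged when the number was ported within `window`
    and the subscriber has not acknowledged that port through a channel the
    new SIM holder does not control (in-app prompt, authenticator, call-back
    to a second number). Events are processed in time order, so a later port
    resets any earlier acknowledgement.
    """
    state: dict[str, dict] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        s = state.setdefault(ev.phone, {"port": None, "acked": False})
        if ev.kind == SIM_PORT:
            s["port"], s["acked"] = ev, False
        elif ev.kind == PORT_ACKNOWLEDGED:
            s["acked"] = True
        elif ev.kind in OTP_ACTIONS:
            port = s["port"]
            if port is not None and not s["acked"] and ev.ts - port.ts <= window:
                alerts.append((ev, port))
    return alerts


# Constructed sample log: one subscriber whose number was ported and then used
# for two resets, one who confirmed a legitimate port, and one with no port.
SAMPLE_LOG = """
2019-05-01T09:00:00Z +15550000001 otp_login service=email
2019-05-03T14:20:00Z +15550000001 sim_port carrier=exampletel
2019-05-03T14:35:00Z +15550000001 otp_reset service=email
2019-05-03T15:10:00Z +15550000001 otp_reset service=wallet
2019-05-02T08:00:00Z +15550000002 sim_port carrier=exampletel
2019-05-02T08:30:00Z +15550000002 port_acknowledged channel=in_app
2019-05-02T09:00:00Z +15550000002 otp_login service=email
2019-05-10T12:00:00Z +15550000003 otp_reset service=email
"""

if __name__ == "__main__":
    for otp_ev, port_ev in flag_post_port_otp(parse_log(SAMPLE_LOG)):
        gap = otp_ev.ts - port_ev.ts
        print(f"STEP-UP REQUIRED {otp_ev.phone} {otp_ev.kind} {otp_ev.detail} "
              f"({gap} after SIM port, unacknowledged)")
```

The routine does not block anything on its own: a port is often legitimate (a new handset, a replaced card), so the sensible response is to require verification through a factor the SIM does not carry, such as a hardware credential or an in-app prompt, before honouring the reset. It also makes the author's point concrete: a service that never learns of the port cannot apply a check like this, which is why back-end events of this kind need to reach both the service and the subscriber.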

To learn more about how vSEC:CMS can help protect your customers and employees, contact us here.