Risks of Hacking via SMS Authentication

The information security industry is developing with leaps and bounds, but cybercriminals with cyber-fraudsters do not stand still. Today we will try to tell you why crypto traders and crypto enthusiasts, and any adequate people with a high need for confidentiality should stay away from SMS authentication and telephones, and why it’s time for SMS authentication to fall into oblivion.

We always recommend all our customers to untie SMS authentication wherever it is possible. This always raises a number of questions and requests so it’s time to talk about this in more detail.

So, the risks of intercepting SMS lies in the fact that an attacker, by intercepting a message, is able to seize your digital accounts, where the phone number is used as one of the forms of authentication or access recovery.

The main options are:

1. Bugging. The interception of SMS by law enforcement officers as a result of abuse of authority or misuse of materials by unsolicited investigative actions.
2. Duplication (cloning) of the SIM card through the mobile operator using the customer’s personal data and further use of the cloned SIM card in illegal activities.
3. A false base station of all incoming subscriber messages and further use of intercepted data in unlawful activities.
4. Hacking of the ‘Personal Account’ of the subscriber on the site or application of the cellular operator and forwarding all messages to the attacker`s address, as well as further use of the data obtained in unlawful activities.

Now let’s look at each of the risks in detail.

Bugging

The hidden investigative actions, among other things, provided for by chapter 21 of the Criminal Procedure Code of Ukraine include, ‘Withdrawal of information from transport telecommunications systems’, which in the populace is called wiretapping. In the Russian Federation, this is in accordance with Article 186 of the CCP – ‘Monitoring and recording of negotiations’. All over the world, there are similar rules for wiretapping.

The permission to conduct a wiretap is given in the following cases

• on criminal cases;
• on counterintelligence cases;
• in the framework of foreign intelligence.

Subjects who are allowed to use wiretapping are law enforcement agencies, special purpose law enforcement agencies (intelligence services), and foreign intelligence services.

Bugging in Ukraine and in most countries is conducted only for serious crimes. ‘Felony’ in Ukraine corresponds to the article, which assumes the term of imprisonment of a suspect of 5 years. For example, ‘Evasion from payment of taxes’ is not a heavy asset and it is impossible to receive a wiretapping in such case.

It’s vital to note that details of the forms and methods of conducting unsolicited investigative actions relate to information with limited access, for which disclosure criminal liability is provided, so that we will rely only on publicly available information and on foreign counterparts.

The harsh realities of the law enforcement system in the post-Soviet countries shows an extremely high level of corruption among law enforcement agencies. The expression ‘everything is bought and sold’, unfortunately, is also relevant in this area. Securocrats use searches and seizures and wiretaps as one of the forms of pressure on business, and sometimes for unvarnished raiding and robbery. Sometimes it’s just politics.

Let’s look at this in a very simple example. Investigator A starts a criminal case on the invented statement of Citizen Sh about alleged fraud on the notice board in the cyber domain. Citizen Sh claims that unknown fraudster asked him for an advance payment for the purchase of an IPhone 7 for a QIWI purse tied to a phone number of +38 … received money and walked off into the sunset. Investigator A classifies this action under Article 190 Part 3 of the Criminal Code of Ukraine ‘Computer Fraud’.

Within the framework of the criminal case, Investigator A receives a permission from the investigating judge to carry out unsolicited investigative actions. Next, some ‘unknown’ intercepts SMS on the specified number and restores access to Gmail’s Witness K’s email, which actually owns the number mentioned above. Further magically, the ‘unknown person’ using the password recovery form on the exchange gets full control over Witness K’s finances and also ‘walks off into the sunset’.

Citizen Sh suddenly states that he managed to amicably settle the conflict with the abuser. Investigator A closes the criminal case due to the absence of corpus delicti (there are many options, how else to do it). Witness K, after discovering the loss of the crypto, writes a statement to the police about the loss, but receives a refusal to enter data into a single register of pre-trial investigation, since the crypto currency is not money, an asset or goods, and it is impossible to steal it from the point of view of the Criminal Procedure Code. In this case, lawyers advise Witness K to write a statement about the fact of hacking the mail (exchange, purse). Then the investigation comes to a standstill.

Summing up: If you think that two-factor authentication in Telegram will accurately protect your correspondence, then you are mistaken. Remember that new malevolent schemes are created every day, and the security of the entire system is characterized by the safety of the weakest link in it.

Duplication (cloning of SIM cards)

Most cellular companies over the procedure of recovering a lost or stolen SIM card requires a copy of the passport (seldom checked with the original) and 2-3 last outgoing or incoming SMS. In addition, large companies’ call-centers employ ‘scripted people’ who do not have time to check everything, they simply follow the instructions.

By means of a particular example: the malefactor somehow manages to get a scan of your passport (university, work, hospital, Internet). Scan can be ordered at any similar passport store or on an old good forum for novice hackers (note, the store and forum is listed only as an example, this is not advice or a call for an action).

After receiving the scan, the attacker calls you on the pretext of a very important matter and asks you to call back for any reason. He repeats the request several times and hangs up on the pretext, for example, of a bad connection. After that, he keeps the data about your last calls, goes to the operator, and with the phrase ‘I forgot my passport, but I have a copy’, or by ‘prior arrangement’ easily gets a copy of your SIM card, answering questions about the latest outgoing or incoming calls.

Summing up: Then the classic begins with ‘restoration of the access’. In addition, you can create a clone Telegram, for example. Specifically described in this example, the circuit may not work in practice, but the analogs still work. Especially with amateurs who send documents through social networks.

False Base Station

You may ask ‘where will the criminals take money for an expensive equipment’ or ‘how will they decrypt the SMS’. The truth is that the Internet already has complete manuals for raising a false base station for intercepting SMS for $30 and a simple software.

Let me remind you that in 2010 the cost of handicraft equipment for interception of GSM actually started from $1500 to 5000. There is also more expensive and hard-to-reach equipment described in this article. Already relatively long ago there are quite large projects like OsmocomBB for studying GSM-networks and researching interception of data in GSM-networks.

Let’s model an example. Armed with a Motorola phone for $30, a pair of cords for $15 and a laptop, an attacker parks near your house/apartment/cottage, raises a false cellular station, intercepts SMS, restores all necessary accesses and escapes. Of course, we described a simplified version, in fact the entire process looks something like this with certain ‘modifications’ and, as a rule, requires preparation of the entire infrastructure in advance. It is important to warn that the example describes the concept of deploying its own base station without interacting with the real system.

Summing up: In reality, everything would be even more difficult, but the general tendency of the exposure of cellular operators to such attacks is visible here.

Hacking a personal account on the site

There are situations when cellular operators, saving on the security of their services, allow the possibility of hacking their own sites or applications through ‘personal account’, in which, as a rule, there is a wide functionality – from receiving SMS directly on the site to managing the user’s balance.

There is a real example of one mobile operator in Ukraine, which allowed the binding of an arbitrary number.

Summing up: All this illustrates the attitude of operators to information security. Sometimes you can pretend to be a ‘newbie’ and ask to set up a private room right in the liaison room for the granny who has forgotten phone at home, but the attacker, for example, suddenly has a copy of her passport at hand. The essence is simple: after taking possession of the user’s personal cabinet, you can change the routing of calls and SMS and redirect them to the number of the attacker.

How to Protect Yourself?

How to protect against the outlined risks? We forbid our clients to use the main phone as the recovery number for accessing important information. It must be necessarily another number, bought specifically for this purpose, never inserted in any of the used phones (so that it cannot be found and linked by IMEI). This phone should be in a dry, cool, and inaccessible place, turn on and replenish every 2-3 months to avoid the possibility of re-issuing the SIM card by the operator due to long non-use.

We recommend not to include such a number in the country of permanent deployment and activate services tied to this number, somewhere abroad. This is due to the peculiarity of the work of cellular operators and the conduct of wiretapping.

If an attacker does not know your recovery number, it will be more difficult for him to determine the target to be seized. Therefore, one number should be for social networks and completely different – to restore Gmail and financial payment tools.

In Europe, for example, in Germany, the level of protection of personal data is much higher than in the CIS countries, and therefore the combination with ‘came to the office and restored the number’ will not work. Moreover, you can ask any friend abroad (if any) to issue a recovery phone number under their passport details and store the SIM card at home.

Summing Up

We tried to contain as briefly as possible the main risks and ways of neutralizing them within the framework of this article. We have to warn that the list of risks listed above is not exhaustive, and for this purpose there are companies like Hacken.io that think out threats and risks for you, make up all possible vectors of attacks, starting from ‘securocrats’, ending with ‘hackers’ and even test the security of your applications.

Originally published in forklog