Oct 25, 2019 2 min read CyberOps

Quick trick to assess your vulnerability to SIM swapping

I listened to an NPR story on SMS SIM swapping on my drive in this morning. This is a pretty well-documented threat vector whereby adversaries port your phone number over to their device at a key moment in an authentication hack so they can intercept a one-time verification code and impersonate you. The way it usually plays out, the intercepted code plays a part in "recovering" a "lost" password for your email account, which they then use to "recover" more passwords for more important accounts, and so on until they've taken over your access and done something terrible. The article features Allison Nixon of Flashpoint, which instantly adds tremendous credibility to anything cybersecurity - except maybe the use of the term itself, which I'll bet she abhors.

In any event, these attacks came to prominence over the years as assets of greater value came to be protected by texted-codes. The real watershed moment was when cryptocurrency wallets gained widespread usage and employed this protection. Those of us in the business got hip to this vector pretty early, and SMS multifactor authentication (MFA) has become an "eye rolling moment" for security practitioners. It's a valid eye-roll most of the time, though we should never let perfect be the enemy of good and SMS multifactor is still light-years ahead of any service that relies on only a username and password without multifactor at all.

In general I’ve been availing myself of MFA at every chance I get for about as long as the tech has existed. And I've used “gapped one-time-password" apps and devices such as Authy, Duo, or Yubikey in lieu of SMS for a long time as well. My usage predated the SIM swap abuse we see and was more driven by a combination of nerdy appreciation of the cryptographic elegance and wanting codes available while on an airplane without SMS service. But in a recent meeting where SMS auth came up and the eyes all rolled as usual, it dawned on me that I may have a few services still left in SMS-ville, and it would be awfully embarrassing if an even-unimportant account were compromised as a result. So it dawned on me to search my text-message history for the word "code". What I found was surprising!

The net was a list of services that are using SMS to send me codes. I starting writing them out in my notebook as I scrolled through my phone, and before you know it…

SIXTEEN.

I have over 20 non-SMS tokens and a desk full of hardware authenticators, and I would have thought I had SMS on only a handful of anachronistic services that don’t offer more elegant solutions yet. But lo and behold I found 16.

Some were truly draconian and had no better alternative.

And yet others employed SMS just used for initial signup, of course.

But many others only offered SMS years ago when I registered but could now be upgraded to a "gapped authenticator". And that's where this exercise bore fruit. It was worthwhile to step through them and upgrade everything I could. You may enjoy doing the same!