Large companies are exposed to vulnerabilities that can cause serious financial losses – and some of these vulnerabilities come from apparently secure procedures. This has been highlighted by a recent lawsuit against AT&T for the theft of a total of 24 million dollars from one of the company’s clients, the cryptocurrency investor, Michael Terpin. Far from carrying out a highly complex attack that got through the firewalls and security barriers in the cryptocurrency platform or the telecommunications company, the attackers used an extremely simple attack vector: the victim’s phone number.
SIM cards are vulnerable
Terpin is basing his lawsuit on the responsibility the provider has for the double attack that he suffered: the first of the attacks used a SIM swap hack that gave the attacker access to his phone, and thus to all his applications for online services. In this context, SIM cards are essential in two factor authentication (2FA) processes. In theory, there can’t be two SIM cards with the same number at the same time; as such, the authentication of an online account using a phone number is an apparently secure process: the owner of the account receives the tokens – that is the access codes for the online account – generally via SMS, straight to their mobile.
However, there are times when the SIM card may not be under the control of its owner, either when the card has been lost or otherwise physically disabled. At this moment, the data can be transferred to a device belonging to someone else, who has usurped the real owner, whether intentionally or by mistake. According to the lawsuit, after the first SIM swap hack, an AT&T employee must have shared with an attacker one of the tokens received by Terpin on his phone to reactivate the SIM card.
This is how the second attack would have taken place: the attacker, after gaining control of the SIM and, as such, all of Terpin’s online accounts with 2FA, was able to access the cryptocurrency platform and in this way, extract his money. Terpin believes that the provider is negligent, both for the employee complicit in the theft, and for not cancelling the connection between his data and the SIM quickly enough to get ahead of the attacker.
In any case, he is not the first victim of this kind of attack, since 2FA is one of the most commonly used procedures in large companies for their online services. For this reason, many experts have cast doubt on the security of 2FA via mobile phones.
Given that users are entirely in the hands of their own devices and of the security measures of the telecoms operator, if this authentication is the only control measure, it can also be dangerous for large companies. Especially if employees use corporate mobiles that give them access to sensitive company information. As we mentioned in a previous blog post, directors are the largest risk for a company’s mobile security, and if, in addition, it is a large company, the losses stemming from an attack could run into millions.
While it may sound surprising, it is large companies (not SMEs) that act worst when faced with cyberattacks and vulnerabilities. This is what is shown by the data in the report Penetration Risk Report, written by the cybersecurity advisor Coalfire.
The study shows that of the vulnerabilities found in large companies, 49% were deemed high risk, compared to 38% in SMEs. Among the most common vulnerabilities mentioned in the study were insecure protocols. This last case includes the security risks related to corporate mobile phones, such as SIM swat hacking, as happened to Terpin.
How can large companies minimize their mobile security risks?
As 2FA has been shown to be insufficient, employees should use authentication apps for their corporate devices. These apps generate a temporary 6 digit tokens linked to chosen accounts, which are automatically regenerated every 30 seconds, thus significantly reducing the options for attackers to take control of apps and services, even if they have managed to take over the SIM.
Another key measure for improving mobile security is to protect the corporate network itself: heads of security must provide workers with encrypted connections so that employees can securely access corporate systems remotely, using virtual private networks (VPNs).
Finally, it is vital that large companies have advanced cybersecurity solutions that offer detailed visibility of all the activity on endpoints, total control off all running processes and a reduction of the attack surface. Having a partner like Panda for Key Accounts is a guarantee of avoiding risks. We are allies of Key Accounts, with a department dedicated exclusively to providing support and specific solutions, as well as creating a security strategies for companies with over 5,000 workstations. We focus on what is most important: our strategy is aimed at protecting the endpoint, where all the employees’ and the company’s critical information is stored. In this way, we manage to keep any kind of attack, no matter how complex it may seem, from endangering companies.
The post The risk of using phone numbers as authenticators for sensitive information appeared first on Panda Security Mediacenter.