Why SMS authentication is bad and how to protect against SIM card theft

Hello, Habr! In a previous article, we touched on the point that SMS is not the best method for multi-factor authentication. Yet many web services use it: social networks, email clients, payment systems. In addition, the phone number is often used as a login, for example to register on VKontakte or in Telegram.

If the SIM card is stolen and SMS is intercepted, the consequences will be disastrous. Many users correspond in messengers with colleagues and partners, so not only personal data but also corporate data will be at risk. If your company does not use a corporate infrastructure for communication, then unprotected employee accounts jeopardize the business. So it’s worth taking care of security in advance.

In this article, we’ll take a few popular services and replace SMS authentication with more secure methods. Along the way, we will figure out how to further protect accounts from theft and sleep peacefully.
The article was inspired by a MyCrypto longread dedicated to SIMJacking. We studied their recommendations and compiled an up-to-date list for Russia.


Why get rid of SMS authentication


Attackers can receive your SMS and log into your account in several ways:

  1. By getting hold of a phone with the SIM card inside.
  2. By reissuing the SIM card using fake documents. Fraudsters buy leaked passport data and forge a power of attorney or even the passport itself. Whether the operator sends the documents to its security service for inspection depends on the human factor.
  3. By stealing the SIM card in collusion with the operator’s staff.
  4. By intercepting SMS using vulnerabilities in the SIM card itself or in the phone.

The second and third methods are the most widespread. The danger is that the victim will not immediately realize that the SIM card has been stolen. A scammer has every chance to cash in before you notice the problem and manage to regain access to your SIM card.

Signs that the SIM card has been stolen:


  • The operator sends an SMS about replacing the SIM card.
  • The operator’s network disappears on the phone, and rebooting does not help.
  • Emails arrive about attempts to reset the password in various services.
  • An Apple ID or Google Account starts asking for a password.
  • Messages arrive about linking an account to a new device.
  • If push messages are used somewhere for two-factor authentication, codes from different services will start to arrive.

How to prevent theft of a SIM card


  • , -, , , ( ).
  • , SIM- . « ».
  • /Face ID.
  • , . « » -, - . .   

, -   


If the SIM card has already been stolen, you will have no more than a day to block it. Therefore, keep a quick blocking script at hand:

  • think of a way to call the operator if you have lost your phone, for example from a laptop or tablet; for instance, install Skype or Viber there;
  • top up the balance for calls;
  • find your mobile operator’s number and save it in the Skype or Viber contact list;
  • rehearse losing the phone: remove the SIM card and try to call the operator in the chosen ways.

How to get rid of SMS authentication and protect accounts 


Our general recommendation is to opt out of SMS authentication wherever you can. Let’s see how to do this for popular web services.

First, we consider services that use SMS authentication. Then we protect those where the account itself is tied to a phone number.

Google account


  1. Googl «».
  2. « Google» . .

  3. .
    , . 
    • : .
    • : , .
      , . -.
    • Google authenticator: , .
      , .
    • Google: push-   . 
    • : . , USB- Google-, , Bluetooth Google-. , , , . « ».

  4. , . , push-, ( - ).


  5. : . , . - .



  6. https://myaccount.google.com/security



    • : , . , .
    • : ,
    • : . , .
    • Ways to verify your identity, backup email address: remove the backup address.


    • Your devices: remove all unnecessary ones.


    • Third-party applications with account access: delete all applications that you are not using.


    • Sign in with your Google Account: delete anything you don’t use.
    • Access to linked accounts: if the account is hijacked, this makes it easier for an attacker to get into other sites. Delete everything.
    • Password Manager: transfer passwords to a separate password manager. Disable password autosave.



Yandex


In a Yandex account there is no way to enable two-factor authentication without binding a phone number. Therefore, we will use the “secret number” and enable additional factors elsewhere.

  1. « ».



    • : (. )
    • : . .
    • : . , . 



  2. : « ». 


  3. " ". « ».


  4. Scroll to Mailboxes and Phone Numbers. Remove the recovery addresses.


  5. Go to the Yandex Money settings, to the “Password” tab. Here we go through all three buttons.



    • Issue emergency codes: write down and save the emergency codes, just as you did for your Google account.


    • Go to passwords in the application: select “application with passwords” and synchronize with one of the applications.


    • Click “Always ask for password”.



Now protect ALL services that can use SMS authentication in the same way.

If possible, replace it or attach it to a “secret number”, and add fingerprint login.

Here is a checklist of services in order of priority:
Personal:
  • .
  • : , . . 
  • : LastPass, 1Password . .
  • : iCloud, Dropbox, OneDrive . .
  • : Mail.ru . .
  • : Vk, Facebook, Twitter, Instagram, LinkedIn, Medium . .
  • : iMessage, Skype, Slack, Facebook Messenger   . .
  • : iCloud, Google Photos . .
  • : Evernote, Scribd  . .
  • : Reddit, Stackoverflow . .
  • - . .

:
  • Source code repositories: GitHub, Bitbucket, GitLab, etc.
  • Hosting and platforms for sites: Parking, WordPress, AWS, Microsoft Azure, DigitalOcean, etc.
  • Task trackers, CRM and other work platforms: Jira, Mailchimp, Trello, etc.

Telegram


The messenger account is tied to a phone number, so in addition to two-factor authentication we will configure additional protection.

  1. Set a passcode and fingerprint login: go to Security Settings and select Passcode & Touch ID.


  2. Hide the phone number: in the security settings, find Privacy and set Phone Number to “Nobody”. Disable calls here as well. Add exceptions only for people you trust.


  3. Enable two-factor authentication with a password. Do not use your primary email for recovery.




  4. Go to Devices and close all active sessions that seem suspicious.



All these measures will not fully protect against SIM card theft, but they will stop scammers from hitting the jackpot. If employees work remotely using personal devices and publicly available web services, this will protect both their personal data and the data of their colleagues.
