Last spring, Dena Haritos Tsamitis left a work meeting to discover she was unable to get a signal on her cellphone. Even after rebooting the device, she couldn’t get service, leaving her unable to contact her college student daughter, who usually communicated with her throughout the day.
“She was frantic, worrying about me, because she had tried to reach me several times,” Tsamitis says she learned when she got home. “She said she called her friend to pick her up to look for me, because she was worried about me.”
Tsamitis called her phone company for help with the issue, only to discover she had been the victim of fraud.
“The customer service representative said, you purchased new phones earlier this afternoon, and therefore we cut the service from the old phone,” says Tsamitis. “And I said, no, I didn’t, I’ve been in meetings this afternoon.”
When it comes to digital security, Tsamitis is about as far from an amateur as one could be: She’s a professor at Carnegie Mellon University, director of the school’s Information Networking Institute, and a founding director of CMU’s CyLab security and privacy institute. Yet it was still easy for criminals armed with fake IDs to purchase new devices and charge them to her account, a problem that wasn’t resolved until she spent hours on the phone with her carrier and even visited one of the company’s retail stores.
“It’s just very frustrating, and the carrier didn’t really have an appropriate response or guidance as to steps I can take,” she says. “I was just overwhelmed and frustrated at the number of hours it took to deal with this.”
And while the fraudsters who targeted Tsamitis may have simply been looking to steal hardware, other victims of similar crimes have seen attackers also hijack other logins linked to their phone numbers. Criminals who can trick or hack phone companies into letting them access legitimate customers’ accounts can use text-message-based password reset tools to gain access to private emails, social media, and even financial accounts.
“I was hacked today: my Twitter account, two email addresses, & my phone,” wrote Black Lives Matter activist DeRay McKesson on Twitter last June. “It was not due to passwords, they hacked my phone account itself.”
By calling @verizon and successfully changing my phone’s SIM, the hacker bypassed two-factor verification which I have on all accounts.
— deray mckesson (@deray) June 10, 2016
Calling his phone company, hackers were able to impersonate McKesson, have his phone number assigned to a new SIM card under their control and use that to reset his Twitter password through text-based authentication, he wrote. They then posted a number of tweets to his account, including one endorsing Donald Trump for president.
He isn’t the only prominent victim of such an attack: the popular YouTube host known as Boogie2988, known for his viral video rants under the name “Francis,” wrote on Medium last fall that a teenage hacker used a similar technique. The hacker tricked a Verizon employee into rerouting Boogie2988’s phone number to the hacker’s phone, which allowed the hacker to take control of Boogie2988’s email, YouTube, social media, and even PayPal accounts.
“PayPal had been raided but luckily they managed to freeze the assets when they realized something was wrong,” he wrote. “I had been locked out of my own account though and it took hours on the phone to regain access.”
Other accounts took weeks to recover, wrote the YouTube star, who didn’t respond to multiple requests for comment. And while he and Tsamitis were hacked by criminals who tricked individual phone company workers, other criminals have pulled off similar feats by exploiting security holes in phone company networks. Earlier this year, hackers reportedly drained German bank accounts by intercepting login confirmation codes sent via text, directing phone company computers to route the texts to their own systems.
Meet Signaling System 7, A Hacker’s Best Friend
The attack, and others like it, relied on an esoteric worldwide computer network known as Signaling System 7. It’s essentially a decades-old parallel internet used by telephone companies to route calls and texts between their systems, and experts say it was built with little attention to security, since historically phone companies assumed they could trust one another.
“In the 1980s, this is AT&T, they’re making an interconnect agreement with British Telecom in the U.K.,” says Dawood Ghalaieny, CEO of Dublin telecom security company Cellusys. “They don’t have any reason for BT to defraud them.”
But in the cellphone age, the number of companies with access to the global phone network has exploded, and not all telephone companies have the same level of security.
Many of those phone companies have systems connected both to the traditional internet and the phone signaling system. And like all internet-connected systems, they can be compromised by hackers who spot security flaws like out-of-date software with vulnerabilities or fire off targeted phishing attacks to employee inboxes.
Through such hacks, or if an unscrupulous employee allows them access, fraudsters can send messages through the phone signaling network, impersonating the hacked company. They contact the victim’s carrier, falsely claiming that the victim is traveling and using their phone on the hacked company’s network. Then, the victim’s phone company will route the victim’s incoming calls and texts to the hacked network. There, instead of being delivered to the victim’s phone, they’re passed on to the hackers. Since phone signaling systems are designed to make roaming across networks easy, and were built without this kind of fraud in mind, hackers are able to steal messages from even some of the most digitally secure phone companies by hacking into a weaker carrier elsewhere in the world.
And while theoretical attacks on the SS7 system have been discussed at computer security conferences for years–computer security experts even worked with Rep. Ted Lieu, a Democratic Congressman from California, to demonstrate the technique last year on 60 Minutes–phone companies have had difficulty fixing the problem.
“Security was never supposed to be a part of this, so applying security on top of all of this is a bit of a hack,” says Ghalaieny. Phone companies are gradually adding tools similar to internet firewalls that can filter out suspicious requests. For instance, they can notice if a phone is suddenly claimed to be connected to a network halfway around the world from where it was recently operating, and then alert security teams or block the request as clearly fraudulent, he says. And carriers and their security contractors can look for unusual patterns of requests that could indicate fraud, just as in other areas of digital security.
“You look for signatures, if you’re seeing certain patterns you proactively either stop them or you notify [security officials] so they’re not happening again,” says Pardeep Kohli, CEO of Dallas-area telecom software company Mavenir.
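The implausible-travel check Ghalaieny describes, written out as an added example (not Cellusys or Mavenir code): each claim that a subscriber's phone has attached to some network is compared with the previous claim for that subscriber, and any pair whose implied travel speed exceeds what an aircraft can do is flagged. The event schema, the coordinates, the network labels and the 1000 km/h threshold are all constructed for the illustration.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class LocationUpdate:
    """One claim that a subscriber's phone is attached to a given network (constructed schema)."""
    subscriber: str   # pseudonymous subscriber id
    network: str      # label for the network making the claim
    timestamp: int    # Unix seconds when the claim arrived
    lat: float        # approximate position of that network
    lon: float

# Fastest plausible travel in km/h; anything faster cannot be a real traveller.
# The threshold is an assumption, not a value from any carrier's policy.
MAX_SPEED_KMH = 1000.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def implausible_updates(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (previous, current) pairs whose implied travel speed exceeds the limit.
    Updates are grouped per subscriber and compared in time order; a hop faster than any
    aircraft is what a signalling firewall would block or escalate to the security team."""
    by_subscriber = {}
    for e in sorted(events, key=lambda e: e.timestamp):
        by_subscriber.setdefault(e.subscriber, []).append(e)
    flagged = []
    for updates in by_subscriber.values():
        for prev, cur in zip(updates, updates[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = max(cur.timestamp - prev.timestamp, 1) / 3600.0  # clamp to avoid division by zero
            if km / hours > max_speed_kmh:
                flagged.append((prev, cur))
    return flagged

# Constructed sample: sub-A "appears" in Sydney ten minutes after Pittsburgh (fraud signal);
# sub-B appears in London ten hours after Pittsburgh (ordinary travel, not flagged).
SAMPLE_EVENTS = [
    LocationUpdate("sub-A", "home-net", 1_500_000_000, 40.44, -79.99),
    LocationUpdate("sub-A", "visited-net-1", 1_500_000_600, -33.87, 151.21),
    LocationUpdate("sub-B", "home-net", 1_500_000_000, 40.44, -79.99),
    LocationUpdate("sub-B", "visited-net-2", 1_500_036_000, 51.51, -0.13),
]
```

A real deployment would feed this from the signalling gateway's location-update stream and combine it with the signature-based filtering Kohli mentions; the velocity rule alone catches only the geographically absurd cases.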
How Safe Is 2-Factor Authentication In The Age Of Phone Hacking?
To keep data safe from phone company hacks and fraud, many experts advise moving away from SMS-based authentication whenever possible. Ordinary text messages have recently gained popularity as part of two-factor authentication, where users log in to systems using two proofs of identity, like knowledge of a password and possession of a physical item. ATMs, which require both a card and a PIN to withdraw money, are a classic example. These days, many online services require users to enter a password and also a PIN texted to their mobile device before they log on to an internet-based service. But the National Institute of Standards and Technology last year stopped recommending SMS for the two-factor practice, thanks to the risk of phone hackers getting access to those texts.
Some companies now offer alternative approaches, including tools like Google’s Authenticator that use secure algorithms to generate codes on a user’s phone rather than sending them over the airwaves, and apps that send login codes over encrypted connections so that attackers can’t read them even if they intercept them.
“Systems like what we have at Duo are a lot safer because essentially what they do is verify who they’re talking to, and they actually validate they’re talking to the right device,” says Steve Manzuik, director of security research at two-factor authentication provider Duo Security. Duo’s app, like Google Authenticator and some other apps, uses a secret digital key that’s only stored on your phone to generate onetime login codes that Duo servers can verify came from your device, without needing to send text messages back and forth.
Similar systems are increasingly used by financial institutions to verify banking app users beyond just checking their passwords, he says.
But while there’s no doubt that text-based verification can be vulnerable to hacks and scams, Manzuik argues that in cases where it’s all that providers offer, it’s still better than simply using passwords.
“It definitely is risky, but it also depends on your personal threat model,” he says. “For the average person, I think having SMS is a lot better than having nothing at all.”