The recent incident of the SIM Swap Scam which victimized Ian Caballero has exposed the long-known weakness of 2-factor authentication which uses an owner’s mobile number to verify online banking transactions and site logins.
The premise of a two-factor authentication theoretically strengthens the security of online accounts. This has been used by GMail for the longest time (introduced by Google in 2011) and then implemented later on by several other sites like Facebook and Paypal.
Even online banking sites like BDO have introduced SMS verification as well (One-Time Password).
Two-factor authentication requires two separate credentials — the standard password that a user memorizes and a second password or PIN which is sent to the user’s mobile phone within minutes of logging in.
This makes it harder for the scammer or hacker to intrude into emails or online banking accounts as the system requires to passwords. The premise here is that the 2nd factor, which is the SMS, is impossible to sniff out because it is understood to be within the possession of the owner.
With the second security option, it now becomes impossible for a hacker from China or Russia to hack into your GMail account because they will have to gain access to your mobile phone too.
The SIM Card Scam has demonstrated the very weakness of the 2nd physical factor — the SIM card.
Once a scammer or thief gains physical access of your mobile phone or SIM card, the modus becomes much easier. By having access to the SIM that is pre-registered to email accounts and banking accounts, it is then easy to retrieve the user name and reset the password — all of which are sent thru the validated mobile number.
In essence, the SIM card become a master key to your vault.
This reduces the strength of two-factor authentication as to how easy or hard it is to acquire the user’s SIM card.
1. SIM Cloning. Though this is harder now to clone SIM cards than many years back, it is still possible to clone them.
2. Theft, Robbery or Accidental Loss. There are dozens of phones lost or being stolen in Metro Manila every day.
3. SIM Swap Scam. Identity theft used to apply for a SIM card replacement.
The more chilling effect is that the next time you get robbed of your cellphone while commuting, the robbers are no longer limited to getting the money off of your wallet, then can also use your phone to transfer money out of your bank accounts. May be far off but who would have thought that the SIM card scam would go as far as transferring money from the victim’s BDO to the perpetrator’s Security Bank account.
The contention of the victim is that the telecoms company (in this case, Globe) was not thorough in making verifications when people apply for new postpaid lines or SIM replacements. It’s a loophole, that we can admit, but telcos operate within the realm of their own domain. They operate under the premise of minimum acceptable requirement that balances convenience and security. This is more or less the same protocol with many other institutions like credit card companies. But that’s another lengthy discussion altogether.
The post SIM Swap Scam exposes weakness of 2-factor authentication appeared first on YugaTech | Philippines, Tech News & Reviews.