The brief but embarrassing hacking of Twitter boss Jack Dorsey shines the spotlight on SIM card fraud, which is becoming increasingly widespread and potentially very dangerous.
The founder of the social network got away with a few jokes at his expense after insulting or racist messages were posted in his name, but this type of attack can have far more serious consequences, from theft of personal data to misinformation.
A "SIM swap" or "SIM transfer" is a virtual theft of a SIM card: crooks impersonate someone to that person's mobile operator in order to take over the use of their phone number.
They then exploit a weakness of two-factor authentication, which requires users of certain platforms (social networks, banking, etc.) to provide both their password and a one-time code, often sent by SMS.
"The phone number associated with the account was exposed because of a security error by the telephone operator," said the social network, which says it has found "no sign that Twitter systems have been compromised".
But "the problem is not solved," said Ori Eisen, founder of Trusona, a cybersecurity company specializing in password-free authentication.
SIM card scams have been gaining momentum in recent years, whether to take control of personal accounts on social networks or to make online purchases.
According to Ori Eisen, advances in automation technology make it possible to generate billions of calls designed to manipulate consumers into disclosing information or passwords.
- Black market -
Hackers also use other methods, which do not even involve the users themselves.
Following the massive thefts of private data in recent years, they have access to troves of personal information on the web's black market, which then allows them to deceive operators.
"The messaging of mobile phones can be hacked by sophisticated technical means, but also by convincing one operator to migrate your account to another, on an unauthorized phone," said R. David Edelman, a former advisor to the White House who runs a research center on cybersecurity at the Massachusetts Institute of Technology.
"It takes no more than a few minutes of confusion to commit mischief like that of which Dorsey was a victim," he says.
Thousands of such scams have been recorded in countries where mobile payments are common, such as Brazil, Mozambique, India or Spain.
According to Fabio Assolini and Andre Tenreiro, researchers at the cybersecurity firm Kaspersky, the security systems of many mobile operators "are insufficient and make their customers vulnerable to SIM card attacks", especially if hackers manage to obtain dates of birth and other similar data.
In a recent blog post, they write that in some cases cybercriminals have bribed telephone company employees, for as little as $10 or $15 per victim.
"The interest in these attacks has become so important among cybercriminals that some resell this kind of service to others," say the researchers.
In Brazil, crooks have taken control of WhatsApp messaging accounts and are demanding "urgent payments" from the victims' friends.
- "Boulevard" -
"A boulevard has opened up to fraud," said Joseph Hall of the Center for Democracy & Technology Think Tank in Washington.
He regrets that not all operators have yet adopted artificial intelligence methods that distinguish legitimate SIM card transfers, for example after a device is lost or stolen, from fraudulent ones.
And the consequences could extend beyond the individual victims: Hall cites as an example a fake tweet from the president, which could trigger a fall in the financial markets.
He calls for better ways to authenticate users, such as physical keys that plug into devices, or software such as the Google Authenticator app.
"Security professionals have to admit that what worked before does not work anymore," says Ori Eisen.
Paradoxically, he says, the push to create longer and more complex passwords has reinforced the use of insecure text messages for authentication.
"We have to look for solutions that are not easy to exploit by fraudsters but easy to adopt by people."
© 2019 AFP