SIM PIN

Recap from the December 2nd, 2019 CISO/Security Vendor Relationship Podcast

by Julie McLelland

A few years ago, hackers found a bug that let them pull personal data on any T-Mobile customer. The bug was well known in the criminal underground; there was even a tutorial on YouTube showing how to exploit it.

The bug exposed customers' email addresses, billing account numbers, and IMSI numbers (the unique, standardized number that identifies a subscriber on the mobile network). On its own that looks harmless, but it meant that anyone who knew a customer's phone number could pull that data. With it in hand, the hackers impersonated the victim to T-Mobile's customer support staff, asked for the number to be moved to a new SIM card, and hijacked the phone number.

SIM swapping (also called SIM hijacking or a port-out scam) is not exclusive to T-Mobile; it can happen at any carrier. The scenario is always the same: the attacker gathers personal information about the victim, then contacts the victim's mobile carrier and uses whatever technique works (a convincing story, the stolen account details, a bribed or careless employee) to get the carrier to move the victim's phone number onto a SIM the attacker controls.

Once this happens, the victim's phone loses its connection to the network and the attacker receives every SMS and voice call intended for the victim. That lets the attacker intercept one-time codes and verification calls delivered by text or phone call, which means they can get into any account whose second factor, or password reset, relies on the phone number: Amazon, eBay, PayPal, and bank accounts among them. The sudden loss of service on the victim's phone is usually the first sign that this is under way.

In this week's Cloud Security Tip, Steve Prentice explains why two-factor authentication (2FA) that relies on your phone number is not enough on its own.

“2FA might stop hackers from using easily searchable information like someone’s mother’s maiden name, but these bad actors have already discovered the weak link in this particular chain. They call the phone provider, pretend to be that specific victim, and ask to swap the victim’s SIM account information to a new SIM card – one that is in their possession.”

The good news? You can take steps to decrease the chances that a SIM hack will happen to you.

Add a SIM PIN

You can add another layer of protection to your phone by enabling a SIM PIN (also called SIM lock). With it on, the SIM card refuses to register on the network until the PIN is entered after a power-on, and again whenever the card is moved to another device. Every major U.S. carrier ships SIMs with this option, so take them up on it, and change the carrier's default PIN when you do. Be clear about what it covers, though: the PIN is stored on the card in your hand and only protects that card, for example when a stolen phone's SIM is moved into another handset. It does nothing to stop a carrier employee from provisioning your number onto a different SIM, which is exactly what the support-desk attack above does. For that, also set the separate account PIN or port-out (number transfer) PIN that every major U.S. carrier offers on the billing account, and move your most important accounts, email and banking first, off SMS codes to an authenticator app or hardware security key wherever the service supports it.

AT&T

When enabling SIM lock, your device prompts you to enter a PIN code:

  • The default PIN code for an AT&T SIM card is 1111.
  • Change the default PIN code for more security.
  • After activating SIM lock, you must enter the PIN code after every power-on and whenever you move the SIM card to another device. The PIN lives on the card, not the phone, so it follows the SIM.
  • Three wrong PIN entries lock the card; it then accepts only the PIN Unlock Key (PUK). If you forget your SIM lock PIN code, learn how to get the PUK code from AT&T to unlock your SIM card. Do not guess at the PUK: ten wrong PUK entries permanently disable the SIM and you will need a replacement card.

Verizon

The steps below are the iPhone ones (Settings > Cellular). On Android the same option lives in the security settings, usually under a name like "SIM card lock", and the exact wording varies by manufacturer.

From the Home screen, navigate: Settings > Cellular. Tap SIM PIN, then do one of the following.

Enable / Disable SIM PIN:

  • Tap the SIM PIN switch to turn it on or off.
  • Enter the current SIM PIN, then tap Done (upper-right).
  • Note: The default SIM PIN is 1111.

Modify SIM PIN:

  • Ensure the SIM PIN switch is turned on. This is a rule of the card, not of the app: a SIM only accepts a PIN change while the lock is enabled.
  • Tap Change PIN.
  • Enter the current SIM PIN, then tap Done.
  • Note: The default SIM PIN is 1111.
  • Enter the new SIM PIN, then tap Done.
  • Re-enter the new SIM PIN, then tap Done.

T-Mobile & Sprint

Navigate to the SIM PIN settings:
From the Home screen, tap Settings > Phone > SIM PIN.

  • Tap SIM PIN slider to ON (if necessary).
  • Tap Change PIN.
  • Enter current PIN (default is 1234).
  • Enter new PIN.
  • Enter new PIN again to confirm.
  • Tap Save.
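The menu steps above are a thin skin over a standard mechanism, and it helps to see what the toggle actually asks the card to do. The following is an added example, not from the podcast, from OpenVPN, or from any carrier: a small Python model of a SIM card and its modem front-end, driven with the 3GPP TS 27.007 AT commands a handset uses (+CLCK for the SIM PIN switch, +CPWD for Change PIN, +CPIN for PIN and PUK entry). The card, the baseband, the PIN and PUK values and the "BLOCKED" label are constructed for the example; the command syntax, the numeric +CME error codes and the retry limits (3 PIN tries, 10 PUK tries) are the standard ones. It shows why the carrier steps insist the switch be on before you can change the PIN, and what the three-strikes lockout looks like to someone holding a stolen SIM.

```python
"""What the phone's "SIM PIN" toggle does underneath: the handset drives the SIM
with the 3GPP TS 27.007 AT commands +CLCK (the "SC" facility = SIM lock on/off),
+CPWD (change the PIN) and +CPIN (query state, enter PIN or PUK). SimCard and
Modem are constructed stand-ins for a real card and baseband so this runs
offline; retry limits are the standard 3 PIN tries and 10 PUK tries."""
import re

PIN_RETRIES, PUK_RETRIES = 3, 10

class SimCard:
    """Constructed model of PIN1/PUK1 state on the card (not real card firmware)."""
    def __init__(self, pin="1111", puk="12345678", lock_enabled=False):
        self.pin, self.puk, self.lock_enabled = pin, puk, lock_enabled
        self.pin_retries, self.puk_retries = PIN_RETRIES, PUK_RETRIES
        self.verified = not lock_enabled   # with the lock off nothing is ever demanded

    def status(self):
        if self.puk_retries == 0:
            return "BLOCKED"               # model's label; a real modem reports a CME error
        if self.pin_retries == 0:
            return "SIM PUK"               # PIN retries exhausted: only the PUK works now
        return "READY" if self.verified else "SIM PIN"

    def try_pin(self, pin):                # every miss burns a retry, whatever the state
        if pin == self.pin:
            self.verified = True
            return True
        self.pin_retries -= 1
        return False

    def try_puk(self, puk, new_pin):       # a good PUK sets a fresh PIN and resets the counter
        if puk == self.puk:
            self.pin, self.pin_retries, self.verified = new_pin, PIN_RETRIES, True
            return True
        self.puk_retries -= 1
        return False

class Modem:
    """Minimal AT front-end; command and response formats follow TS 27.007."""
    def __init__(self, sim):
        self.sim = sim

    def at(self, cmd):
        sim = self.sim
        if cmd == "AT+CPIN?":
            return [f"+CPIN: {sim.status()}", "OK"]
        if m := re.fullmatch(r'AT\+CPIN="(\d{4,8})"(?:,"(\d{4,8})")?', cmd):
            code, new_pin = m.groups()     # PIN entry, or PUK plus new PIN
            if sim.status() == "SIM PIN" and new_pin is None:
                return ["OK"] if sim.try_pin(code) else ["+CME ERROR: 16"]
            if sim.status() == "SIM PUK" and new_pin is not None:
                return ["OK"] if sim.try_puk(code, new_pin) else ["+CME ERROR: 16"]
            return ["+CME ERROR: 3"]       # operation not allowed in this state
        if sim.status() != "READY":        # everything below needs an unlocked card
            return ["+CME ERROR: 11" if sim.status() == "SIM PIN" else "+CME ERROR: 12"]
        if m := re.fullmatch(r'AT\+CLCK="SC",([01]),"(\d{4,8})"', cmd):
            if not sim.try_pin(m.group(2)):
                return ["+CME ERROR: 16"]  # incorrect password
            sim.lock_enabled = m.group(1) == "1"
            return ["OK"]
        if m := re.fullmatch(r'AT\+CPWD="SC","(\d{4,8})","(\d{4,8})"', cmd):
            if not sim.lock_enabled or not sim.try_pin(m.group(1)):
                return ["+CME ERROR: 16"]  # the card only changes the PIN while the lock is on
            sim.pin = m.group(2)
            return ["OK"]
        return ["ERROR"]

def sim_status(modem):
    return modem.at("AT+CPIN?")[0].split(": ", 1)[1]

def enable_sim_lock(modem, pin):           # the "SIM PIN" switch
    return modem.at(f'AT+CLCK="SC",1,"{pin}"') == ["OK"]

def change_pin(modem, old, new):           # the "Change PIN" button
    return modem.at(f'AT+CPWD="SC","{old}","{new}"') == ["OK"]

def reinsert(modem):                       # card moved to another handset, or a reboot
    modem.sim.verified = not modem.sim.lock_enabled
    return sim_status(modem)

def walkthrough():
    """Carrier default -> lock on -> new PIN -> other handset -> 3 bad guesses -> PUK."""
    modem = Modem(SimCard())               # shipped with PIN 1111 and the lock off
    trace = [sim_status(modem)]            # READY
    enable_sim_lock(modem, "1111")
    change_pin(modem, "1111", "4937")      # drop the carrier default
    trace.append(reinsert(modem))          # SIM PIN
    for guess in ("1111", "1234", "0000"): # a thief tries the carrier defaults
        modem.at(f'AT+CPIN="{guess}"')
    trace.append(sim_status(modem))        # SIM PUK: even the right PIN is refused now
    modem.at('AT+CPIN="12345678","5512"')  # PUK from the carrier plus a new PIN
    trace.append(sim_status(modem))        # READY
    return trace
```

walkthrough() replays the carrier procedure end to end and returns the card's state after each step. The boundary the model makes explicit is the point to take away: every check happens on the card in your hand, so this lock is irrelevant to a swap done in the carrier's provisioning system, where a fresh SIM simply replaces yours.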

Taking It A Step Further

“But as workplaces bring global collaborators and their personal phones deeper into the corporate ecosystem, a proactive education campaign on SIM PINs might be in order.” - Steve Prentice

Small steps like turning on 2FA and setting a SIM PIN raise the bar, provided you also lock down the carrier account itself with an account or port-out PIN and stop relying on SMS codes for the accounts that matter most. For a deeper layer of security, pairing 2FA with a business VPN solution like the OpenVPN Access Server protects your organization on multiple fronts: 2FA and a SIM PIN reduce the damage a compromised login or a stolen handset can do, and Access Server gives employees secure access wherever they are working, finer-grained access control, and stronger network access overall.
