Sep 11, 2019

You may have missed the story as you were leaving early last Friday for the long holiday weekend: Jack got hacked.

Jack, of course, is Jack Dorsey, CEO and co-founder of Twitter and Square. And ‘hacked’, in this instance, means that there were a number of inappropriate tweets that seemingly originated from his personal Twitter account. Twitter “regained control” of the account after about 15 minutes, but the damage was already done.

It’s worth examining exactly how the hackers gained access to Jack’s personal Twitter account. One might suspect that the highly visible CEO of a technology company would have best available security safeguards in place, and that any “hack” aimed at such an individual would require a tremendous amount of technical skill, coordination and resources.

Those suspicions would be wrong. The technique the hackers used was surprisingly simple and shockingly prevalent, especially in markets that have a majority of users with pre-paid mobile phone services: a SIM swap.

A SIM swap occurs when a fraudster, using a victim’s personal information gleaned off the dark web or other available sources, calls the victim’s mobile network operator (AT&T or T-Mobile, for example), and impersonating the victim, has the mobile network operator transfer the victim’s phone number to a different mobile device that is in the fraudster’s possession.

The fraudster then can use the personal information they’ve obtained to try and access the victim’s various accounts – bank accounts, email accounts, and, in this instance, a Twitter account. If the account provider recognizes that the “victim” is logging in through a new device, they will often send a SMS OTP – a one-time password that is usually a four- or six-digit pin code. Because the fraudster now owns the victim’s phone number, they receive that pin, enter the code, and are off to the races.

The number of mobile account takeovers has nearly doubled, growing from 380,000 instances in 2017 to nearly 680,000 instances in 2018, according to Javelin Research. In many instances, the victim only learns that their SIM has been “swapped” after the damage has been done – and recouping their lost funds can be a time-consuming, painful process.

In Jack’s instance, he didn’t lose any money – but he and the company he runs certainly lost a bit of credibility in the eyes of technology enthusiasts.

Why did they lose credibility? Couldn’t SIM swapping happen to anyone?

It could – and given the steady stream of corporate data breaches that occur seemingly every day, SIM swaps will continue. The issue is that SMS OTP – those pesky little pin codes – are woefully inadequate as a verification mechanism.  Not only are they prone to social engineering, but they also can be obtained by fraudsters via more nefarious and technical methods like malware.

This is not to say that two-factor authentication (2FA) is bad – it is a great security practice and we encourage everyone to use 2FA to secure their digital accounts. But SMS OTP is not a viable method of 2FA, especially as we spend more and more of our time and money via our mobile devices.

Mobile account takeover due to SIM swap is precisely the type of fraud that Boku Identity was built to detect. Because Boku has partnered with mobile network operators across the globe, our clients have access to real-time signals like SIM tenure that we can monitor to identify recent SIM swaps. Boku recommends this check be done before any authentication which may include SMS OTP, phone number verification or WhatsApp for Business (or any other authentication method).

To learn more about Boku Identity and how we can help you secure your business while providing a great customer experience, reach out to our Identity team.