How do I guard against a SIM port hack? What safeguards does Ting provide?

I read with great concern the article on Medium about a SIM port hack where someone is able to port your SIM card to a phone that they control. The attacker then initiates a password reset, intercepting your 2-factor authentication to reset your Gmail account and gain access to it. The article is at:

https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

How can I guard against a SIM port hack with my Ting account? Does Ting handle porting SIMs to new devices or is this handled by Sprint or T-Mobile? Does Ting have any safeguards against a SIM port attack? How do you verify the identity of someone who wants to port a SIM to another device? Can I set a PIN on my SIM to prevent it being ported?

Any information you could provide me on how to avoid a SIM port hack would be much appreciated.

Best Regards,

Hugh Pickens

Comments
  • Hi Hugh, 

    This has come up on the Ting user forums before.

    A lot of the information is still the same, and I encourage you to read over my response there, but I wanted to make a special effort to review the high points about how security works on Ting, and what you should be mindful of. 

    We take security very seriously. We build in security from the ground up on this stuff, because in addition to wanting you to trust us with one of the most valuable assets in your digital life (your telephone number), we never want to be playing damage control like some MVNOs who use the last 4 digits of your phone number, or worse make it something like 0000.

    Ting porting PINs are designed to be random, even between devices on the same account with the same account number. Because, let's face it, most people would make their porting PIN something easily findable, like a birthday, some part of a social security number or an address. By taking customization out of the equation, we've made Ting resistant (though not immune) to the porting-attack method of SIM hijacking. The attacker would already need access to your Ting account dashboard to get this information, making enabling 2FA on your Ting account all the more important, even for the mild inconvenience.

    The other big attack vector in SIM hijacking is socially engineering our agents into changing the active Ting SIM. We're a small company of just under 700 people total, and just under 200 of us work in Ting Mobile. And we talk to each other a lot. What attackers who socially engineer agents do is try to overwhelm them into giving up personal info and giving them access to your account. What talking to each other allows us to do is highlight odd interactions or stop would-be attackers from using a technique called "agent shopping", where the attacker doesn't get what they want from the person who answers the phone, so they hang up and try to socially engineer another agent into giving them the information they need. In this way, our small size works to our benefit.

    All they need is one agent who bypasses our normal security methods to change something on the account. It doesn't even have to be your SIM card. But our agents have it hammered in from DAY ONE that nobody can make changes to a Ting account without access to the email address on file for the account, and even then they need to confirm a temporary (thus ever-changing) account PIN. If they don't have that, we don't make changes. Period. If you've got 2FA on your email account, and you really should, this adds an additional layer of security to your Ting account without you having to have done a thing.

    So, to your questions specifically.

    Q: How can I guard against a SIM port hack with my Ting account?
    A: Enable 2FA anywhere you can, and where possible, use a hardware or software key rather than SMS. I use Authy.

    Q: Does Ting handle porting SIMs to new devices or is this handled by Sprint or T-Mobile?
    A: We do all of our own swapping and porting, and requests to and from Ting come specifically from us. We do use some infrastructure laid out by our network providers, but the requests as seen by your new or old carrier should be seen as Ting-specific.

    Q: Does Ting have any safeguards against a SIM port attack? 
    A. Yes. As laid out above, Ting porting PINs are random and otherwise inaccessible to someone who does not specifically have access to your Ting dashboard, controlled by you with a password and/or 2FA PIN. Even someone with access to the email who contacts our support should be required to provide a 2FA PIN.

    Q. How do you verify the identity of someone who wants to port a SIM to another device?
    A. Porting can be done by anyone with the not-otherwise-public Ting account number and strictly-private Ting porting PIN. Anyone with access to your Ting dashboard can access this information, so we recommend not sharing your Ting account password and as laid out above, enabling 2FA.

    Q. Can I set a PIN on my SIM to prevent it being ported?
    A. No, but yes. Access to your Ting account is restricted to you and you alone with your password or PIN. Someone contacting our support agents with access to your email still wouldn't have access to your dashboard, and as a nifty side-effect of us encouraging self-service, our first response to someone asking for porting information would be "Hey, it's on your Ting account dashboard under Account Settings." It's rare we provide this information via a support request, and even when we do it's only after access to the email address on file has been 100% verified with a temporary account PIN, an optional (and generally discouraged) permanent PIN, and/or your 2FA code from your 2FA provider of choice.

    No carrier is completely immune from these attacks, and attacks DO happen on Ting, though they're remarkably rare and I can't think of the last time I heard of one succeeding. As more of your digital life relies on your phone number, the attacks and frequency are only going to get worse. But rest assured we're not sitting back on this one. We know how important it is that your number stay safe with us, and we will do our best to keep your trust.

  • Thanks. It sounds like you are doing everything right. I am pleased to know that it is Ting that can move my SIM to a new device and not T-Mobile or Sprint. I just set up my Ting account for 2-factor authentication to give myself some extra security.

    HP

  • You've taken the right first steps! If you poke around some of your other favorite websites, you'll see that they, too, offer 2FA for logging in, giving you an additional layer of security.

  • This is something I was curious about. I've been reading about SIM port attacks on a blog by Brian Krebs, an IT security specialist who has become so good at his job, his own name keeps popping up on various dark hacking websites hosted in Russia.

    According to Krebs, SIM port attacks are relatively very rare, and almost always are a very hands-on type of attack that is used against the more wealthy holders of digital currencies such as Bitcoin. The method of operation usually involves bribing a phone store employee into bypassing 2FA & all other security layers.

    And this is where I can see Ting having the advantage. Ting does not have workers who only care about clocking hours & going home.

    At the moment, SIM port attacks are a James Bond-style news item that all the criminals are talking about, but never do. It's just not a practical way of stealing money.

    In the meantime, the telecom industry is starting to get the word that brick-and-mortar storefronts need a serious security makeover. But nobody wants to splash out the cash for that as long as the general public remains unconcerned/ignorant about the quality of store management. I would think there are some boardroom meetings where fingers are pointed, words fly, but nothing gets fixed.

  • You're absolutely right, Phil. And that's why we typically recommend against SMS 2FA, but it's typically better than no 2FA at all.

    I've seen reports on the carrier subreddits about recruiters looking to bribe carrier employees to bypass security restrictions, and it clearly works sometimes, or they wouldn't keep asking. That said, we're pretty secure in our customer service team here at Ting and our security team has a watchful eye over it as well. It's always as soon as you look away that security holes get taken advantage of, right?

  • From the criminal's point of view, it's not when you look away that a security hole gets taken advantage of. You see these things happening all the time. The moments where you don't see these things happening are when the crooks get away with it. The next level is when the crook sells such access on a dark market. What the crook wants is to find an attack surface that nobody is keeping a watchful eye on. This cell-based 2FA problem is becoming old news; everyone who should know ought to have understood by now. But the corporate mindset does not change quickly when basic mistakes are being made.

    One basic mistake is to have the chief of IT security reporting to anyone sitting on the board, such as the chief of the HR department, when what needs to happen is that the chief of IT security should be sitting on the board and given the freedom to report directly to the CEO any changes that might need to be made.

  • The benefit to our small size is that anyone can talk to our CEO at any time if they have a concern.

  • I would love the additional option to opt in to a 24-hour waiting period for port-out or SIM change, all while blasting SMS, e-mail, and app notifications of what has been requested and when it will take effect.

    I think the peace of mind that you won't wake up to a hack, or discover one as you step off a long flight, would be worth the inconvenience to security-conscious customers.

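Chris's opt-in waiting period, sketched as an added example in Python (this is not Ting's code and assumes nothing about how Ting's systems are built): a port-out or SIM-change request is announced on every notification channel and only takes effect once a 24-hour hold has elapsed without the customer cancelling it. Times are plain epoch seconds so the flow can be exercised offline.

```python
# Added illustration of an opt-in port-out / SIM-change hold (hypothetical design,
# not Ting's implementation). The customer is told immediately what was requested
# and when it lands, and can cancel any time before the hold expires.
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 3600          # length of the opt-in waiting period


@dataclass
class Account:
    number: str                   # constructed sample account identifier
    hold_enabled: bool            # customer opted in to the waiting period
    channels: tuple = ("sms", "email", "app")


@dataclass
class ChangeRequest:
    kind: str                     # "port_out" or "sim_change"
    requested_at: float           # epoch seconds
    effective_at: float           # epoch seconds when the change may be applied
    notifications: list = field(default_factory=list)
    cancelled: bool = False
    completed: bool = False


def request_change(acct: Account, kind: str, now: float) -> ChangeRequest:
    """Open a request; with the hold enabled it is scheduled HOLD_SECONDS later."""
    effective = now + HOLD_SECONDS if acct.hold_enabled else now
    req = ChangeRequest(kind, now, effective)
    # Blast every channel with what was requested and when it takes effect.
    msg = f"{kind} requested at {now:.0f}; takes effect at {effective:.0f}"
    req.notifications = [(ch, msg) for ch in acct.channels]
    return req


def cancel(req: ChangeRequest, now: float) -> bool:
    """Customer, alerted by the notifications, can cancel until the change lands."""
    if req.completed or now >= req.effective_at:
        return False
    req.cancelled = True
    return True


def apply_if_due(req: ChangeRequest, now: float) -> bool:
    """Run by a scheduler; carries out the change only once the hold has passed."""
    if req.cancelled or req.completed or now < req.effective_at:
        return False
    req.completed = True
    return True
```

A customer who does not opt in gets the current behaviour (the change applies at once), so the hold costs nothing for people who do not want it.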
  • Hi Chris,

    This is an interesting idea that I am going to pass along to our product team, who is in charge of the features that we offer here at Ting. I'm not sure if it would be possible, but it's worth passing along to consider.

    If anyone else has any suggestions for features that they would like to see Ting implement, we do have a feature request forum that is open to everyone.
