
How does port swapping work to bypass two-factor authentication?

With a port swapping attack, hackers can bypass two-factor authentication and control a victim's mobile device. Judith Myerson explains how the attacks work and how to stop them.

Digital currency broker Coinbase Inc. was reportedly hit with a port swapping attack in 2016. What is a port swapping attack, and are there any precautions companies should take?

Port swapping occurs when a thief ports a victim's phone number to a device under the thief's control. The attack begins with the thief searching for people who work in a particular industry, or sifting through social media accounts that mention bitcoin and Coinbase. It won't take long for the thief to find the victim's email address and mobile phone number online, through a Contact Us page, for example.

Pretending to be the legitimate subscriber, the thief calls the victim's mobile provider -- in the Coinbase case, the provider was Verizon -- and has the phone number ported to a voice over IP provider, thereby bypassing Authy, an app that provides multi-device two-factor authentication. Verizon accepted the phone number in place of an email address as the identifier for logging in to the account.

Shortly after the thief resets the email password, the victim receives a VZW FREE MSG text confirming that his account password was created or changed. Since the victim did not make the request, he is directed to call Verizon by dialing *611 from his cellphone. The victim then discovers, too late, that the attacker has already closed his account.

Meanwhile, the thief changes the Coinbase password and text message information to enable two-factor authentication. If he is not caught in time, the thief is able to steal the money in the victim's account and put it in digital wallets he owns.

Here are some precautions companies should take when they receive unexpected text messages from a phone service provider, since such messages may be the first sign of a port swapping attack:

  • Call the phone provider's customer service line and set up a temporary PIN or password that can be changed later. Request a port freeze and a lock on each account attached to the current SIM. Don't reply to text messages about password changes.
  • Avoid text message two-factor authentication. Disable Authy's multi-device functionality. Consider Google Authenticator or Microsoft Authenticator, which use a QR code to store secret keys locally on a single device.
  • Use a unique, long password for your account.
  • Don't use text messaging for account recovery.
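To show why the authenticator-app advice above takes the phone number out of the login path, here is an added example (not from the original article or any vendor) of the RFC 6238 TOTP scheme those apps implement: the secret is delivered once in the QR code's otpauth:// URI and kept on the device, and every code is derived from that secret and the clock, so a ported number has nothing to receive. The issuer and account names are placeholders, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth:// URI encoded in the enrollment QR code.

    The base32 secret is the only thing the authenticator app stores; no phone
    number or SMS route is involved, so porting the number gains nothing.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` 30-second steps of clock skew.

    Uses a constant-time comparison so response timing leaks nothing about the code.
    """
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + k * 30), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed enrollment: RFC 6238 test secret, placeholder issuer/account.
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "ExampleBroker", "alice@example.com"))
    print(totp(secret, 59), verify(secret, totp(secret, 59), 59))
```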


This was last published in December 2017
