I Question The Security Of Freedom Mobile’s Freedom My Account Web Portal

My wife and I have been customers of Freedom Mobile since the end of the year. And I have to admit that one thing that does give me pause is the Freedom My Account Web Portal located at https://login.freedommobile.ca. I say that because in the age of SIM swap attacks, I question whether this web portal can adequately defend against a threat actor who wanted to pull one off.

First let me explain what a SIM swap attack is. This is where a threat actor takes over the SIM card on your cell phone by porting your number from the SIM card in your phone to a SIM card inside a phone that they control. Why would they want to do that? Well, if you have text message based two factor authentication set up, those authentication messages will now go to the threat actor’s SIM card instead of yours. Which means that if they already have your username for a given online account that relies on two factor authentication, you’re pwned, because they can reset the password to said account to get in, assuming that they don’t already have the password. If you want an example of how bad a SIM swap attack can be, take a look at this article written by Brian Krebs on a very large scale SIM swap attack that affected 130 organizations.

Here are a couple of examples of why SIM swap attacks are dangerous. Late last year I wrote about telephone scams from threat actors pretending to be Rogers, TELUS, or Bell, offering great deals and a new phone to the unsuspecting. But in reality, what the threat actors were doing was trying to get victims to hand over the two factor authentication codes that victims received via email or text message, so that they could get into the victim’s account and order a new phone for shipment overseas. Now imagine if they could simply intercept the text message codes by doing a SIM swap, so they wouldn’t even need to call you to do that. Or how about this? A threat actor does a SIM swap attack and is able to get the two factor authentication codes for your bank account. Then they proceed to drain your bank account dry. Clearly these are non trivial results of a SIM swap attack, which is why the security that telcos provide to stop these attacks needs to be top shelf.

Now here’s why I question if Freedom Mobile is doing enough on this front. When you go to https://login.freedommobile.ca, you see this:

Here you will be asked to enter your Freedom Mobile phone number and a four digit PIN that you chose when you set yourself up to access this web portal. Realistically, Freedom Mobile needs to have proper accounts with proper passwords. And have a password complexity requirement. For example, all passwords need to be a minimum of eight characters with one capital letter, a number, and a special character ($%#& for example). I say that because I can see a scenario where a threat actor brute forces the PIN, trying combination after combination to see if they can get into the account. To be fair, I have not tested this, which means that I have no idea whether Freedom Mobile can defend against this attack. But seeing that only four digits are in play here, if I were a threat actor, that’s what I would try first as I have “only” 9999 possibilities to work with. Which from a security perspective is pretty weak.
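To put numbers on that point, here is an added example (my own constructed code, not Freedom Mobile’s) that compares the guessing space of a four digit PIN with the suggested password policy, and shows how a per-account lockout, the kind of server-side control I hope sits behind that login page, caps what a PIN-guessing attacker can achieve before the account cools off. The guard class, the five-failure threshold, the 15 minute lockout and the sample PIN are all assumptions.

```python
"""Added example (constructed, not Freedom Mobile's code): how much a
4-digit PIN buys an attacker and how a per-account lockout contains it.
The guard class, thresholds and sample PIN below are all assumptions."""
import math
from dataclasses import dataclass, field

PIN_SPACE = 10 ** 4                      # 0000-9999
# Keyspace of the post's suggested policy: 8 chars drawn from upper, lower,
# digit and the four specials it lists ($%#&); real policies allow more.
PASSWORD_SPACE = (26 + 26 + 10 + 4) ** 8


def keyspace_bits(space: int) -> float:
    """Guessing entropy of a uniformly chosen secret, in bits."""
    return math.log2(space)


@dataclass
class PinLoginGuard:
    """Hypothetical server-side check: lock an account after too many
    wrong PINs for a cooling-off period, independent of the client."""
    max_failures: int = 5
    lockout_seconds: int = 900
    _state: dict = field(default_factory=dict)   # phone -> (fails, locked_until)

    def attempt(self, phone: str, pin: str, correct_pin: str, now: float) -> str:
        fails, locked_until = self._state.get(phone, (0, 0.0))
        if now < locked_until:
            return "locked"                    # refuse even a correct PIN
        if pin == correct_pin:
            self._state.pop(phone, None)       # success resets the counter
            return "ok"
        fails += 1
        if fails >= self.max_failures:
            self._state[phone] = (0, now + self.lockout_seconds)
            return "locked"
        self._state[phone] = (fails, locked_until)
        return "denied"


def sequential_guessing(guard: PinLoginGuard, phone: str, correct_pin: str,
                        now: float = 0.0) -> tuple:
    """Walk the whole PIN space against the guard; returns (outcome, guesses)."""
    for n in range(PIN_SPACE):
        outcome = guard.attempt(phone, f"{n:04d}", correct_pin, now)
        if outcome in ("ok", "locked"):
            return outcome, n + 1
    return "exhausted", PIN_SPACE


def success_probability(space: int, guesses: int) -> float:
    """Chance that `guesses` distinct tries hit a uniformly random secret."""
    return min(guesses, space) / space
```

With the lockout in place an attacker gets five guesses per 15 minute window, a 0.05% chance per window; without it, walking the space finds any PIN in at most 10,000 requests.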

The other thing that Freedom Mobile should do is move away from delivering the two factor authentication via text message. I say that because of this:

Once you enter your Freedom Mobile number and enter the PIN you get to choose the phone number that you want a text message with a two factor authentication code delivered to, and confirm that phone number.

Here’s where you get to enter the security code that you get via text message.

Now I will admit that there are a lot of hoops that a threat actor would have to jump through to pull off an attack on Freedom Mobile. But as evidenced by the Brian Krebs story, threat actors, if they are motivated enough and believe that there’s value in doing so, will find a way to pull this sort of attack off.

But let me hand some free advice to Freedom Mobile to help them kill off this potential attack vector. My current bank of choice is CIBC. Their mobile app has an option to receive verification codes via push notification rather than text. So if you try to log into the CIBC website, you’ll get a push notification on your phone as long as the CIBC app is installed on it. That does two things. First, a SIM swap attack won’t work because the notification is tied to the app on your device, not to your phone number. Second, if your phone gets stolen you can revoke push notification access for that phone. Now for Freedom Mobile to do something like this, it would require them to build a real phone app rather than the one they presently have, which only replicates the exact functionality of https://login.freedommobile.ca in a mobile friendly way. But that would be a worthy endeavour in my opinion.

Now I will put it out there that I could be completely off base here and Freedom Mobile may have security measures “behind the curtain” so to speak that address my concerns. If they do, and they are willing to go on the record about how they protect customers from this sort of attack, I’d love to hear from Freedom Mobile about this and publish a story with their response. To be clear, I don’t expect them to tell the world exactly what they are doing. But Freedom Mobile addressing these concerns would be a smart move on their part, because I am sure that their customers would love to hear how they are being protected from SIM swap attacks among the other threats that exist in the world in 2024.

2 Responses to “I Question The Security Of Freedom Mobile’s Freedom My Account Web Portal”

  1. […] been a customer of Freedom Mobile for a while now. And I’ve been critical of their security for a while as well. Today it seems that I might have been right. Bleeping Computer is reporting […]

  2. […] pwned. They have been pwned in December 2025, and they were pwned in 2019. Thus proving that what I said about how substandard their security is was accurate. Freedom Mobile honestly needs to justify why […]
