An empirical study of wireless carrier authentication for SIM swaps

Kevin Lee, Ben Kaiser, Jonathan Mayer, Arvind Narayanan

Research output: Chapter in Book/Report/Conference proceedingConference contribution

32 Scopus citations

Abstract

We examined the authentication procedures used by five prepaid wireless carriers when a customer attempted to change their SIM card. These procedures are an important line of defense against attackers who seek to hijack victims' phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses. We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers. We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed. Authentication of SIM swap requests presents a classic usability-security trade-off, with carriers underemphasizing security. In an anecdotal evaluation of postpaid accounts at three carriers, presented in Appendix A, we also found-very tentatively-that some carriers may have implemented stronger authentication for postpaid accounts than for prepaid accounts. To quantify the downstream effects of these vulnerabilities, we reverse-engineered the authentication policies of over 140 websites that offer phone-based authentication. We rated the level of vulnerability of users of each website to a SIM swap attack, and have released our findings as an annotated dataset on issms2fasecure.com. Notably, we found 17 websites on which user accounts can be compromised based on a SIM swap alone, i.e., without a password compromise. We encountered failures in vulnerability disclosure processes that resulted in these vulnerabilities remaining unfixed by nine of the 17 companies despite our responsible disclosure. Finally, we analyzed enterprise MFA solutions from three vendors, finding that two of them give users inadequate control over the security-usability tradeoff.

Original languageEnglish (US)
Title of host publicationProceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020
PublisherUSENIX Association
Pages61-80
Number of pages20
ISBN (Electronic)9781939133168
StatePublished - 2020
Event16th Symposium on Usable Privacy and Security, SOUPS 2020 - Virtual, Online
Duration: Aug 10 2020Aug 11 2020

Publication series

NameProceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020

Conference

Conference16th Symposium on Usable Privacy and Security, SOUPS 2020
CityVirtual, Online
Period8/10/208/11/20

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'An empirical study of wireless carrier authentication for SIM swaps'. Together they form a unique fingerprint.

Cite this