TY - GEN
T1 - An empirical study of wireless carrier authentication for SIM swaps
AU - Lee, Kevin
AU - Kaiser, Ben
AU - Mayer, Jonathan
AU - Narayanan, Arvind
N1 - Publisher Copyright:
© 2020 by The USENIX Association.
PY - 2020
Y1 - 2020
N2 - We examined the authentication procedures used by five prepaid wireless carriers when a customer attempted to change their SIM card. These procedures are an important line of defense against attackers who seek to hijack victims' phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses. We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers. We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed. Authentication of SIM swap requests presents a classic usability-security trade-off, with carriers underemphasizing security. In an anecdotal evaluation of postpaid accounts at three carriers, presented in Appendix A, we also found-very tentatively-that some carriers may have implemented stronger authentication for postpaid accounts than for prepaid accounts. To quantify the downstream effects of these vulnerabilities, we reverse-engineered the authentication policies of over 140 websites that offer phone-based authentication. We rated the level of vulnerability of users of each website to a SIM swap attack, and have released our findings as an annotated dataset on issms2fasecure.com. Notably, we found 17 websites on which user accounts can be compromised based on a SIM swap alone, i.e., without a password compromise. We encountered failures in vulnerability disclosure processes that resulted in these vulnerabilities remaining unfixed by nine of the 17 companies despite our responsible disclosure. Finally, we analyzed enterprise MFA solutions from three vendors, finding that two of them give users inadequate control over the security-usability tradeoff.
AB - We examined the authentication procedures used by five prepaid wireless carriers when a customer attempted to change their SIM card. These procedures are an important line of defense against attackers who seek to hijack victims' phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses. We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers. We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed. Authentication of SIM swap requests presents a classic usability-security trade-off, with carriers underemphasizing security. In an anecdotal evaluation of postpaid accounts at three carriers, presented in Appendix A, we also found-very tentatively-that some carriers may have implemented stronger authentication for postpaid accounts than for prepaid accounts. To quantify the downstream effects of these vulnerabilities, we reverse-engineered the authentication policies of over 140 websites that offer phone-based authentication. We rated the level of vulnerability of users of each website to a SIM swap attack, and have released our findings as an annotated dataset on issms2fasecure.com. Notably, we found 17 websites on which user accounts can be compromised based on a SIM swap alone, i.e., without a password compromise. We encountered failures in vulnerability disclosure processes that resulted in these vulnerabilities remaining unfixed by nine of the 17 companies despite our responsible disclosure. Finally, we analyzed enterprise MFA solutions from three vendors, finding that two of them give users inadequate control over the security-usability tradeoff.
UR - http://www.scopus.com/inward/record.url?scp=85091884123&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85091884123&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85091884123
T3 - Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020
SP - 61
EP - 80
BT - Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020
PB - USENIX Association
T2 - 16th Symposium on Usable Privacy and Security, SOUPS 2020
Y2 - 10 August 2020 through 11 August 2020
ER -