URL: https://www.issms2fasecure.com/



IS SMS 2FA SECURE?


NO.


AN EMPIRICAL STUDY OF WIRELESS CARRIER AUTHENTICATION FOR SIM SWAPS

PRESENTED AT SOUPS 2020

 * We examined the authentication procedures used by five prepaid wireless
   carriers when a customer attempts to change their SIM card, or SIM swap.
 * We found that all five carriers use insecure authentication challenges that
   can easily be subverted by attackers.
 * We reverse-engineered the authentication policies of over 140 websites that
   offer SMS-based authentication, and rated the vulnerability level of users of
   each website to a SIM swap attack.
 * We found 17 websites on which user accounts can be compromised based on a SIM
   swap alone. After over 60 days since our disclosure, nine of these websites
   remain vulnerable in their default configuration.
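The "SIM swap alone" criterion above can be checked mechanically: model each site's login and password-recovery flows as challenges, give the attacker only the victim's phone number (which is what a SIM swap yields), and see whether that capability is enough to reach the account, possibly by first completing an SMS-based password reset. The example below is added here to illustrate that reasoning; it is not the study's own code or dataset, and the three policies it evaluates are constructed for illustration rather than taken from any real website. It also generalizes slightly beyond the page by reporting which gate blocks an attacker who holds a given set of capabilities.

```python
"""Added example (not from the paper): does a SIM swap alone compromise an account?"""
from dataclasses import dataclass

# Capabilities an attacker can hold. PHONE is what a SIM swap yields: the victim's
# number, and therefore every SMS or voice code sent to it.
PHONE, PASSWORD, EMAIL, TOTP, ACCOUNT = "phone", "password", "email_inbox", "totp_app", "account"


@dataclass(frozen=True)
class Gate:
    """One challenge in a flow. It is passed if the actor holds every capability of at
    least one alternative, e.g. ({PHONE},) for an SMS code, or ({TOTP}, {PHONE}) for
    "authenticator app, with SMS as the fallback"."""
    name: str
    alternatives: tuple

    def passable(self, held):
        return any(frozenset(alt) <= held for alt in self.alternatives)


@dataclass(frozen=True)
class Flow:
    """A sequence of gates that, once all are passed, grants new capabilities:
    a password reset grants PASSWORD, a login grants ACCOUNT."""
    name: str
    gates: tuple
    grants: frozenset


@dataclass(frozen=True)
class Policy:
    site: str
    flows: tuple


def reachable(policy, held):
    """Least fixed point: keep completing any flow whose gates are passable with the
    capabilities held so far, adding what it grants, until nothing changes."""
    held = frozenset(held)
    changed = True
    while changed:
        changed = False
        for flow in policy.flows:
            if not flow.grants <= held and all(g.passable(held) for g in flow.gates):
                held |= flow.grants
                changed = True
    return held


def compromised_by(policy, held):
    return ACCOUNT in reachable(policy, held)


def sim_swap_alone(policy):
    """The study's headline criterion: does control of the phone number, with no
    password and no inbox, suffice to take over the account?"""
    return compromised_by(policy, {PHONE})


def blocking_gates(policy, held):
    """Gates still impassable after everything reachable has been reached; these are
    the points where a phishing-resistant factor would stop the attack."""
    final = reachable(policy, held)
    return [g.name for f in policy.flows for g in f.gates if not g.passable(final)]


# Constructed policies (hypothetical sites, not entries from the paper's dataset).
SMS_CODE = Gate("SMS one-time code", ({PHONE},))
KNOWS_PASSWORD = Gate("password", ({PASSWORD},))
EMAIL_LINK = Gate("email reset link", ({EMAIL},))
TOTP_CODE = Gate("TOTP code", ({TOTP},))

# Recovery by SMS alone plus SMS as the second factor: the pattern behind "compromised
# based on a SIM swap alone".
WEAK = Policy("example-weak", (
    Flow("password reset", (SMS_CODE,), frozenset({PASSWORD})),
    Flow("login", (KNOWS_PASSWORD, SMS_CODE), frozenset({ACCOUNT})),
))

# SMS second factor, but recovery goes through the inbox: a SIM swap must be combined
# with a leaked or phished password.
EMAIL_RECOVERY = Policy("example-email-recovery", (
    Flow("password reset", (EMAIL_LINK,), frozenset({PASSWORD})),
    Flow("login", (KNOWS_PASSWORD, SMS_CODE), frozenset({ACCOUNT})),
))

# No SMS anywhere: the phone number buys the attacker nothing.
STRONG = Policy("example-strong", (
    Flow("password reset", (EMAIL_LINK, TOTP_CODE), frozenset({PASSWORD})),
    Flow("login", (KNOWS_PASSWORD, TOTP_CODE), frozenset({ACCOUNT})),
))


if __name__ == "__main__":
    for policy in (WEAK, EMAIL_RECOVERY, STRONG):
        print(policy.site, "SIM swap alone:", sim_swap_alone(policy),
              "blocked at:", blocking_gates(policy, {PHONE}))
```

The fixed-point loop is what captures the chained attack the study describes: an SMS-only password reset turns the phone number into a password, and an SMS second factor then lets the same phone number finish the login. A site that offers SMS as an optional fallback on an authenticator-app gate is modelled with two alternatives on that gate, which makes it as weak as SMS-only for this check.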


PAPER/DATA

Read the paper (final version) » Slides » Video »

--------------------------------------------------------------------------------

Please see the list of revisions here.

We provide an interactive dataset of our MFA analysis at over 140 websites here.


RESPONSES

 * In January 2020, T-Mobile informed us that after reviewing our research, it
   had discontinued the use of call logs for customer authentication.
 * In January 2020, Adobe and Online.net informed us that after reviewing our
   vulnerability disclosures, they had implemented fixes to prevent user
   accounts from being compromised based on a SIM swap alone.
 * In February 2020, eBay and Snapchat informed us that after reviewing our
   vulnerability disclosures, they had implemented fixes to prevent user
   accounts from being compromised based on a SIM swap alone.
 * Nine websites remain vulnerable in their default configuration: AOL, Amazon,
   Finnair, Gaijin Entertainment, Mailchimp, PayPal, Venmo, WordPress.com, and
   Yahoo. These websites either failed to respond to us, did not understand our
   vulnerability report, or stated that they won't fix the issue.
 * Three websites fixed the issue without notifying us: Blizzard, Microsoft, and
   Taxact. We re-examined these websites in March 2020.


REVISIONS

Update (June 20, 2020): We have updated the paper to incorporate suggestions
received during our submission to the Sixteenth Symposium on Usable Privacy and
Security (SOUPS 2020), including discussion on the ethical considerations of our
method. We thank the anonymous SOUPS reviewers for their feedback and guidance
throughout the editing process! The updated paper is identical in content to
the SOUPS version. The previous version can be found here.

Update (March 25, 2020): We have updated our annotated dataset with responses 60
days after our disclosure. Our paper draft has also been updated to include
website names and disclosure responses. The previous version can be found here.


CITATION

@inproceedings{lee2020empirical,
	title={An Empirical Study of Wireless Carrier Authentication for {SIM} Swaps},
	author={Lee, Kevin and Kaiser, Benjamin and Mayer, Jonathan and Narayanan, Arvind},
	booktitle={Sixteenth Symposium on Usable Privacy and Security ({SOUPS} 2020)},
	pages={61--79},
	url={https://www.usenix.org/conference/soups2020/presentation/lee},
	year={2020}
}


CONTACT

We are computer science researchers affiliated with the Center for Information
Technology Policy at Princeton University.

Kevin Lee kvnl@cs.princeton.edu
Ben Kaiser bkaiser@princeton.edu
Jonathan Mayer jonathan.mayer@princeton.edu
Arvind Narayanan arvindn@cs.princeton.edu