Profile picture
, 17 tweets, 23 min read
My Authors
Read all threads
"SIM swap" attacks have been in the news for years. They’ve enabled serious financial crimes and even a hack of the Twitter CEO's account. We spent 6 months researching how vulnerable wireless accounts are to these attacks. Our draft study is out today. issms2fasecure.com
SIM swap attacks are low-tech but devastating: the attacker calls your carrier, pretends to be you, and asks to transfer service to a new SIM—one that the attacker controls. That’s bad enough, but hundreds of websites use SMS for 2-factor auth, putting your accounts at risk.
This study needed a mix of creativity, grunt work, and knowledge of the industry. All credit to @PrincetonCITP PhD students @kvn_l33 and @bkaiser93, as well as my faculty colleague @jonathanmayer (who previously worked at the @FCC on wireless carrier security).
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC We tested 5 major U.S. wireless carriers. For each carrier, we created 10 prepaid accounts and attempted a SIM swap on each account. We used prepaid because it’s easier to appear to be 10 different customers, which allowed us to test the consistency of carrier procedures.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC Unfortunately, all five carriers used authentication methods that are considered insecure in the computer security community. Taken together, these findings help explain why SIM swaps have been such a persistent problem. More details in our paper: issms2fasecure.com/assets/sim_swa…
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC One unusual finding: some carriers ask about recent calls the subscriber made, reasoning that an attacker can’t know this. But attackers can easily trick the victim into placing a call. *Inbound* calls were sometimes sufficient too—and obviously the attacker can call the victim.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC Authentication with account payment history was also insecure. We found that an attacker could purchase a small refill card, apply it to the victim’s account without authentication, and then use the amount and timing of the refill to carry out a SIM swap attack!
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC Particularly worrying: we didn’t see any indication that carriers were responding to authentication red flags. Failing a series of challenges just led to more challenges. Some customer service representatives even gave us hints. And some just… forgot to authenticate the caller.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC We notified the carriers initially in July and gave a detailed presentation to the carriers and @CTIA (the wireless trade association) in September. To its credit, @TMobile recently informed us that, in response to our research, it no longer uses call logs for authentication.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC @CTIA @TMobile How bad is it to fall victim to a SIM swap? After studying the carriers, we looked at popular websites that use SMS as an authentication factor. We tested 145 websites in total, using the handy database at twofactorauth.org as a starting point.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC @CTIA @TMobile We have a number of concerning findings but the most problematic is that there are 17 websites that simultaneously allow SMS both for password recovery and as the second factor for authentication. Given the ease of SIM swaps, that’s zero-factor auth, not two-factor auth.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC @CTIA @TMobile My guess is that in most of these cases the website operators don’t realize how insecure their configuration is. We’ve redacted the names of these websites for now and have begun notifying them. Unfortunately, some of these websites have billions of users each.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC @CTIA @TMobile While we were doing this research, it got personal for me. Around midnight on a Saturday, I got the dreaded text saying my service was being transferred to a new SIM. Smart move by the attacker—they counted on having the rest of the night to get into my online accounts.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC @CTIA @TMobile The reason the attacker didn’t manage to ruin my life is that I was on baby duty that night with a newborn who was keeping me awake. My wife was extremely confused when I woke her up, handed her a crying baby, and said I had to go take care of an emergency.😂
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC @CTIA @TMobile When I called customer service, I was in for a shock. They were not able to authenticate me (despite apparently having no problem authenticating the attacker). In particular, their system for emailing me a one-time password failed but they insisted the problem was on my end.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC @CTIA @TMobile In the craziest twist, we had *just* completed our initial analysis and knew the weaknesses of my carrier’s authentication protocol, and so I was able to use that info to talk the rep into handing me back my own account.
@PrincetonCITP @kvn_l33 @bkaiser93 @jonathanmayer @FCC @CTIA @TMobile Until the carriers fix these problems, you’re at risk of a SIM swap. But you can protect yourself right now. Take a few minutes to check all your online accounts. Make sure 2-factor authentication is enabled, and it’s a secure option such as an authenticator app, and not SMS.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Arvind Narayanan

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @random_walker see all

Profile picture
Arvind Narayanan
@random_walker
In a world where most companies use dark patterns, it’s easy to stand out by doing the right thing. Netflix will remind people who haven't watched in a while and may have forgotten that they subscribed. If they don’t respond, it will automatically cancel. media.netflix.com/en/company-blo…
Meanwhile, here's an innovation from the dark side. news.ycombinator.com/item?id=232798…
Hundreds of companies make it deliberately hard to cancel online subscriptions. It would be a huge public service to make a directory of cancellation procedures and dark patterns.

justdelete.me used to be a great crowd-sourced project but hasn't been updated in years.
Read 3 tweets
Profile picture
Arvind Narayanan
@random_walker
It's the age of dark patterns. In a new paper, we show how they emerged from three decades-long trends, highlight what's new and why it's deeply problematic, and exhort designers to do better.
dl.acm.org/doi/pdf/10.114… by @aruneshmathur, @ineffablicious, Mihir Kshirsagar, and me.
Manipulative sales practices have been around forever. But the online environment is different. In particular, user interfaces that optimize clicks using A/B testing and machine learning may gravitate toward deception even if that's not the designer's intent!
A big part of the answer to "where did dark patterns come from?" is growth hacking. It's a community filled with ingenuity but unfortunately didn't draw clear ethical lines. dl.acm.org/doi/pdf/10.114…
Read 4 tweets
Profile picture
Arvind Narayanan
@random_walker
This is like the unrealistic movie trope we all chuckle at in which a few badasses in their 70s have to come out of retirement to save the world because a long-forgotten horror has resurfaced and they're the only ones who know anything about it.
Turns out New Jersey's system for processing unemployment claims runs on COBOL and has fallen down under the load josephsteinberg.com/covid-19-respo…

Much of the world runs on COBOL and we never hear about it unless something breaks.
All joking aside, this is just a matter of supply and demand. It'll be much easier to find Cobalt programmers if you don't nickel-and-dime them.

(I'll show myself out.)
Read 3 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!