An Empirical Study of Wireless Carrier Authentication for SIM Swaps

Authors: 

Kevin Lee, Benjamin Kaiser, Jonathan Mayer, and Arvind Narayanan, Princeton University

Abstract: 

We examined the authentication procedures used by five prepaid wireless carriers when a customer attempted to change their SIM card. These procedures are an important line of defense against attackers who seek to hijack victims’ phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses. We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers. We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed. Authentication of SIM swap requests presents a classic usability-security trade-off, with carriers underemphasizing security. In an anecdotal evaluation of postpaid accounts at three carriers, presented in Appendix A, we also found—very tentatively—that some carriers may have implemented stronger authentication for postpaid accounts than for prepaid accounts.

To quantify the downstream effects of these vulnerabilities, we reverse-engineered the authentication policies of over 140 websites that offer phone-based authentication. We rated the level of vulnerability of users of each website to a SIM swap attack, and have released our findings as an annotated dataset on issms2fasecure.com. Notably, we found 17 websites on which user accounts can be compromised based on a SIM swap alone, i.e., without a password compromise. We encountered failures in vulnerability disclosure processes that resulted in these vulnerabilities remaining unfixed by nine of the 17 companies despite our responsible disclosure. Finally, we analyzed enterprise MFA solutions from three vendors, finding that two of them give users inadequate control over the security-usability tradeoff.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {255644,
author = {Kevin Lee and Benjamin Kaiser and Jonathan Mayer and Arvind Narayanan},
title = {An Empirical Study of Wireless Carrier Authentication for {SIM} Swaps},
booktitle = {Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)},
year = {2020},
isbn = {978-1-939133-16-8},
pages = {61--79},
url = {https://www.usenix.org/conference/soups2020/presentation/lee},
publisher = {USENIX Association},
month = aug
}

Presentation Video