An Empirical Study of Wireless Carrier Authentication for SIM Swaps

Presented at SOUPS 2020

We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
We found 17 websites on which user accounts can be compromised based on a SIM swap alone. After over 60 days since our disclosure, nine of these websites remain vulnerable in their default configuration.

Responses

In January 2020, T-Mobile informed us that after reviewing our research, it had discontinued the use of call logs for customer authentication.
In January 2020, Adobe and Online.net informed us that after reviewing our vulnerability disclosures, they have implemented fixes to to prevent user accounts from compromise based on a SIM swap alone.
In February 2020, eBay and Snapchat informed us that after reviewing our vulnerability disclosures, they have implemented fixes to to prevent user accounts from compromise based on a SIM swap alone.
Nine websites remain vulnerable in their default configuration: AOL, Amazon, Finnair, Gaijin Entertainment, Mailchimp, Paypal, Venmo, WordPress.com, and Yahoo. These websites either failed to respond to us, did not understand our vulnerability report, or stated that they won't fix the issue.
Three websites fixed the issue without notifying us: Blizzard, Microsoft, and Taxact. We re-examined these websites in March 2020.

Proposed FCC rules influenced by this study

In September 2021, the Federal Communications Commission launched a formal rulemaking process to protect consumers from SIM swap and number portability attacks. Acting Chair Rosenworcel specifically cited our research as a justification:

By all accounts, including a big, recent Princeton University study, this type of fraud is growing. . . . It's important we do this now. The Princeton University study I mentioned found that four out of five SIM swap attempts in the United States are successful. We can help fix this. I look forward to the record that develops and putting an end to this cyber fraud.

In response to the Notice of Proposed Rulemaking, we provided recommendations for refining and strengthening the Commission's proposed rules in November 2021. Our agency comments can be found here.

Revisions

Update (June 20, 2020): We have updated the paper to incorporate suggestions received during our submission to the Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), including discussion on the ethical considerations of our method. We thank the anonymous SOUPS reviewers for their feedback and guidance throughout the editing process. The post-print will be contentwise identical to the SOUPS (publisher) version. The March 2020 pre-print can be found here.

Update (March 25, 2020): We have updated our annotated dataset with responses 60 days after our disclosure. Our paper draft has also been updated to include website names and disclosure responses. The original pre-print can be found here.

Citation

@inproceedings{lee2020empirical,
	title = {An Empirical Study of Wireless Carrier Authentication for {SIM} Swaps},
	author = {Lee, Kevin and Kaiser, Benjamin and Mayer, Jonathan and Narayanan, Arvind},
	booktitle = {Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)},
	year = {2020},
	isbn = {978-1-939133-16-8},
	pages = {61--79},
	url = {https://www.usenix.org/conference/soups2020/presentation/lee},
	publisher = {USENIX Association},
	month = aug,
}

Kevin Lee	`kvnl@cs.princeton.edu`
Ben Kaiser	`bkaiser@princeton.edu`
Jonathan Mayer	`jonathan.mayer@princeton.edu`
Arvind Narayanan	`arvindn@cs.princeton.edu`

Is SMS 2FA secure?

No.