Is SMS 2FA Secure?

No.

An Empirical Study of Wireless Carrier Authentication for SIM Swaps

  • We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
  • We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
  • We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
  • We found 17 websites on which user accounts can be compromised based on a SIM swap alone.

Paper/Data

A draft of our paper can be downloaded here.

We provide an interactive dataset of our MFA analysis at over 140 websites here.

Responses

  • In January 2020, T-Mobile informed us that after reviewing our research, it has discontinued the use of call logs for customer authentication.

Contact

We are computer science researchers affiliated with the Center for Information Technology Policy at Princeton University.

Kevin Lee kvnl@cs.princeton.edu
Ben Kaiser bkaiser@princeton.edu
Jonathan Mayer jonathan.mayer@princeton.edu
Arvind Narayanan arvindn@cs.princeton.edu