Is SMS 2FA secure?

No.

An Empirical Study of Wireless Carrier Authentication for SIM Swaps

Presented at SOUPS 2020
  • We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
  • We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
  • We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
  • We found 17 websites on which user accounts can be compromised based on a SIM swap alone. After over 60 days since our disclosure, nine of these websites remain vulnerable in their default configuration.

Paper/Data

Read the paper (final version) » Slides » Video »

Please see the list of revisions here.

We provide an interactive dataset of our MFA analysis at over 140 websites here.

Responses

  • In January 2020, T-Mobile informed us that after reviewing our research, it had discontinued the use of call logs for customer authentication.
  • In January 2020, Adobe and Online.net informed us that after reviewing our vulnerability disclosures, they have implemented fixes to to prevent user accounts from compromise based on a SIM swap alone.
  • In February 2020, eBay and Snapchat informed us that after reviewing our vulnerability disclosures, they have implemented fixes to to prevent user accounts from compromise based on a SIM swap alone.
  • Nine websites remain vulnerable in their default configuration: AOL, Amazon, Finnair, Gaijin Entertainment, Mailchimp, Paypal, Venmo, WordPress.com, and Yahoo. These websites either failed to respond to us, did not understand our vulnerability report, or stated that they won't fix the issue.
  • Three websites fixed the issue without notifying us: Blizzard, Microsoft, and Taxact. We re-examined these websites in March 2020.

Revisions

Update (June 20, 2020): We have updated the paper to incorporate suggestions received during our submission to the Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), including discussion on the ethical considerations of our method. We thank the anonymous SOUPS reviewers for their feedback and guidance throughout the editing process! The updated paper is contentwise identical to the SOUPS version. The previous version can be found here.

Update (March 25, 2020): We have updated our annotated dataset with responses 60 days after our disclosure. Our paper draft has also been updated to include website names and disclosure responses. The previous version can be found here.

Citation

@inproceedings{lee2020empirical,
	title={An Empirical Study of Wireless Carrier Authentication for $\{$SIM$\}$ Swaps},
	author={Lee, Kevin and Kaiser, Benjamin and Mayer, Jonathan and Narayanan, Arvind},
	booktitle={Sixteenth Symposium on Usable Privacy and Security ($\{$SOUPS$\}$ 2020)},
	pages={61--79},
	url = {https://www.usenix.org/conference/soups2020/presentation/lee},
	year={2020}
}

Contact

We are computer science researchers affiliated with the Center for Information Technology Policy at Princeton University.

Kevin Lee kvnl@cs.princeton.edu
Ben Kaiser bkaiser@princeton.edu
Jonathan Mayer jonathan.mayer@princeton.edu
Arvind Narayanan arvindn@cs.princeton.edu