Design and Evaluation of Enumeration Attacks on Package Tracking Systems

  • Conference paper
  • Information Security and Privacy (ACISP 2020)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12248)

Abstract

Most shipping companies provide a package tracking system through which customers can easily check the delivery status of a package while it is in transit. In this paper, we present a security problem against package tracking systems that we call enumeration attacks, in which attackers can illegally collect customers' personal data through these systems. We specifically examined the security of the package tracking websites of the top five shipping companies in South Korea (Korea Post, CJ Logistics, Lotte Logistics, Logen, and Hanjin Shipping) and found that enumeration attacks can be easily implemented using package tracking numbers or phone numbers. To demonstrate the potential risks of enumeration attacks on package tracking systems, we automatically collected package tracking records from those websites with our attack tool. Over 6 months we gathered 1,398,112, 2,614,839, 797,676, 1,590,933, and 163,452 package delivery records from the websites of Korea Post, CJ Logistics, Lotte Logistics, Logen, and Hanjin Shipping, respectively. From those records we uncovered 4,420,214 names, 2,527,205 phone numbers, and 4,467,329 addresses. To prevent such enumeration attacks, we also suggest four practical defense approaches.

Notes

  1. We denote \(\varDelta PTN(i)\) for all i in the collected PTNs as \(\varDelta PTN\).

  2. We believe that Hanjin Shipping uses a DDoS mitigation solution at the network level rather than a “maximum failed attempts allowed” policy at the web application level, because we could not access the website itself when we queried it multiple times within a short time interval.

  3. We surmise that PTNs may contain some meaningful information (e.g., location and time) about package delivery records because they have a well-formatted structure.

Acknowledgement

This work was supported in part by the NRF of Korea (NRF-2019R1C1C1007118), the ITRC Support Program (IITP-2019- 2015-0-00403), and the ICT R&D Programs (No. 2017-0-00545).

Correspondence to Hyoungshick Kim.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Jang, H., Ji, W., Woo, S.S., Kim, H. (2020). Design and Evaluation of Enumeration Attacks on Package Tracking Systems. In: Liu, J., Cui, H. (eds) Information Security and Privacy. ACISP 2020. Lecture Notes in Computer Science, vol 12248. Springer, Cham. https://doi.org/10.1007/978-3-030-55304-3_28

  • DOI: https://doi.org/10.1007/978-3-030-55304-3_28
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-55303-6
  • Online ISBN: 978-3-030-55304-3
  • eBook Packages: Computer Science (R0)