research-article

Free access

Security analysis of SMS as a second factor of authentication

Author:

Roger Piqueras JoverAuthors Info & Claims

Communications of the ACM, Volume 63, Issue 12

Pages 46 - 52

https://doi.org/10.1145/3424260

Published: 17 November 2020 Publication History

All formats PDF

Abstract

The challenges of multifactor authentication based on SMS, including cellular security deficiencies, SS7 exploits, and SIM swapping.

References

[1]

Alfonsi, S. Hacking your phone. CBS News, 2016; https://www.cbsnews.com/video/hacking-your-phone/.

Google Scholar

[2]

Cimpanu, C. Newer Diameter telephony protocol just as vulnerable as SS7. Bleeping Computer, 2018; https://www.bleepingcomputer.com/news/security/newer-diameter-telephony-protocol-just-as-vulnerable-as-ss7/.

Google Scholar

[3]

Coonce, S. The most expensive lesson of my life: details of SIM port hack. Medium, 2019; https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124.

Google Scholar

[4]

Cox, J. Hackers are breaking directly into telecom companies to take over customer phone numbers. Motherboard Tech by Vice, 2020; https://www.vice.com/en_us/article/5dmbjx/how-hackers-are-breaking-into-att-tmobile-sprint-to-sim-swap-yeh.

Google Scholar

[5]

Engel, T. SS7: Locate. track. manipulate. 31st Chaos Communication Congress, 2014.

Google Scholar

[6]

Golde, N., Redon, K., Seifert, J.-P. 2013. Let me answer that for you: exploiting broadcast information in cellular networks. In Proceedings of the 22^nd Usenix Security Symp. 33-48; https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_golde.pdf.

Google Scholar

[7]

Greenberg, A. The SIM swap fix that the U.S. isn't using. Wired, 2019; https://www.wired.com/story/sim-swap-fix-carriers-banks/.

Google Scholar

[8]

Honan, M. How Apple and Amazon security flaws led to my epic hacking. Wired, 2012; https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/.

Google Scholar

[9]

Hunt, T. Beyond passwords: 2FA, U2F and Google Advanced Protection, 2018; https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/.

Google Scholar

[10]

Hunt, T. Have I been pwned, 2020; https://haveibeenpwned.com/.

Google Scholar

[11]

Hussain, S. R., Echeverria, M., Karim, I., Chowdhury, O., Bertino, E. 5GReasoner: a property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the ACM SIGSAC Conf. Computer and Communications Security, 2019; 669--684; https://dl.acm.org/doi/abs/10.1145/3319535.3354263.

Crossref

Google Scholar

[12]

Inglesant, P.G., Sasse, M.A. The true cost of unusable password policies: password use in the wild. In Proceedings of the SIGCHI Conf. Human Factors in Computing Systems, 2010; 383--392; https://dl.acm.org/doi/10.1145/1753326.1753384.

Crossref

Google Scholar

[13]

Jover, R.P. LTE security and protocol exploits. ShmooCon 2016 Proceedings; https://shmoo.gitbook.io/2016-shmoocon-proceedings/bring_it_on/05_lte_security_and_protocol_exploits.

Google Scholar

[14]

Jover, R.P. LTE security, protocol exploits and location tracking experimentation with low-cost software radio. CoRR, 2016, abs/1607.05171; https://arxiv.org/abs/1607.05171.

Google Scholar

[15]

Jover, R.P. 5G protocol vulnerabilities and exploits. ShmooCon 2020; http://rogerpiquerasjover.net/5G_ShmooCon_FINAL.pdf.

Google Scholar

[16]

Jover, R.P., Marojevic, V. Security and protocol exploit analysis of the 5G specifications. IEEE Access, 2019; https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8641117.

Google Scholar

[17]

Kune, D.F., Koelndorfer, J., Hopper, N., Kim, Y. Location leaks on the GSM air interface. In Proceedings of the 19^th Annual Network and Distributed System Security Symp., 2012; https://www-users.cs.umn.edu/~hoppernj/celluloc.pdf.

Google Scholar

[18]

Lee, K., Kaiser, B., Mayer, J., Narayanan, A. An empirical study of wireless carrier authentication for SIM swaps. In Proceedings of the 16^th Symp. Usable Privacy and Security; https://www.ieee-security.org/TC/SPW2020/ConPro/papers/lee-conpro20.pdf.

Google Scholar

[19]

Liu, C.-H., Chang, Y.-C., Huang, N.-F., Ling, Y.-L., Jan, H.-J. CAMEL evolution and PPS evaluation. IEEE Intelligent Network 2001 Workshop, 9-13. IEEE; https://ieeexplore.ieee.org/document/915288.

Google Scholar

[20]

Mitre Corporation. Exploit SS7 to redirect phone calls/SMS. MITRE ATT&CK Framework; https://attack.mitre.org/techniques/T1449/.

Google Scholar

[21]

New York State Department of Consumer Protection. ATT SIM-card switch scam; https://www.dos.ny.gov/consumerprotection/scams/att-sim.html.

Google Scholar

[22]

Nohl, K. Breaking GSM phone privacy. Black Hat USA; https://srlabs.de/wp-content/uploads/2010/07/100729.Breaking.GSM_.Privacy.BlackHat1-1.pdf.

Google Scholar

[23]

Nohl, K., Munaut, S. Wideband GSM sniffing. In Proceedings of the 27^th Chaos Communication Congress; https://fahrplan.events.ccc.de/congress/2010/Fahrplan/events/4208.en.html.

Google Scholar

[24]

Perez, D., Pico, J. A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications. Black Hat DC, 2011; https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf.

Google Scholar

[25]

Russell, T. 2002. Signaling System# 7, 2 (2002). McGraw-Hill, New York, NY.

Google Scholar

[26]

Shaik, A., Borgaonkar, R. New vulnerabilities in 5G networks. Black Hat 2019; https://i.blackhat.com/USA-19/Wednesday/us-19-Shaik-New-Vulnerabilities-In-5G-Networks-wp.pdf.

Google Scholar

[27]

Shaik, A., Borgaonkar, R., Asokan, N., Niemi, V., Seifert, J.-P. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In Proceedings of the 23^rd Annual Network and Distributed System Security Symp; https://www.ndss-symposium.org/wp-content/uploads/2017/09/06_5-ndss2016-slides_0.pdf.

Google Scholar

[28]

Third Generation Partnership Project (3GPP) Technical Specification Group Services and System Aspects. Security architecture and procedures for 5G system. 3GPP TS 33.501, V1.0.0, 2018; https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169.

Google Scholar

[29]

Weber, J.E., Guster, D., Safonov, P., Schmidt, M.B. Weak password security: An empirical study. Information Security J.: A Global Perspective 17, 1 (2008), 45--54; https://dl.acm.org/doi/10.1080/10658980701824432.

Digital Library

Google Scholar

[30]

XKCD. Password strength; https://xkcd.com/936/.

Google Scholar

Cited By

View all

Kaur B(2024)Online Fraud ForensicsInternationalization of Sport Events Through Branding Opportunities10.4018/979-8-3693-4038-7.ch015(269-296)Online publication date: 23-Oct-2024
https://doi.org/10.4018/979-8-3693-4038-7.ch015
Bhavana SDoreen Hephzibah Miriam DRene Robin C(2024)Understanding the Implications of SIM Card Swap Fraud in India: A Comprehensive Study2024 International Conference on Communication, Computing and Internet of Things (IC3IoT)10.1109/IC3IoT60841.2024.10550217(1-8)Online publication date: 17-Apr-2024
https://doi.org/10.1109/IC3IoT60841.2024.10550217
Klivan SHöltervennhoff SHuaman NKrause ASimko LAcar YFahl SMeng WJensen CCremers CKirda E(2023)"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery DeploymentsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623180(3138-3152)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623180
Show More Cited By

Index Terms

Security analysis of SMS as a second factor of authentication
1. Human-centered computing
  1. Ubiquitous and mobile computing
    1. Ubiquitous and mobile devices
      1. Mobile phones
2. Security and privacy
  1. Cryptography
    1. Symmetric cryptography and hash functions
      1. Hash functions and message authentication codes

Recommendations

Security Analysis of SMS as a Second Factor of Authentication: The challenges of multifactor authentication based on SMS, including cellular security deficiencies, SS7 exploits, and SIM swapping
Keys and Identity

Despite their popularity and ease of use, SMS-based authentication tokens are arguably one of the least secure forms of two-factor authentication. This does not imply, however, that it is an invalid method for securing an online account. The current ...
Cryptanalysis and Security Enhancement of Three-Factor Remote User Authentication Scheme for Multi-Server Environment

Recently, Om et al. proposed three-factor remote user authentication protocol using ElGamal cryptosystem and ensured that it is withstands to various kinds of security attacks. But, the authors review carefully Om et al.'s scheme and discover that it ...
Mobile Authentication Scheme Using SMS
SSME '09: Proceedings of the 2009 IITA International Conference on Services Science, Management and Engineering

Identity authentication is the first line of defense in the security application system to access the mobile network resources. However, as the means of attacking become variety, new requirements have been brought forward for the technology of identity ...

Comments

Information & Contributors

Information

Published In

Communications of the ACM Volume 63, Issue 12

December 2020

92 pages

ISSN:0001-0782

EISSN:1557-7317

DOI:10.1145/3437360

Editor:
Andrew A. Chien
Association for Computing Machinery, New York, NY

Issue’s Table of Contents

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 November 2020

Published in CACM Volume 63, Issue 12

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Popular
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
10,265
Total Downloads

Downloads (Last 12 months)1,001
Downloads (Last 6 weeks)106

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Kaur B(2024)Online Fraud ForensicsInternationalization of Sport Events Through Branding Opportunities10.4018/979-8-3693-4038-7.ch015(269-296)Online publication date: 23-Oct-2024
https://doi.org/10.4018/979-8-3693-4038-7.ch015
Bhavana SDoreen Hephzibah Miriam DRene Robin C(2024)Understanding the Implications of SIM Card Swap Fraud in India: A Comprehensive Study2024 International Conference on Communication, Computing and Internet of Things (IC3IoT)10.1109/IC3IoT60841.2024.10550217(1-8)Online publication date: 17-Apr-2024
https://doi.org/10.1109/IC3IoT60841.2024.10550217
Klivan SHöltervennhoff SHuaman NKrause ASimko LAcar YFahl SMeng WJensen CCremers CKirda E(2023)"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery DeploymentsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623180(3138-3152)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623180
Rao SBakas ABoureanu ISchneider SReaves BTippenhauer N(2023)Authenticating Mobile Users to Public Internet Commodity Services Using SIM TechnologyProceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3558482.3590181(151-162)Online publication date: 29-May-2023
https://dl.acm.org/doi/10.1145/3558482.3590181
Alanya-Beltran JPadilla-Caballero JSingh DSudhakar AKhalid Ibrahim RAlazzam M(2023)Development of smart grid infrastructure in cybersecurity2023 3rd International Conference on Advance Computing and Innovative Technologies in Engineering (ICACITE)10.1109/ICACITE57410.2023.10182371(2643-2648)Online publication date: 12-May-2023
https://doi.org/10.1109/ICACITE57410.2023.10182371
Catalano CTommasi F(2023)Persistent MobileApp-in-the-Middle (MAitM) attackJournal of Computer Virology and Hacking Techniques10.1007/s11416-023-00484-zOnline publication date: 30-Jun-2023
https://doi.org/10.1007/s11416-023-00484-z
Kruzikova AMatyas VBroz M(2023)Authentication of IT Professionals in the Wild – A SurveySecurity Protocols XXVIII10.1007/978-3-031-43033-6_5(43-56)Online publication date: 27-Mar-2023
https://dl.acm.org/doi/10.1007/978-3-031-43033-6_5

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Digital Edition

View this article in digital edition.

Digital Edition

Magazine Site

View this article on the magazine site (external)

Magazine Site

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

References

Cited By

Index Terms

Recommendations