|
@
random_walker
Princeton, NJ
|
|
Princeton prof. I use Twitter to share my research & commentary on surveillance capitalism, infosec, cryptocurrencies, AI ethics, tech policy, & academic life.
|
|
|
9.509
Tweetovi
|
188
Pratim
|
66.267
Osobe koje vas prate
|
| Tweetovi |
|
Arvind Narayanan
@random_walker
|
23. sij |
|
Sounds like the NYT syndicated this AP story by @josephpisani and published it after stripping out the two links — to your paper and to ours😬 apnews.com/5ae387ca1b93c9…
Thanks NYT.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
23. sij |
|
There's a story going around about cheating in a Kaggle contest, so I wanted to share a paper about the time I teamed up with @ElaineRShi and @bipr to cheat in a Kaggle contest—with the permission of the organizers!—to prove a point about de-anonymization: arxiv.org/pdf/1102.4374.…
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
18. sij |
|
Sure, see here sts-program.mit.edu/event/arthur-m…
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
17. sij |
|
Thanks for the tweet. Given that the other three authors @kvn_l33, @bkaiser93, and @jonathanmayer are also Princeton scholars, I'm surprised that you chose to mention only me. Also, your characterization that I led the study is incorrect.
|
||
|
|
||
| Arvind Narayanan proslijedio/la je tweet | ||
|
Catalina Goanta
@CatalinaGoanta
|
12. sij |
|
@ATT is already facing a number of lawsuits for its negligence in #simswap attacks. One employee was a prolific sim swapper and would charge $4,300 for a stint, according to a court case filed in October, to be heard in California ➡️punitive damages as a private remedy twitter.com/random_walker/…
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
12. sij |
|
Sure thing.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
11. sij |
|
We primarily tested prepaid accounts. It's possible that postpaid accounts have better protection. But there are 80 million prepaid accounts in the U.S. and this would be yet another way in which lower-income people are more vulnerable to security threats. isSMS2FAsecure.com twitter.com/random_walker/…
|
||
|
|
||
| Arvind Narayanan proslijedio/la je tweet | ||
|
Ron Wyden
@RonWyden
|
10. sij |
|
Consumers are at the mercy of wireless carriers when it comes to being protected against SIM swaps. It’s time for the FCC to step up and protect consumers by holding carriers accountable when their systems fail to protect against SIM swapping. twitter.com/random_walker/…
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
We did a very limited test of postpaid accounts (one attempt per carrier). See Appendix A / Table 4. Two carriers had more stringent procedures, but one did not. issms2fasecure.com/assets/sim_swa…
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
Until the carriers fix these problems, you’re at risk of a SIM swap. But you can protect yourself right now. Take a few minutes to check all your online accounts. Make sure 2-factor authentication is enabled, and it’s a secure option such as an authenticator app, and not SMS.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
In the craziest twist, we had *just* completed our initial analysis and knew the weaknesses of my carrier’s authentication protocol, and so I was able to use that info to talk the rep into handing me back my own account.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
When I called customer service, I was in for a shock. They were not able to authenticate me (despite apparently having no problem authenticating the attacker). In particular, their system for emailing me a one-time password failed but they insisted the problem was on my end.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
The reason the attacker didn’t manage to ruin my life is that I was on baby duty that night with a newborn who was keeping me awake. My wife was extremely confused when I woke her up, handed her a crying baby, and said I had to go take care of an emergency.😂
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
While we were doing this research, it got personal for me. Around midnight on a Saturday, I got the dreaded text saying my service was being transferred to a new SIM. Smart move by the attacker—they counted on having the rest of the night to get into my online accounts.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
My guess is that in most of these cases the website operators don’t realize how insecure their configuration is. We’ve redacted the names of these websites for now and have begun notifying them. Unfortunately, some of these websites have billions of users each.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
We have a number of concerning findings but the most problematic is that there are 17 websites that simultaneously allow SMS both for password recovery and as the second factor for authentication. Given the ease of SIM swaps, that’s zero-factor auth, not two-factor auth.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
How bad is it to fall victim to a SIM swap? After studying the carriers, we looked at popular websites that use SMS as an authentication factor. We tested 145 websites in total, using the handy database at twofactorauth.org as a starting point.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
Particularly worrying: we didn’t see any indication that carriers were responding to authentication red flags. Failing a series of challenges just led to more challenges. Some customer service representatives even gave us hints. And some just… forgot to authenticate the caller.
|
||
|
|
||
|
Arvind Narayanan
@random_walker
|
10. sij |
|
Authentication with account payment history was also insecure. We found that an attacker could purchase a small refill card, apply it to the victim’s account without authentication, and then use the amount and timing of the refill to carry out a SIM swap attack!
|
||
|
|
||