Arvind NarayananVerified account

@random_walker

Princeton prof. I use Twitter to share my research & commentary on surveillance capitalism, infosec, cryptocurrencies, AI ethics, tech policy, & academic life.

Joined December 2007

Tweets

You blocked @random_walker

Are you sure you want to view these Tweets? Viewing Tweets won't unblock @random_walker

  1. Pinned Tweet

    When we watch TV, our TVs watch us back and track our habits. This practice has exploded recently since it hasn’t faced much public scrutiny. But in the last few days, not one but *three* papers have dropped that uncover the extent of tracking on TVs. Let me tell you about them.

    Show this thread
    Undo
  2. There's a story going around about cheating in a Kaggle contest, so I wanted to share a paper about the time I teamed up with and to cheat in a Kaggle contest—with the permission of the organizers!—to prove a point about de-anonymization:

    Undo
  3. Retweeted
    Jan 12

    is already facing a number of lawsuits for its negligence in attacks. One employee was a prolific sim swapper and would charge $4,300 for a stint, according to a court case filed in October, to be heard in California ➡️punitive damages as a private remedy

    Show this thread
    Undo
  4. We primarily tested prepaid accounts. It's possible that postpaid accounts have better protection. But there are 80 million prepaid accounts in the U.S. and this would be yet another way in which lower-income people are more vulnerable to security threats.

    Undo
  5. Retweeted
    Jan 10

    Consumers are at the mercy of wireless carriers when it comes to being protected against SIM swaps. It’s time for the FCC to step up and protect consumers by holding carriers accountable when their systems fail to protect against SIM swapping.

    Show this thread
    Undo
  6. Until the carriers fix these problems, you’re at risk of a SIM swap. But you can protect yourself right now. Take a few minutes to check all your online accounts. Make sure 2-factor authentication is enabled, and it’s a secure option such as an authenticator app, and not SMS.

    Show this thread
    Undo
  7. In the craziest twist, we had *just* completed our initial analysis and knew the weaknesses of my carrier’s authentication protocol, and so I was able to use that info to talk the rep into handing me back my own account.

    Show this thread
    Undo
  8. When I called customer service, I was in for a shock. They were not able to authenticate me (despite apparently having no problem authenticating the attacker). In particular, their system for emailing me a one-time password failed but they insisted the problem was on my end.

    Show this thread
    Undo
  9. The reason the attacker didn’t manage to ruin my life is that I was on baby duty that night with a newborn who was keeping me awake. My wife was extremely confused when I woke her up, handed her a crying baby, and said I had to go take care of an emergency.😂

    Show this thread
    Undo
  10. While we were doing this research, it got personal for me. Around midnight on a Saturday, I got the dreaded text saying my service was being transferred to a new SIM. Smart move by the attacker—they counted on having the rest of the night to get into my online accounts.

    Show this thread
    Undo
  11. My guess is that in most of these cases the website operators don’t realize how insecure their configuration is. We’ve redacted the names of these websites for now and have begun notifying them. Unfortunately, some of these websites have billions of users each.

    Show this thread
    Undo
  12. We have a number of concerning findings but the most problematic is that there are 17 websites that simultaneously allow SMS both for password recovery and as the second factor for authentication. Given the ease of SIM swaps, that’s zero-factor auth, not two-factor auth.

    Show this thread
    Undo
  13. How bad is it to fall victim to a SIM swap? After studying the carriers, we looked at popular websites that use SMS as an authentication factor. We tested 145 websites in total, using the handy database at as a starting point.

    Show this thread
    Undo
  14. We notified the carriers initially in July and gave a detailed presentation to the carriers and (the wireless trade association) in September. To its credit, recently informed us that, in response to our research, it no longer uses call logs for authentication.

    Show this thread
    Undo
  15. Particularly worrying: we didn’t see any indication that carriers were responding to authentication red flags. Failing a series of challenges just led to more challenges. Some customer service representatives even gave us hints. And some just… forgot to authenticate the caller.

    Show this thread
    Undo
  16. Authentication with account payment history was also insecure. We found that an attacker could purchase a small refill card, apply it to the victim’s account without authentication, and then use the amount and timing of the refill to carry out a SIM swap attack!

    Show this thread
    Undo
  17. One unusual finding: some carriers ask about recent calls the subscriber made, reasoning that an attacker can’t know this. But attackers can easily trick the victim into placing a call. *Inbound* calls were sometimes sufficient too—and obviously the attacker can call the victim.

    Show this thread
    Undo
  18. Unfortunately, all five carriers used authentication methods that are considered insecure in the computer security community. Taken together, these findings help explain why SIM swaps have been such a persistent problem. More details in our paper:

    Show this thread
    Undo
  19. We tested 5 major U.S. wireless carriers. For each carrier, we created 10 prepaid accounts and attempted a SIM swap on each account. We used prepaid because it’s easier to appear to be 10 different customers, which allowed us to test the consistency of carrier procedures.

    Show this thread
    Undo
  20. This study needed a mix of creativity, grunt work, and knowledge of the industry. All credit to PhD students and , as well as my faculty colleague (who previously worked at the on wireless carrier security).

    Show this thread
    Undo
  21. SIM swap attacks are low-tech but devastating: the attacker calls your carrier, pretends to be you, and asks to transfer service to a new SIM—one that the attacker controls. That’s bad enough, but hundreds of websites use SMS for 2-factor auth, putting your accounts at risk.

    Show this thread
    Undo

Loading seems to be taking a while.

Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

    You may also like

    ·