Tweets
- Tweets, current page.
- Tweets & replies
- Media
You blocked @random_walker
Are you sure you want to view these Tweets? Viewing Tweets won't unblock @random_walker
-
Pinned Tweet
When we watch TV, our TVs watch us back and track our habits. This practice has exploded recently since it hasn’t faced much public scrutiny. But in the last few days, not one but *three* papers have dropped that uncover the extent of tracking on TVs. Let me tell you about them.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
There's a story going around about cheating in a Kaggle contest, so I wanted to share a paper about the time I teamed up with
@ElaineRShi and@bipr to cheat in a Kaggle contest—with the permission of the organizers!—to prove a point about de-anonymization: https://arxiv.org/pdf/1102.4374.pdf …Thanks. Twitter will use this to make your timeline better. UndoUndo -
Arvind Narayanan Retweeted
@ATT is already facing a number of lawsuits for its negligence in#simswap attacks. One employee was a prolific sim swapper and would charge $4,300 for a stint, according to a court case filed in October, to be heard in California
punitive damages as a private remedyhttps://twitter.com/random_walker/status/1215689116253290501 …Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
We primarily tested prepaid accounts. It's possible that postpaid accounts have better protection. But there are 80 million prepaid accounts in the U.S. and this would be yet another way in which lower-income people are more vulnerable to security threats. http://isSMS2FAsecure.com https://twitter.com/random_walker/status/1215689116253290501 …
Thanks. Twitter will use this to make your timeline better. UndoUndo -
Arvind Narayanan Retweeted
Consumers are at the mercy of wireless carriers when it comes to being protected against SIM swaps. It’s time for the FCC to step up and protect consumers by holding carriers accountable when their systems fail to protect against SIM swapping.https://twitter.com/random_walker/status/1215689116253290501 …
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
Until the carriers fix these problems, you’re at risk of a SIM swap. But you can protect yourself right now. Take a few minutes to check all your online accounts. Make sure 2-factor authentication is enabled, and it’s a secure option such as an authenticator app, and not SMS.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
In the craziest twist, we had *just* completed our initial analysis and knew the weaknesses of my carrier’s authentication protocol, and so I was able to use that info to talk the rep into handing me back my own account.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
When I called customer service, I was in for a shock. They were not able to authenticate me (despite apparently having no problem authenticating the attacker). In particular, their system for emailing me a one-time password failed but they insisted the problem was on my end.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
The reason the attacker didn’t manage to ruin my life is that I was on baby duty that night with a newborn who was keeping me awake. My wife was extremely confused when I woke her up, handed her a crying baby, and said I had to go take care of an emergency.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
While we were doing this research, it got personal for me. Around midnight on a Saturday, I got the dreaded text saying my service was being transferred to a new SIM. Smart move by the attacker—they counted on having the rest of the night to get into my online accounts.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
My guess is that in most of these cases the website operators don’t realize how insecure their configuration is. We’ve redacted the names of these websites for now and have begun notifying them. Unfortunately, some of these websites have billions of users each.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
We have a number of concerning findings but the most problematic is that there are 17 websites that simultaneously allow SMS both for password recovery and as the second factor for authentication. Given the ease of SIM swaps, that’s zero-factor auth, not two-factor auth.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
How bad is it to fall victim to a SIM swap? After studying the carriers, we looked at popular websites that use SMS as an authentication factor. We tested 145 websites in total, using the handy database at http://twofactorauth.org as a starting point.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Particularly worrying: we didn’t see any indication that carriers were responding to authentication red flags. Failing a series of challenges just led to more challenges. Some customer service representatives even gave us hints. And some just… forgot to authenticate the caller.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
Authentication with account payment history was also insecure. We found that an attacker could purchase a small refill card, apply it to the victim’s account without authentication, and then use the amount and timing of the refill to carry out a SIM swap attack!
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
One unusual finding: some carriers ask about recent calls the subscriber made, reasoning that an attacker can’t know this. But attackers can easily trick the victim into placing a call. *Inbound* calls were sometimes sufficient too—and obviously the attacker can call the victim.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
Unfortunately, all five carriers used authentication methods that are considered insecure in the computer security community. Taken together, these findings help explain why SIM swaps have been such a persistent problem. More details in our paper: https://www.issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf …pic.twitter.com/2Qo6SHX9Rc
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
We tested 5 major U.S. wireless carriers. For each carrier, we created 10 prepaid accounts and attempted a SIM swap on each account. We used prepaid because it’s easier to appear to be 10 different customers, which allowed us to test the consistency of carrier procedures.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
This study needed a mix of creativity, grunt work, and knowledge of the industry. All credit to
@PrincetonCITP PhD students@kvn_l33 and@bkaiser93, as well as my faculty colleague@jonathanmayer (who previously worked at the@FCC on wireless carrier security).Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo -
SIM swap attacks are low-tech but devastating: the attacker calls your carrier, pretends to be you, and asks to transfer service to a new SIM—one that the attacker controls. That’s bad enough, but hundreds of websites use SMS for 2-factor auth, putting your accounts at risk.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.