Security Analysis of SMS as a Second Factor of Authentication

Despite their popularity and ease of use, SMS-based authentication tokens are arguably one of the least secure forms of two-factor authentication. This does not imply, however, that they are an invalid method for securing an online account. The current security landscape is very different from that of two decades ago. No matter how critical an online account is or who owns it, using a second form of authentication should always be the default option, regardless of the method chosen. In the wake of a large number of leaks and other intrusions, many username and password combinations are in the wrong hands, which makes password spraying attacks cheap and easy to accomplish.
