Sending Out an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways

Text messages sent via the Short Message Service (SMS) have revolutionized interpersonal communication. Recent years have also seen this service become a critical component of the security infrastructure, assisting with tasks including identity verification and second-factor authentication. At the same time, this messaging infrastructure has become dramatically more open and connected to public networks than ever before. However, the implications of this openness, the security practices of benign services, and the malicious misuse of this ecosystem are not well understood. In this paper, we provide the first longitudinal study to answer these questions, analyzing nearly 400,000 text messages sent to public online SMS gateways over the course of 14 months. From this data, we are able to identify not only a range of services sending extremely sensitive plaintext data and implementing low entropy solutions for one-use codes, but also offer insights into the prevalence of SMS spam and behaviors indicating that public gateways are primarily used for evading account creation policies that require verified phone numbers. This latter finding has significant implications for research combatting phone-verified account fraud and demonstrates that such evasion will continue to be difficult to detect and prevent.

[1]  Security of mobile TAN on smartphones A risk analysis for the iOS and Android smartphone platforms , 2012 .

[2]  Thomas F. La Porta,et al.  Exploiting open functionality in SMS-capable cellular networks , 2005, CCS '05.

[3]  Patrick Traynor,et al.  Mo(bile) Money, Mo(bile) Problems , 2017, ACM Trans. Priv. Secur..

[4]  Adi Shamir,et al.  A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony , 2010, CRYPTO.

[5]  Thomas F. La Porta,et al.  Security for Telecommunications Networks , 2008, Advances in Information Security.

[6]  Rolf Haenni,et al.  Attacking the Verification Code Mechanism in the Norwegian Internet Voting System , 2013, VoteID.

[7]  Patrick D. McDaniel,et al.  On Attack Causality in Internet-Connected Cellular Networks , 2007, USENIX Security Symposium.

[8]  T. Grance,et al.  SP 800-122. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) , 2010 .

[9]  Micah Sherr,et al.  $100,000 prize jackpot. call now!: identifying the pertinent features of SMS spam , 2012, SIGIR '12.

[10]  Delbert Dueck,et al.  Clustering by Passing Messages Between Data Points , 2007, Science.

[11]  Christopher Krügel,et al.  Framing Dependencies Introduced by Underground Commoditization , 2015, WEIS.

[12]  Wassim El-Hajj,et al.  Two factor authentication using mobile phones , 2009, 2009 IEEE/ACS International Conference on Computer Systems and Applications.

[13]  Patrick Traynor Characterizing the Security Implications of Third-Party Emergency Alert Systems over Cellular Text Messaging Services , 2012, IEEE Transactions on Mobile Computing.

[14]  Eli Biham,et al.  Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication , 2003, Journal of Cryptology.

[15]  Chris Kanich,et al.  Spamalytics: an empirical analysis of spam marketing conversion , 2009, CACM.

[16]  Nan Jiang,et al.  Greystar : Fast and Accurate Detection of SMS Spam Numbers in Large Cellular Networks using Grey Phone Space , 2013 .

[17]  Ann E. Skudlark Characterizing SMS spam in a large cellular network via mining victim spam reports , 2014 .

[18]  Prateek Saxena,et al.  The curse of 140 characters: evaluating the efficacy of SMS spam detection on android , 2013, SPSM '13.

[19]  Vern Paxson,et al.  Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse , 2013, USENIX Security Symposium.

[20]  Patrick Stewin,et al.  Elektrotechnik und Informatik SMS-based One-Time Passwords : Attacks and Defense , 2014 .

[21]  Chris Kanich,et al.  Show Me the Money: Characterizing Spam-advertised Revenue , 2011, USENIX Security Symposium.

[22]  Mat Honan 29. How Apple and Amazon Security Flaws Led to My Epic Hacking , 2013 .

[23]  Jan-Erik Lothe Eide SMS One-Time Passwords, Security in Two-Factor Authentication , 2015 .

[24]  Dimitri do B. DeFigueiredo,et al.  The Case for Mobile Two-Factor Authentication , 2011, IEEE Security & Privacy.

[25]  Stefan Savage,et al.  Manufacturing compromise: the emergence of exploit-as-a-service , 2012, CCS.

[26]  Bruce Schneier,et al.  Two-factor authentication: too little, too late , 2005, CACM.

[27]  Wenke Lee,et al.  The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers , 2013, NDSS.

[28]  Lynne Milgram,et al.  The International Organization for Standardization (ISO) , 1999 .

[29]  Diomidis Spinellis,et al.  The Athens Affair , 2007, IEEE Spectrum.

[30]  Adi Shamir,et al.  A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony , 2010, Journal of Cryptology.

[31]  Ravishankar Borgaonkar,et al.  Weaponizing Femtocells: The Effect of Rogue Devices on Mobile Telecommunications , 2012, NDSS.

[32]  Alex Biryukov,et al.  Real Time Cryptanalysis of A5/1 on a PC , 2000, FSE.

[33]  Dawn Xiaodong Song,et al.  Insights from the Inside: A View of Botnet Management from Infiltration , 2010, LEET.

[34]  Roger Piqueras Jover,et al.  Crime scene investigation: SMS spam data analysis , 2012, IMC '12.

[35]  Edgar R. Weippl,et al.  IMSI-catch me if you can: IMSI-catcher-catchers , 2014, ACSAC.

[36]  Steve Hanna,et al.  A survey of mobile malware in the wild , 2011, SPSM '11.

[37]  Yvo Desmedt,et al.  How to Attack Two-Factor Authentication Internet Banking , 2013, Financial Cryptography.

[38]  Ahmad-Reza Sadeghi,et al.  On the (In)Security of Mobile Two-Factor Authentication , 2014, Financial Cryptography.

[39]  Christopher Krügel,et al.  Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.

[40]  Damon McCoy,et al.  Dialing Back Abuse on Phone Verified Accounts , 2014, CCS.

[41]  Somayeh Salimi,et al.  New attacks on UMTS network access , 2009, 2009 Wireless Telecommunications Symposium.

[42]  Herbert Bos,et al.  How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication , 2016, Financial Cryptography.

[43]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[44]  Sarah Jane Delany,et al.  SMS spam filtering: Methods and data , 2012, Expert Syst. Appl..