论文信息 - Design and Evaluation of Enumeration Attacks on Package Tracking Systems

Design and Evaluation of Enumeration Attacks on Package Tracking Systems

Most shipping companies provide a package tracking system where customers can easily track their package delivery status when the package is being shipped. However, we present a security problem called enumeration attacks against package tracking systems in which attackers can collect customers’ personal data illegally through the systems. We specifically examine the security of the package tracking websites of the top five popular shipping companies (Korea Post, CJ Logistics, Lotte Logistics, Logen, and Hanjin Shipping) in South Korea and found that enumeration attacks can be easily implemented with package tracking numbers or phone numbers. To show potential risks of enumeration attacks on the package tracking system, we automatically collected package tracking records from those websites through our attack tool. We gathered 1,398,112, 2,614,839, 797,676, 1,590,933, and 163,452 package delivery records from the websites of Korea Post, CJ Logistics, Lotte Logistics, Logen and Hanjin Shipping, respectively, during 6 months. Using those records, we uncover 4,420,214 names, 2,527,205 phone numbers, and 4,467,329 addresses. To prevent such enumeration attacks, we also suggest four practical defense approaches.

[1] Hyoungshick Kim,et al. Design and analysis of enumeration attacks on finding friends with phone numbers: A case study with KakaoTalk , 2015, Comput. Secur..

[2] Christopher Krügel,et al. Abusing Social Networks for Automated User Profiling , 2010, RAID.

[3] Ponnurangam Kumaraguru,et al. Exploiting Phone Numbers and Cross-Application Features in Targeted Mobile Attacks , 2016, SPSM@CCS.

[4] Hyoungshick Kim,et al. Hello, Facebook! Here Is the Stalkers' Paradise!: Design and Analysis of Enumeration Attack Using Phone Numbers on Facebook , 2017, ISPEC.

[5] James T. Curran,et al. Fortuna: Cryptographically Secure Pseudo-Random Number Generation In Software And Hardware , 2006 .

[6] Jason Hong,et al. The state of phishing attacks , 2012, Commun. ACM.

[7] John Langford,et al. CAPTCHA: Using Hard AI Problems for Security , 2003, EUROCRYPT.

[8] Edgar R. Weippl,et al. Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications , 2012, NDSS.

[9] Paul C. van Oorschot,et al. Revisiting Defenses against Large-Scale Online Password Guessing Attacks , 2012, IEEE Transactions on Dependable and Secure Computing.

[10] Hyoungshick Kim,et al. I’ve Got Your Packages: Harvesting Customers’ Delivery Order Information using Package Tracking Number Enumeration Attacks , 2020, WWW.