Fortifying SMS-Based MFA in Online Account Ecosystem

SMS Goes Nuclear: Fortifying SMS-Based MFA in Online Account Ecosystem

Weizhao Jin∗§, Xiaoyu Ji∗§, Ruiwen He∗, Zhou Zhuang∗, Wenyuan Xu∗ and Yuan Tian†
∗Zhejiang University, †University of Virginia, §Co-first authors
Email: [email protected], {xji,rwhe97,zhuangzhou,[email protected]}, [email protected]

arXiv:2104.08651v2 [cs.CR] 19 Jul 2021

Abstract—With the rapid growth of online services, the number of online accounts proliferates. The security of a single user account no longer depends merely on its own service provider but also on the accounts on other service platforms (we refer to this online account environment as the Online Account Ecosystem). In this paper, we first uncover the vulnerability of the Online Account Ecosystem, which stems from defective multi-factor authentication (MFA), specifically the variants with SMS-based verification, and from dependencies among accounts on different platforms. We propose the Chain Reaction Attack, which exploits the weakest point in the Online Account Ecosystem and can ultimately compromise the most secure platform. Furthermore, we design and implement ActFort, a systematic approach to detect the vulnerability of the Online Account Ecosystem by analyzing the authentication credential factors and sensitive personal information as well as evaluating the dependency relationships among online accounts. We evaluate our system on hundreds of representative online services listed in Alexa in diversified fields. Based on the analysis from ActFort, we provide several pragmatic insights into the current Online Account Ecosystem and propose several feasible countermeasures, including an exposed-information protection mechanism for online accounts and built-in authentication, to fortify the security of the Online Account Ecosystem.

[Figure 1 (labels: Direct Attack Unsuccessfully, Missing Key Info, Weak Websites, Attack Successfully, Obtain Key Info, Supply). Fig. 1. Potential Online Account Ecosystem Vulnerability]

I. INTRODUCTION

With the rich information and functionalities associated with online accounts, the security of online accounts is increasingly critical. Recently, several appalling user privacy scandals and severe data breach incidents [1], [2] associated with online accounts have been covered by the media. The Multi-factor Authentication (MFA) [3] proposed for strengthening an individual account seems like a viable solution. However, this solution is still far from being solid protection because it is limited to a single account of a single service. The common wisdom has yet to realize that the different online accounts of one single user are highly coupled with each other. This could potentially form a fragile Online Account Ecosystem. The bottleneck of the security of the ecosystem resides at the weakest nodes within it, which can be characterized as lacking secure authentication steps and exposing much sensitive personal information. In practice, there is one factor that exposes this vulnerability the most, namely the notoriously insecure SMS-based authentication [4].

Although the SMS-based Authentication Code (SMS Code) simplifies the authentication procedure and frees users from forgetting passwords, it may lead to a fatal threat to account security and user privacy, which has been studied by many researchers. Several attacks have been conducted to steal the SMS Code from cellphones directly via cellphone trojans [5] and phishing links [6]. Moreover, some research shows that the communication between smartphones and base stations can be eavesdropped and decrypted using protocol weaknesses [7]–[9]. On the basis of the previous research, in our Chain Reaction Attack we implemented the passive SMS Code sniffing attack and the more covert active SMS Code MitM attack to show the vulnerability of SMS-based authentication. Fig. 1 illustrates the scenario in which attackers may fail to intrude into a highly secure online payment platform directly but will succeed indirectly by hacking other less secure online accounts and collecting personal information from them to eventually gain access to the online payment platform.

In this paper, we first leverage the main vulnerabilities of the Online Account Ecosystem and demonstrate Chain Reaction Attacks on several real online payment platforms. Then, we design and implement ActFort, a systematic framework to formulate and analyze the vulnerabilities of the Online Account Ecosystem regarding account dependency. By analyzing hundreds of mainstream websites, we summarize some important insights into the current Online Account Ecosystem. We summarize our contributions as follows:

• We uncovered the essential security problem of the Online Account Ecosystem, which stems from insecure SMS-based authentication and the interconnected dependencies of online accounts.
• We provided a novel perspective on online account security: the security of one single service depends on the ecosystem and its "neighbours". This perspective can be extended to other attack surfaces beyond the SMS Code.
• We proposed and evaluated ActFort on hundreds of representative online services and demonstrated the Chain Reaction Attack on real online accounts.
• We provided some insights into the whole ecosystem based on the measurement results.

Ethics. Throughout this study, we have ensured that all of our experiments meet community ethical standards. First, we performed the attack experiments carefully and did not affect any other users. We only used our own cellphones and Internet accounts as targets. Second, we did not collect or obtain the personal information of any users; our small set of users only provided us with their cellphone numbers. Our attacks did not interact with their accounts in any way that would reveal any additional information about them.

II. THREAT OVERVIEW

Most online account services adopt the SMS Code as one of the credential factors in their login or password reset step for two reasons: accessibility [10], [11] and convenience [12], [13]. In practice, SMS-based authentication can be mainly divided into 2 types: the SMS Code only, or the SMS Code with other credential factors (e.g. legal name and citizen ID). Unfortunately, according to our research, both authentication methods are unsafe under certain circumstances. The fundamental cause of the loophole is the reciprocal transformation of sensitive personal information and authentication credential factors among various accounts. It is worth noting that although we use the SMS Code as our initial attack surface here, our attack can easily be extended to other factors as the major vulnerable point, such as email authentication codes. The key idea of our work is to investigate account vulnerability introduced by dependencies among accounts on different platforms.

Chain Reaction Attack. As described in the previous section, online accounts are still vulnerable to attacks even with a secure setup of multi-factor authentication. The Chain Reaction Attack is an attack strategy that exploits the dependency among accounts from different online services and leverages the credentials and account personal information to conduct a series of attacks. It achieves the ultimate goal of attacking a highly secure account by compromising less secure service accounts first, collecting information in those accounts, and utilizing the information gathered as credentials to take control of subsequent accounts. The real-world Chain Reaction Attacks will be demonstrated in Chapter V.

The goal of the attacker is to gain control of victims' accounts. We categorized our attacks into two:

• Random Attack. The attacker aims to attack arbitrary victims nearby and has no knowledge about the victims in advance. In practice, the attack can be conducted in airports or railway stations, which have a large flow of people and make it easy for the attacker to hide and escape.
• Targeted Attack. The attacker aims to attack a target victim and has some knowledge about the victim in advance (e.g. the home address and the cellphone number).

In our threat model, the attacker has no access to the internal software/hardware of the victim's cellphone or computer. In addition, we assume the attacker can stay in the same cell in the communication network. The scope of the attack is limited to scenarios where the attacker is near the victim (within a distance of hundreds of meters) because the attacker needs to either intercept the SMS Code in the same cell or hijack the victim's cellphone to complete a MitM attack. Although the attacker can remotely conduct phishing attacks to lure victims into giving away SMS Codes using social engineering methods like phishing emails, this type of attack is less stealthy and requires the victims' response.

III. SYSTEM DESIGN

A. System Overview

In this part, we illustrate the design and implementation of ActFort in detail. To better analyze dependency vulnerabilities in the Online Account Ecosystem and explore feasible Chain Reaction Attacks, we have designed and implemented ActFort, a systematic approach to examine the potential risks of online accounts as well as to generate the transformation dependency graphs of current online services. The flowchart of ActFort is mainly simplified into the Authentication Process, Personal Information Collection, Dependency Graph Generation and Strategy Output.

The Authentication Process is designed for examining the registration requirements and conditions, analyzing the needed credential factors, excavating the vulnerable password reset path and determining the binding relationship for authentication.
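The dependency-graph idea behind the Chain Reaction Attack and ActFort's Dependency Graph Generation / Strategy Output can be modelled as a fixed-point computation over accounts, their accepted credential-factor sets and the information they expose. The following is an added illustration, not ActFort's code; the service names, factors and exposed fields are a constructed sample, and the initial foothold (phone number plus intercepted SMS Code) mirrors the threat model above. It goes slightly beyond the text by also computing, from the defender's side, which services are critical cut points on every chain to a high-value account.

```python
# Constructed sample ecosystem (illustrative, not ActFort's data). Each service
# lists the credential-factor sets that suffice for login or password reset
# (any one set is enough) and the personal information an authenticated
# session exposes. INITIAL is the paper's threat model: the attacker holds only
# the victim's phone number and SMS Codes intercepted in the same cell.
SERVICES = {
    "forum":      {"auth": [{"phone", "sms_code"}],
                   "exposes": {"full_name", "email"}},
    "social":     {"auth": [{"phone", "sms_code"}],
                   "exposes": {"full_name"}},
    "shopping":   {"auth": [{"phone", "sms_code"}, {"email", "password"}],
                   "exposes": {"home_address"}},
    "gov_portal": {"auth": [{"phone", "sms_code", "home_address"}],
                   "exposes": {"citizen_id"}},
    "payment":    {"auth": [{"phone", "sms_code", "full_name", "citizen_id"}],
                   "exposes": set()},
}
INITIAL = {"phone", "sms_code"}


def chain_reaction(services, initial):
    """Fixed-point propagation: an account falls once any of its credential
    sets is covered by the information already known; its exposed fields
    then join the pool. Returns (compromise order, final information pool)."""
    known, order = set(initial), []
    changed = True
    while changed:
        changed = False
        for name, svc in services.items():
            if name in order:
                continue
            if any(req <= known for req in svc["auth"]):
                order.append(name)
                known |= svc["exposes"]
                changed = True
    return order, known


def critical_services(services, initial, target):
    """Defender's view (the 'strategy output' of the dependency graph):
    services which, if hardened so they no longer fall (extra factor, or
    the exposed field protected), cut every chain leading to `target`."""
    critical = []
    for name in services:
        if name == target:
            continue
        remaining = {k: v for k, v in services.items() if k != name}
        if target not in chain_reaction(remaining, initial)[0]:
            critical.append(name)
    return critical
```

With the sample data, "payment" falls only after "shopping" (home address) and "gov_portal" (citizen ID) have fallen, so those two are the critical nodes, while "forum" and "social" are interchangeable sources of the full name.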

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    11 Page
