sending out an sms
play

Sending out an SMS : Characterizing the Security of the SMS - PowerPoint PPT Presentation

Dec 15, 2023 •258 likes •404 views

Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways Bradley Reaves , Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, Kevin R. B. Butler Florida Institute of Cyber Security (FICS) SMS Ecosystem Cell

  1. Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways Bradley Reaves , Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, Kevin R. B. Butler Florida Institute of Cyber Security (FICS)

  2. SMS Ecosystem Cell Network Cell Network Key Key Encrypted Encrypted Core Core Core Core Not Encrypted Not Encrypted ESME Over Internet Over Internet Gateway Cloud SMSC SMSC SMSC SMSC Web Services ESME VOIP ESME Gateway Carrier Reseller VOIP OTT Carrier Services ESME Web ESME Reseller Services Reseller SMS is no longer a simple isolated channel It has a broad attack surface What is lost when a part of the ecosystem is compromised? Florida Institute of Cyber Security (FICS) 2

  3. Public Gateway • Data: 380k+ messages collected from 8 public gateways in 28 countries over 14 months • These websites advertise themselves as a way to avoid spam or unwanted callers • We’ll divide our analyses into uses and abuses Florida Institute of Cyber Security (FICS) 3

  4. Ethics The paper features an extensive ethics discussion • The bulk of this data is sent to gateways by institutions, but the data also includes personal messages and PII • This is already public data, and it is clear to users that this data will always be public 
 • We cannot and do not attempt to deanonymize, track, identify, exploit, or otherwise use the personal information of any users and we systematically exclude personal messages Florida Institute of Cyber Security (FICS) 4

  5. OTP / Verification Codes LINE No Leading 0’s First two digits WeChat rand()<<4 mod10000 Talk2 ? Final two digits Florida Institute of Cyber Security (FICS) 5

  6. OTP / Verification Codes Service Uniform? p-value Effect Size (w) Effect? Mean Code Google 7 0.000 0.721 Large 547948 Google 7 0.000 0.793 Large 558380 Instagram 7 0.000 0.622 Large 503172 Instagram 7 0.000 0.574 Large 498365 Instagram 7 0.000 0.600 Large 497936 Jamba 7 0.000 6.009 Large 4719 LINE 7 0.000 0.595 Large 5476 LINE 7 0.000 0.519 Large 5530 LINE 7 0.000 0.530 Large 5442 χ -squared test for Microsoft 7 0.000 2.929 Large 357494 Odnoklassniki 7 0.000 0.675 Large 433997 Origin 7 0.000 0.512 Large 502627 random distribution QQ 7 0.000 0.522 Large 505555 SMSGlobal 7 0.000 0.500 Large 5540 of PINs Talk2 7 0.000 1.327 Large 5732 Telegram 7 0.000 0.478 Medium 54961 Viber 7 0.000 8.138 Large 112075 WeChat 7 0.000 0.664 Large 4989 Alibaba X 0.988 548652 Backslash X 0.325 556223 Baidu X 0.015 505165 BeeTalk X 0.595 544719 Circle X 0.080 506514 Gett X 0.461 5512 Google X 0.917 501623 Hushmail X 0.527 503161 LINE X 0.698 5511 13 Services fail to send a Origin X 0.086 500739 RunAbove X 0.427 494697 random code each message Skout X 0.004 5492 Tuenti X 0.981 5010 Weibo X 0.395 512458 WhatsApp X 0.022 543563 Florida Institute of Cyber Security (FICS) 6

  7. Misuse : PII in SMS Password Resets Usernames and Passwords Names and Addresses Credit Card Numbers All sent over a channel believed to be secure Florida Institute of Cyber Security (FICS) 7

  8. Abuse : Spam and Phishing • ~1% of messages were spam • We identified one long-running SMS phishing campaign • Malicious SMS activity is a real but relatively small phenomenon Fig. 7: The page delivered to the user after following a link Bradley Reaves, Dave Tian, Logan Blue, Patrick Traynor, and Kevin R. B. Butler “Detecting SMS spam in the age of legitimate bulk messaging” to appear at WiSec July 2016 Florida Institute of Cyber Security (FICS) 8

  9. Phone Verified Accounts Florida Institute of Cyber Security (FICS) 9

  10. Abuse : Geo-Fencing • Messages to numbers in countries are often viewed outside of those Number Locations countries . • Shortened URL services provide country-level statistics. URL Clicks Florida Institute for Cyber Security (FICS) 10

  11. Abuse : Phone Verified Accounts • Many of these gateways advertise as a Peak Sharpness means of evading PVA Lifetime Midpoint systems. • Skew and kurtosis calculations show rapid use when numbers are Early Late introduced, followed by Activity Peak rapid decline. Florida Institute for Cyber Security (FICS) 11

  12. 
 Phone Verified Accounts Thomas et al. (CCS ’14) suggested 3 defenses: 1. Have users reverify often • Our numbers have a median life of 20 days 2. Block numbers in low-reputation carriers • Most of our numbers are in reputable carriers 3. Block similar numbers • ~40% of numbers were similar, but only in mobile carriers PVA Evasion is hard to detect or prevent Florida Institute of Cyber Security (FICS) 12

  13. Takeaways • Online gateways give us insight into how SMS is used and abused in the modern SMS ecosystem • Organizations regularly use SMS as a secure channel for sensitive information despite risks of compromise • Gateway data provides insights into spam, phishing, and phone verified account fraud Florida Institute of Cyber Security (FICS) 13

  14. Florida Institute of Cyber Security (FICS) 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sending a Mass Email 4 Keys to Sending a Successful Mailing 1.

Sending a Mass Email 4 Keys to Sending a Successful Mailing 1.

Title Sending a Mass Email 4 Keys to Sending a Successful Mailing 1. Narrow your audience 2. Create a Good Email 3. Test &amp; Send 4. Clean list &amp;

392 views • 21 slides
Experimental Twin-Field Quantum Key Distribution Through Sending-or-Not-Sending Yang Liu Jinan

Experimental Twin-Field Quantum Key Distribution Through Sending-or-Not-Sending Yang Liu Jinan

Experimental Twin-Field Quantum Key Distribution Through Sending-or-Not-Sending Yang Liu Jinan Institute of Quantum Technology (JIQT) University of Science and Technology of China (USTC) QCRYPT 2020 Twin-Field QKD (TF-QKD) Proposed in 2018,

841 views • 45 slides
React Native HTTP/Fetch Sending data 1 Sending data to web server Two methods GET

React Native HTTP/Fetch Sending data 1 Sending data to web server Two methods GET

React Native HTTP/Fetch Sending data 1 Sending data to web server Two methods GET requests include all required data in the URL. POST requests supply additional data from the client (browser) to the server in the message body.

749 views • 20 slides
New CIM00012 germplasm exchange project Five years: 07/2008 to 06/2013 Sending only

New CIM00012 germplasm exchange project Five years: 07/2008 to 06/2013 Sending only

New CIM00012 germplasm exchange project Five years: 07/2008 to 06/2013 Sending only SAWYT and ESWYT candidates to limit numbers Sending breeder selections (one year every two), rotation CIMMYT/ICARDA Still sends ~ 50 primaries

324 views • 11 slides
Network layer transport segment from sending to receiving host application on sending side

Network layer transport segment from sending to receiving host application on sending side

Network layer transport segment from sending to receiving host application on sending side encapsulates transport network segments into datagrams data link network physical network data link network on rcving side, delivers

371 views • 7 slides
ABU Dhabi Dialogue among the Asian Labour Sending and

ABU Dhabi Dialogue among the Asian Labour Sending and

ABU Dhabi Dialogue among the Asian Labour Sending and Receiving Countries The document is a flow chart of the presentation on Recruitment, which

1.08k views • 14 slides
Migration Control General Theme Migration control policies often depend on perceptions of

Migration Control General Theme Migration control policies often depend on perceptions of

Migration Control General Theme Migration control policies often depend on perceptions of migrants rather than empirical data When Mexico sends its people, theyre not sending their best. Theyre not sending you. Theyre not sending

472 views • 20 slides
MBA Who and what is Navitas? Navitas has over 30 yeas of experience sending international

MBA Who and what is Navitas? Navitas has over 30 yeas of experience sending international

MBA Who and what is Navitas? Navitas has over 30 yeas of experience sending international students form numerous countries around the world to attend top quality institutions. Navitas is considered a leading global education provider that

659 views • 19 slides
Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$

Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$

Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$ Cant$hear$each$other$(to$coordinate)$yet$collide$at$B$ We$want$to$avoid$the$inefficiency$of$collisions $ CSE$461$University$of$Washington$ 53$

463 views • 31 slides
CRYPTOGRAPHY What is Cryptography? Sending/receiving information privately Changing around

CRYPTOGRAPHY What is Cryptography? Sending/receiving information privately Changing around

CRYPTOGRAPHY What is Cryptography? Sending/receiving information privately Changing around a message so that no one else can understand it except for you and your recipient Keep personal info and sensitive data safe History First

561 views • 27 slides
Popular Communication Operations - One-one sending/one-all broadcasting - All-all broadcasting P

Popular Communication Operations - One-one sending/one-all broadcasting - All-all broadcasting P

CS140, 2014 II-1 Popular Communication Operations - One-one sending/one-all broadcasting - All-all broadcasting P 0 P 1 P 2 P 0 P 2 P 1 - Accumulation (or gather) P 0 . . . P 2 P n P 1 - Reduction I nitially : V 0 V 1 . . . V p

385 views • 6 slides
Sending balls instead of cows: Sport as a form of development aid. What I intend to do in this

Sending balls instead of cows: Sport as a form of development aid. What I intend to do in this

Paper presented at the Annual Meeting of the British (European) Philosophy of Sport Association, 2008. Emily Ryall, University of Gloucestershire, UK. Sending balls instead of cows: Sport as a form of development aid. What I intend to do in

398 views • 11 slides
Cast of Characters Alice and Bob Applied Cryptography Week 1 Alice and Bob are always sending

Cast of Characters Alice and Bob Applied Cryptography Week 1 Alice and Bob are always sending

Cast of Characters Alice and Bob Applied Cryptography Week 1 Alice and Bob are always sending secret messages to Basic Tools and Protocols each other. Eve Frank Beatrous Eve is always listening in (Eavesdropping) on Alices and Bobs

245 views • 7 slides
Blockchain Laurent Haug laurent.haug@gmail.com I need Sent! Sending money. Thank you! some

Blockchain Laurent Haug laurent.haug@gmail.com I need Sent! Sending money. Thank you! some

Blockchain Laurent Haug laurent.haug@gmail.com I need Sent! Sending money. Thank you! some now Adapted from https://thenextweb.com/contributors/2017/11/01/ultimate-3500-word-plain-english-guide-blockchain/ Is there a way to maintain the

753 views • 17 slides
IPJukebox A New Way for Sending Spending and Saving Money New Jersey IPJukebox Executive Team

IPJukebox A New Way for Sending Spending and Saving Money New Jersey IPJukebox Executive Team

IPJukebox A New Way for Sending Spending and Saving Money New Jersey IPJukebox Executive Team Ed Konchalski CEO/Founder Connecting people, places and things; building networks businesses can bank on for over 35 years Anna Monteiro Jon

746 views • 15 slides
Automatic Job Submission Simon Albright Three classes: SSHConnection Handles sending and

Automatic Job Submission Simon Albright Three classes: SSHConnection Handles sending and

Automatic Job Submission Simon Albright Three classes: SSHConnection Handles sending and receiving data, monitoring job status etc Remote_Optimise Handles itteration over variables, manipulation of .py scripts etc

238 views • 7 slides
AGENCY SAFETY PLAN PRESENTATION TO GCTD BOARD OF DIRECTORS June 3, 2020 PUBLIC TRANSPORTATION

AGENCY SAFETY PLAN PRESENTATION TO GCTD BOARD OF DIRECTORS June 3, 2020 PUBLIC TRANSPORTATION

AGENCY SAFETY PLAN PRESENTATION TO GCTD BOARD OF DIRECTORS June 3, 2020 PUBLIC TRANSPORTATION AGENCY SAFETY PLAN FOR BUS TRANSIT Roles and Responsibilities: Organizational Chart Champion for safety and Steven P. Brown TBD GM Accountable

617 views • 15 slides
THE RCS BUSINESS OPPORTUNITY CATHERINE MAGUIRE, OPERATOR ENGAGEMENT MANAGER - GSMA GSMA

THE RCS BUSINESS OPPORTUNITY CATHERINE MAGUIRE, OPERATOR ENGAGEMENT MANAGER - GSMA GSMA

THE RCS BUSINESS OPPORTUNITY CATHERINE MAGUIRE, OPERATOR ENGAGEMENT MANAGER - GSMA GSMA Antitrust Policy Anti-trust law prohibits agreements (written or implicit) between competitors which may negatively impact consumers or

1.09k views • 13 slides
FTA Safety Program: Rulemaking Update and Transit Agency SMS Implementation February 27, 2017

FTA Safety Program: Rulemaking Update and Transit Agency SMS Implementation February 27, 2017

FTA Safety Program: Rulemaking Update and Transit Agency SMS Implementation February 27, 2017 Candace Key Attorney Acting Director, Office of System Safety Overview Safety Rules Implementing a Safety Management System FTA Safety

715 views • 28 slides
Mobile Web Survey Design: Scrolling versus Paging, SMS versus E-mail Invitations DC-AAPOR &amp;

Mobile Web Survey Design: Scrolling versus Paging, SMS versus E-mail Invitations DC-AAPOR &amp;

Mobile Web Survey Design: Scrolling versus Paging, SMS versus E-mail Invitations DC-AAPOR &amp; WSS Summer Conference Preview/Review 2014 Aigul Mavletova, NRU Higher School of Economics, Russia Mick P. Couper, Survey Research Center, University

569 views • 27 slides
Workshop Forecast Presented by APRAST Co-Chairs APRAST/8 Aim of Workshop Forecast APRAST

Workshop Forecast Presented by APRAST Co-Chairs APRAST/8 Aim of Workshop Forecast APRAST

International Civil Aviation Organization WP/13 Agenda Item 5 Workshop Forecast Presented by APRAST Co-Chairs APRAST/8 Aim of Workshop Forecast APRAST Co-Chairs propose a forecast of workshops for the next three years, which is developed

181 views • 6 slides
Evolutionary Search Knowledge Reservoir Set of possible solutions Gleaning a reservoir of

Evolutionary Search Knowledge Reservoir Set of possible solutions Gleaning a reservoir of

global maximum local maxima local maxima Evolutionary Search Knowledge Reservoir Set of possible solutions Gleaning a reservoir of knowledge om interactions ith the environment. Selection Fitness dependent number of o

483 views • 8 slides
Matsya Systems Next generation Underwater Ship Hull Cleaning Customer Pain Points Biofouling

Matsya Systems Next generation Underwater Ship Hull Cleaning Customer Pain Points Biofouling

Matsya Systems Next generation Underwater Ship Hull Cleaning Customer Pain Points Biofouling occurs on ships, despite advances like anti-biofouling paint Causes increase in fuel consumption by 5-10% (mild growth) 10-25% (within 4-6 months)

1.19k views • 63 slides
D Answer Answer D .003 m/s D .003 m/s [This object is a pull tab] Slide 4 / 38 Slide 4

D Answer Answer D .003 m/s D .003 m/s [This object is a pull tab] Slide 4 / 38 Slide 4

Slide 1 / 38 Slide 2 / 38 New Jersey Center for Teaching and Learning Progressive Science Initiative Forces &amp; Motion This material is made freely available at www.njctl.org and is intended for the non-commercial use of students and

494 views • 13 slides

More recommend