SMS Goes Nuclear: Fortifying SMS-Based MFA in Online Account Ecosystem
Weizhao Jin, Xiaoyu Ji, Ruiwen He, Zhou Zhuang, Wenyuan Xu, Yuan Tian

TL;DR
This paper uncovers vulnerabilities in SMS-based multi-factor authentication within the online account ecosystem, demonstrating how dependencies can lead to widespread account compromises, and proposes a systematic detection and mitigation approach.
Contribution
It introduces ActFort, a novel system for detecting vulnerabilities in online account dependencies and proposes countermeasures to strengthen SMS-based MFA security.
Findings
Identified systemic vulnerabilities in SMS-based MFA
Demonstrated the feasibility of Chain Reaction Attacks
Proposed effective countermeasures for ecosystem security
Abstract
With the rapid growth of online services, the number of online accounts proliferates. The security of a single user account no longer depends merely on its own service provider but also the accounts on other service platforms (We refer to this online account environment as Online Account Ecosystem). In this paper, we first uncover the vulnerability of Online Account Ecosystem, which stems from the defective multi-factor authentication (MFA), specifically the ones with SMS-based verification, and dependencies among accounts on different platforms. We propose Chain Reaction Attack that exploits the weakest point in Online Account Ecosystem and can ultimately compromise the most secure platform. Furthermore, we design and implement ActFort, a systematic approach to detect the vulnerability of Online Account Ecosystem by analyzing the authentication credential factors and sensitive personal…
Taxonomy
Topics: User Authentication and Security Systems · Spam and Phishing Detection · Advanced Malware Detection Techniques
