SMS Goes Nuclear: Fortifying SMS-Based MFA in Online Account Ecosystem. (arXiv:2104.08651v2 [cs.CR] UPDATED)

With the rapid growth of online services, the number of online accounts
proliferates. The security of a single user account no longer depends merely on
its own service provider but also on the accounts on other service platforms (we
refer to this online account environment as the Online Account Ecosystem). In this
paper, we first uncover the vulnerability of the Online Account Ecosystem, which
stems from defective multi-factor authentication (MFA), specifically MFA that
relies on SMS-based verification, combined with dependencies among accounts on
different platforms. We propose the Chain Reaction Attack, which exploits the
weakest point in the Online Account Ecosystem and can ultimately compromise the
most secure platform. Furthermore, we design and implement ActFort, a systematic
approach to detecting this vulnerability in the Online Account Ecosystem by
analyzing the authentication credential factors and sensitive personal
information of each service and evaluating the dependency relationships among
online accounts. We evaluate our system on hundreds of representative online
services from diverse fields listed by Alexa. Based on the analysis from ActFort,
we provide several pragmatic insights into the current Online Account Ecosystem
and propose several feasible countermeasures, including a protection mechanism
for the information that online accounts expose and built-in authentication, to
fortify the security of the Online Account Ecosystem.
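The dependency analysis the abstract describes can be illustrated with a small graph model. The following Python is an added example, not the paper's ActFort implementation (whose data model the abstract does not give): the accounts, credential factors and recovery paths are constructed, and an account is treated as compromised once every factor of any one of its login or recovery paths is held.

```python
import copy

# Constructed ecosystem (hypothetical, not data from the paper). Each account lists
# the factor sets ("paths") that suffice to take it over, and the factors that
# control of the account in turn provides (a carrier account gives SMS receipt,
# a webmail account gives email receipt). The bank enforces password + SMS MFA,
# but its recovery path depends on webmail, whose recovery is SMS-only.
ECOSYSTEM = {
    "carrier": {"paths": [{"pw_carrier"}, {"ssn_last4", "dob"}], "provides": {"sms"}},
    "webmail": {"paths": [{"pw_webmail", "sms"}, {"sms"}], "provides": {"email"}},
    "bank":    {"paths": [{"pw_bank", "sms"}, {"email", "sms"}], "provides": set()},
    "social":  {"paths": [{"email"}], "provides": set()},
}


def compromised_accounts(ecosystem, initial_factors):
    """Fixed-point propagation: return every account that falls if an adversary
    starts out holding `initial_factors` (the chain reaction)."""
    held, fallen, changed = set(initial_factors), set(), True
    while changed:
        changed = False
        for name, acct in ecosystem.items():
            if name not in fallen and any(path <= held for path in acct["paths"]):
                fallen.add(name)
                held |= acct["provides"]  # a fallen account yields new factors
                changed = True
    return fallen


def single_factor_blast_radius(ecosystem):
    """For every factor in the ecosystem, the accounts lost if that factor alone leaks."""
    factors = set().union(*(p for a in ecosystem.values() for p in a["paths"]))
    return {f: compromised_accounts(ecosystem, {f}) for f in sorted(factors)}


def weakest_factor(ecosystem):
    """The single factor whose loss cascades to the most accounts (ties by name)."""
    radius = single_factor_blast_radius(ecosystem)
    return min(radius, key=lambda f: (-len(radius[f]), f))


def without_sms_only_recovery(ecosystem):
    """Countermeasure: drop any recovery path that relies on the SMS factor alone."""
    hardened = copy.deepcopy(ecosystem)
    for acct in hardened.values():
        acct["paths"] = [p for p in acct["paths"] if p != {"sms"}]
    return hardened
```

In the constructed ecosystem, losing the SMS factor alone cascades from webmail to the bank and the social account, while removing the SMS-only recovery path stops the chain; the carrier password is the single factor with the largest blast radius because it is the root of SMS delivery.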