Characterizing the Security Threats of Disposable Phone Numbers


Abstract. Many organizations require users to provide a phone number for verification when registering an account. At the same time, because of the convenience and security of SMS-based two-factor authentication, many organizations adopt this method to let users log in to their accounts. On the other hand, many web service platforms provide large numbers of disposable phone numbers for receiving SMS messages. The original intention of these platforms is to provide user privacy protection services; however, little is known about the threat that this service poses to organizations' security. In this paper, we collected data from 9 high-traffic disposable phone platforms in China. These data include 4,669 phone numbers and 30 million messages. The phone numbers come from 44 countries, and most of the phone number carriers are mobile virtual network operators in China. To the best of our knowledge, this is the first paper that discloses OTA (Online Travel Agency) accounts registered with disposable phone numbers, which would leak a large amount of passenger information. Furthermore, we discovered that cybercriminals use temporary OTA accounts to carry out airline seat spinning attacks. Among the organizations we surveyed, only 47% of the organizations' security mechanisms can detect accounts registered with disposable numbers. Our findings indicate that disposable phone numbers pose potential threats to cybersecurity, and new solutions are needed to address the threat.

Keywords: Disposable phone number · Privacy leak · Airline seat spinning attack

1 Introduction

This work is supported by National Major Science and Technology Projects of China (Grant No. 2018YFB1800202, 2017YFB0803001, 2018YFB0804703) and National Natural Science Foundation of China (Grant No. 61571144, U1836117).

© Springer Nature Singapore Pte Ltd. 2020. Y. Cheng et al. In: G. Xu et al. (Eds.): FCS 2020, CCIS 1286, pp. 491–507, 2020. https://doi.org/10.1007/978-981-15-9739-8_37

SMS (short message service) is a text messaging service component of most telephone, Internet, and mobile device systems [1]. SMS-based two-factor authentication (2FA) is a security verification procedure that is triggered when a user logs in to a website, software or application. Although SMS-based 2FA suffers from some security concerns, it is still adopted by many organizations because it is convenient for users to log in to their accounts. At the same time, people are often required to provide phone numbers for identity verification when registering accounts. Data security and privacy leaks occur every year, such as the Facebook security breach that exposed the accounts of 50 million users [2]. These cases lead people to pay more attention to personal account security and privacy protection. Meanwhile, there are many free SMS service platforms on the Internet. These platforms provide people with phone numbers that can receive SMS messages. These phone numbers are called temporary phone numbers, or disposable phone numbers. People do not need a mobile phone;