Telephones remain a trusted platform for bootstrapping and conducting some of our most sensitive exchanges. From banking to taxes, wide swathes of industry and government rely on telephony as a secure fall-back when attempting to confirm the veracity of a transaction. In spite of this, authentication is poorly managed between disparate telephony systems, and in the general case it is impossible to be certain of the identity of the entity at the other end of a call. In this talk, we will investigate the rise of three classes of attacks that are the direct result of such poorly placed trust. I begin with an investigation of the ways in which phone numbers are being used as strong authenticators for Internet-based systems (i.e., phone verified account fraud). I will then discuss how associating call origins with specific users is difficult even for providers (i.e., simboxing). Lastly, I show how the lack of secure metadata leads to attacks on users (i.e., Caller-ID spoofing). We discuss how our research group is attempting to solve each of these problems, and the challenges that remain ahead.
Patrick Traynor is an Associate Professor in the Department of Computer and Information Science and Engineering (CISE) at the University of Florida. His research focuses on the security of mobile systems, with a concentration on telecommunications infrastructure and mobile devices. His research has uncovered critical vulnerabilities in cellular networks, made the first characterization of mobile malware in provider networks and offers a robust approach to detecting and combatting Caller-ID scams. He is also interested in Internet security and the systems challenges of applied cryptography. He received a CAREER Award from the National Science Foundation in 2010 and was named a Sloan Fellow in 2014.
Professor Traynor earned his Ph.D. and M.S. in Computer Science and Engineering from the Pennsylvania State University in 2008 and 2004, respectively, and my B.S. in Computer Science from the University of Richmond in 2002. After promotion and tenure in the School of Computer Science at Georgia Tech, he joined the University of Florida in 2014 as part of the UFRising Preeminence Hiring Program. He is the co-director of the Florida Institute for Cybersecurity (FICS) and am also a co-founder of Pindrop Security.