Design and Evaluation of Enumeration Attacks on Package Tracking Systems

Abstract

Most shipping companies provide a package tracking system where customers can easily track their package delivery status when the package is being shipped. However, we present a security problem called enumeration attacks against package tracking systems in which attackers can collect customers’ personal data illegally through the systems. We specifically examine the security of the package tracking websites of the top five popular shipping companies (Korea Post, CJ Logistics, Lotte Logistics, Logen, and Hanjin Shipping) in South Korea and found that enumeration attacks can be easily implemented with package tracking numbers or phone numbers. To show potential risks of enumeration attacks on the package tracking system, we automatically collected package tracking records from those websites through our attack tool. We gathered 1,398,112, 2,614,839, 797,676, 1,590,933, and 163,452 package delivery records from the websites of Korea Post, CJ Logistics, Lotte Logistics, Logen and Hanjin Shipping, respectively, during 6 months. Using those records, we uncover 4,420,214 names, 2,527,205 phone numbers, and 4,467,329 addresses. To prevent such enumeration attacks, we also suggest four practical defense approaches. © 2020, Springer Nature Switzerland AG.