by alipitch 1478 days ago
For all five classes of attacks, the paper states that the root cause & mitigation is "Strict Identifier Verification".

  6.2 Root Cause & Mitigation
  6.2.1 Strict Identifier Verification
  The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier.

"Strict Identifier Verification" looks kind of like CWE-304.

CWE-304: Missing Critical Step in Authentication <https://cwe.mitre.org/data/definitions/304.html>

Looking at the CWE-304 wording, this does not look like the right CWE, but OWASP ASVS 2.2.2 points to this CWE.

OWASP ASVS 2.2.2 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>

  2.2.2
  Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise.
  CWE-304