Two-step verification is often lauded as one of the most effective security tactics online service providers use to protect their users’ identities when passwords are forgotten. The process is simple really—click “forgot password,” or sign on from an unfamiliar IP address, and the site sends an SMS text message to the phone number registered on the account containing a verification code that resets the password or permits a safe log-in.
Two-step verification cannot ordinarily be cracked without malicious actors working behind the scenes in both channels, one influencing the one-time passcode generation and the other manipulating the channel through which it is received. But now one team has figured out a much more practical way of doing so: social engineering.
Nasir Memon, Professor of Computer Science and Engineering at the New York University Tandon School of Engineering, and doctoral students Hossein Siadati and Toan Nguyen, demonstrated that the best way to trick users into sharing their verification code is to simply ask them.
The team tested their theory by creating a scenario in which a hacker, possessing only the target’s phone number, attempts to log into a user’s account and claims to have forgotten the password, thereby triggering the two-factor SMS text. Ordinarily, people receiving the text would dismiss it if they did not trigger the verification, but the team discovered that if the hacker immediately followed up with a separate text asking the users “to confirm that the phone is linked to the online account” by forwarding the verification link, then 25 percent of users would fall for it.
Their findings were presented at the International Conference on Password Security at the University of Cambridge in December 2015. The team followed up with the 20 mobile phone users tested in the initial batch to understand how they perceived the attack and why they forwarded the verification code. It emerged that the sample group did not assume that two-step verification could be compromised, nor did they notice that the two SMS messages came from different sources. They also said that they often check their email from public computers in libraries or labs, so verification requests are such a common part of their usual online use that they didn’t think twice about verifying their identity.
Even if the attack were run on a larger scale and the odds were less favorable than one in four, say one in fifty, a significant number of people would still be affected. Dubbed the “Verification Code Forwarding Attack,” the ease with which such a tech-savvy group as the one studied was misdirected inspired Memon and his team to study this kind of social engineering further.
“Because this kind of attack doesn't require victims to click phishing links or enter sensitive information, like an account or Social Security number, it's easy to understand how it could be very effective,” said Memon. “Users are only being asked to forward a random string of numbers that have no real meaning.” Nor is it easy for recipients to confirm the source of the message and judge its authenticity.
In that case, are there any possible solutions? Yes, suggests Memon, explaining that businesses and online service providers may be able to stave off some attacks if they append to each SMS text a warning about forwarding verification codes, and if the phone numbers each business uses become standardized.
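The two mitigations Memon suggests, a standardized sender identity and a do-not-forward warning in every verification text, are straightforward to build into the service that issues the codes. The following Python example is an added illustration and is not code from the researchers or from any service provider. The sender ID `EXAMPLECO`, the warning wording, the five-minute lifetime and the `OtpService` class are all assumptions; the point is that the warning travels with every code, the code is generated from a cryptographic source, and each code is single-use and expires, so a forwarded code has a short window of usefulness.

```python
import hmac
import secrets
import time

# Constructed values (assumptions for this example, not from the article).
SENDER_ID = "EXAMPLECO"  # one standardized sender identity for every verification text
WARNING = (
    "Never forward or share this code. "
    f"{SENDER_ID} will never ask you to send it by text."
)


class OtpService:
    """Issues and verifies SMS verification codes with a forwarding warning."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable clock so expiry can be tested offline
        self._pending = {}          # phone number -> (code, expiry timestamp)

    def issue(self, phone):
        """Generate a fresh 6-digit code and build the outgoing SMS for it."""
        code = f"{secrets.randbelow(10**6):06d}"   # cryptographically random, zero-padded
        self._pending[phone] = (code, self.clock() + self.ttl)
        body = f"{code} is your {SENDER_ID} verification code. {WARNING}"
        # Every message carries the same sender ID and the same warning.
        return {"from": SENDER_ID, "to": phone, "body": body}

    def verify(self, phone, submitted):
        """Accept a code only once, only before it expires, using a constant-time compare."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code, expires_at = entry
        if self.clock() > expires_at:
            del self._pending[phone]           # stale code is discarded, never accepted
            return False
        ok = hmac.compare_digest(code, submitted)
        if ok:
            del self._pending[phone]           # single use: a replayed code is rejected
        return ok


def message_has_warning(sms):
    """Check that an outgoing verification text carries the standard sender ID and warning."""
    return sms.get("from") == SENDER_ID and WARNING in sms.get("body", "")


if __name__ == "__main__":
    svc = OtpService()
    sms = svc.issue("+15550000000")   # constructed phone number
    print(sms["body"])
    print("warning present:", message_has_warning(sms))
```

`message_has_warning` is the kind of check worth wiring into tests of the messaging templates, so that a later edit cannot silently drop the warning from the text users receive.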
Source: Phys.org