Mind Your SMSes: Mitigating Social Engineering in Second Factor Authentication

  • Hossein Siadati
  • Toan Nguyen
  • Payas Gupta
  • Markus Jakobsson
  • Nasir Memon


SMS-based second factor authentication is a cornerstone for many service providers, ranging from email service providers and social networks to financial institutions and online marketplaces. Attackers have not been slow to capitalize on the vulnerabilities of this mechanism by using social engineering techniques to coerce users to forward authentication codes. We demonstrate one social engineering attack for which we experimentally obtained a 50% success rate against Google’s SMS-based authentication. At the heart of the problem is the messaging associated with the authentication code, and how this must not have been developed with security against social engineering in mind. Pursuing a top-down methodology, we generate alternative messages and experimentally test these against an array of social engineering attempts. Our most robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google’s standard second factor verification code messages.


  1. 1.
    S. Abraham, I. Chengalur-Smith, An overview of social engineering malware: trends, tactics, and implications. Technol. Soc. 32(3), 183–196 (2010)CrossRefGoogle Scholar
  2. 2.
    Z. Ahmadian, S. Salimi, A. Salahi, New attacks on UMTS network access, in Wireless Telecommunications Symposium, 2009. WTS 2009 (IEEE, Piscataway, 2009), pp. 1–6Google Scholar
  3. 3.
    D. Akhawe, A.P. Felt, Alice in Warningland: a large-scale field study of browser security warning effectiveness, in Usenix Security (2013), pp. 257–272Google Scholar
  4. 4.
    H. Almuhimedi, A.P. Felt, R.W. Reeder, S. Consolvo, Your reputation precedes you: history, reputation, and the chrome malware warning, in Proceedings of the Symposium on Usable Privacy and Security, SOUPS (2014), pp. 113–128Google Scholar
  5. 5.
    M. Balduzzi, P. Gupta, L. Gu, D. Gao, M. Ahamad, Mobipot: understanding mobile telephony threats with honeycards, in Proceedings of the 11th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS ’16, New York (2016) ACM.Google Scholar
  6. 6.
    E. Barkan, E. Biham, N. Keller, Instant ciphertext-only cryptanalysis of GSM encrypted communication. J. Cryptol. 21(3), 392–429 (2008)MathSciNetCrossRefGoogle Scholar
  7. 7.
    A. Biryukov, A. Shamir, D. Wagner, Real time cryptanalysis of A5/1 on a PC, in Fast Software Encryption (Springer, Berlin, 2000), pp. 1–18zbMATHGoogle Scholar
  8. 8.
    C. Bravo-Lillo, L. Cranor, S. Komanduri, S. Schechter, M. Sleeper, Harder to ignore? Revisiting pop-up fatigue and approaches to prevent it, in Tenth Symposium on Usable Privacy and Security (SOUPS 2014) (2014), pp. 105–111Google Scholar
  9. 9.
    C. Bravo-Lillo, S. Komanduri, L.F. Cranor, R.W. Reeder, M. Sleeper, J. Downs, S. Schechter, Your attention please: designing security-decision UIS to make genuine risks harder to ignore, in Proceedings of the Ninth Symposium on Usable Privacy and Security (ACM, New York, 2013), p. 6Google Scholar
  10. 10.
    R.B. Cialdini, The Psychology of Persuasion (Quill William Morrow, New York, 1984)Google Scholar
  11. 11.
  12. 12.
    A. Dabrowski, N. Pianta, T. Klepp, M. Mulazzani, E. Weippl, IMSI-catch me if you can: IMSI-catcher-catchers, In Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC’14 (ACM, New York, 2014), pp. 246–255Google Scholar
  13. 13.
    A. Dmitrienko, C. Liebchen, C. Rossow, A.-R. Sadeghi, On the (in) security of mobile two-factor authentication, In Financial Cryptography and Data Security (Springer, Berlin, 2014), pp. 365–383Google Scholar
  14. 14.
    O. Dunkelman, N. Keller, A. Shamir, A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. J. Cryptol. 27(4), 824–849 (2014)MathSciNetCrossRefGoogle Scholar
  15. 15.
    S. Egelman, L.F. Cranor, J. Hong, You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (ACM, New York, 2008), pp. 1065–1074Google Scholar
  16. 16.
    S. Egelman, S. Schechter, The importance of being earnest [in security warnings], in Financial Cryptography and Data Security (Springer, Berlin, 2013), pp. 52–59CrossRefGoogle Scholar
  17. 17.
    A.P. Felt, A. Ainslie, R.W. Reeder, S. Consolvo, S. Thyagaraja, A. Bettes, H. Harris, J. Grimes, Improving SSL warnings: comprehension and adherence, in Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (ACM, New York, 2015), pp. 2893–2902Google Scholar
  18. 18.
    A.P. Felt, R.W. Reeder, H. Almuhimedi, S. Consolvo, Experimenting at scale with Google chrome’s SSL warning, in Proceedings of the 32nd Annual ACM conference on Human Factors in Computing Systems (ACM, New York, 2014), pp. 2667–2670Google Scholar
  19. 19.
    P. Finn, M. Jakobsson, Designing ethical phishing experiments. IEEE Tech. Soc. Mag. 26(1), 46–58 (2007)CrossRefGoogle Scholar
  20. 20.
    N. Golde, K. Redon, R. Borgaonkar, Weaponizing femtocells: the effect of rogue devices on mobile telecommunications. in NDSS (2012)Google Scholar
  21. 21.
    S. Gupta, P. Gupta, M. Ahamad, P. Kumaraguru, Abusing phone numbers and cross-application features for crafting targeted attacks (2015). arXiv preprint arXiv:1512.07330Google Scholar
  22. 22.
    T. Hunt, Pwned websites list. Accessed 22 May 2016
  23. 23.
    ic3, Internet Crime Complaint Center (IC3) (2015). Accessed 5 May 2016
  24. 24.
    T.N. Jagatic, N.A. Johnson, M. Jakobsson, F. Menczer, Social phishing. Commun. ACM 50(10), 94–100 (2007)CrossRefGoogle Scholar
  25. 25.
    M. Jakobsson (ed.), Understanding Social Engineering Based Scams (Springer, Berlin, 2016). ISBN: 978-1-4939-6457-4Google Scholar
  26. 26.
    M. Jakobsson, J. Ratkiewicz, Designing ethical phishing experiments: a study of (ROT13) rOnl query features, in Proceedings of the 15th international conference on World Wide Web (ACM, New York, 2006), pp. 513–522Google Scholar
  27. 27.
    Kaspersky. Asacub android Trojan: From information stealing to financial fraud (2016). Accessed 22 May 2016
  28. 28.
    E. Kim, K. Park, H. Kim, J. Song, I’ve got your number, in Information Security Applications (Springer, Berlin, 2014), pp. 55–67CrossRefGoogle Scholar
  29. 29.
    R.K. Konoth, V. van der Veen, H. Bos, How anywhere computing just killed your phone-based two-factor authentication, in International Conference on Financial Cryptography and Data Security (Springer, Berlin, 2016)Google Scholar
  30. 30.
    krebsonsecurity, Attackers hit weak spots in 2-factor authentication (2012). Accessed 22 May 2016
  31. 31.
    P. Kumaraguru, Y. Rhee, A. Acquisti, L.F. Cranor, J. Hong, E. Nunge, Protecting people from phishing: the design and evaluation of an embedded training email system, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (ACM, Berlin, 2007), pp. 905–914Google Scholar
  32. 32.
    S. Kurowski, Using a whatsapp vulnerability for profiling individuals, in Open Identity Summit, GI-Edition-Lecture Notes in Informatics (LNI)-Proceedings, vol. 237 (2014), pp. 140–146Google Scholar
  33. 33.
    latimes, Anthem hack exposes data on 80 million; experts warn of identity theft (2015). Accessed 22 May 2016
  34. 34.
  35. 35.
    J.M. Miller, J.P. Frantz, B.W. Main, The ability of two lay groups to judge product warning effectiveness, in Proceedings of the Human Factors and Ergonomics Society Annual Meeting, vol. 37 (SAGE Publications, Thousand Oaks, 1993), pp. 989–993Google Scholar
  36. 36.
    D. Modic, Willing to be scammed: how self-control impacts internet scam compliance (2012)Google Scholar
  37. 37.
  38. 38.
    C. Mulliner, R. Borgaonkar, P. Stewin, J.-P. Seifert, SMS-based one-time passwords: attacks and defense, in Detection of Intrusions and Malware, and Vulnerability Assessment (Springer, Berlin, 2013), pp. 150–159Google Scholar
  39. 39.
    T. Register, Reg probe bombshell: How we HACKED mobile voicemail without a PIN. Accessed 22 May 2016
  40. 40.
    J. Scott Railton, K. Kleemola, London calling: two-factor authentication phishing from Iran (2015). Accessed 22 May 2016
  41. 41.
    S.N. Security, How phone hacking worked and how to make sure you’re not a victim. Accessed 22 May 2016
  42. 42.
    S. Shah, How I bypassed 2-Factor-Authentication on Google, Facebook, Yahoo, LinkedIn, and many others. Accessed 22 May 2016
  43. 43.
    S. Sheng, M. Holbrook, P. Kumaraguru, L.F. Cranor, J. Downs, Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. (ACM, 2010), pp. 373–382Google Scholar
  44. 44.
    H. Siadati, T. Nguyen, N. Memon, Proceedings of the Technology and Practice of Passwords: Ninth International Conference, PASSWORDS 2015, Cambridge, December 7–9, 2015, chapter Verification Code Forwarding Attack (Springer, Cham, 2016), pp. 65–71Google Scholar
  45. 45.
    J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, L.F. Cranor, Crying wolf: an empirical study of SSL warning effectiveness, in USENIX Security Symposium (2009), pp. 399–416Google Scholar
  46. 46.
    Symantec, Android.ackposts (2012). Accessed: 22 May 2016
  47. 47.
    Symantec, Password recovery scam tricks users into handing over email account access (2015). Accessed 22 May 2016
  48. 48.
    Versprite, Android infostealer—godwon—analysis. Accessed 22 May 2016
  49. 49.
    R. Wash, E.J. Rader, K. Vaniea, M. Rizor, Out of the loop: How automated software updates cause unintended security consequences, in Proceedings of the Symposium on Usable Privacy and Security, SOUPS (2014), pp. 89–104Google Scholar
  50. 50.
    M.S. Wogalter, V.C. Conzola, T.L. Smith-Jackson, Research-based guidelines for warning design and evaluation. Appl. Ergon. 33(3), 219–230 (2002)CrossRefGoogle Scholar
  51. 51.
    M.S. Wogalter, G.A. Fontenelle, K.R. Laughery, Behavioral effectiveness of warnings, in Proceedings of the Human Factors Society Annual Meeting, vol. 29, no. 7 (SAGE Publications, Los Angeles, 1985), pp. 679–683Google Scholar

Copyright information

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Hossein Siadati
    • 1
  • Toan Nguyen
    • 2
  • Payas Gupta
    • 3
  • Markus Jakobsson
    • 4
  • Nasir Memon
    • 5
  1. 1.Google LLCInfrastructure and CloudNew YorkUSA
  2. 2.Department of Security R& Inc.San FranciscoUSA
  3. 3.PindropAtlantaUSA
  4. 4.ZapFraud Inc.Portola ValleyUSA
  5. 5.New York UniversityComputer Science and EngineeringBrooklynUSA

Personalised recommendations