
How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication

  • Conference paper
  • Financial Cryptography and Data Security (FC 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9603)

Abstract

Exponential growth in smartphone usage, combined with recent advances in mobile technology, is causing a shift in (mobile) app behavior: application vendors no longer restrict their apps to a single platform, but instead add synchronization options that let users conveniently switch from mobile to PC, or vice versa, to access their services. This integration of apps across multiple platforms essentially removes the gap between them. Current state-of-the-art mobile phone-based two-factor authentication (2FA) mechanisms, however, rely heavily on exactly this separation. They are used in a variety of segments (such as consumer online banking services or enterprise secure remote access) to protect against malware. For example, with 2FA in place, attackers should no longer be able to use their PC-based malware to initiate fraudulent banking transactions.

In this paper, we analyze the security implications of the diminishing gap between platforms and show that the ongoing integration, driven by the desire for increased usability, violates key principles of mobile phone 2FA. As a result, we identify a new class of vulnerabilities, dubbed 2FA synchronization vulnerabilities. To support our findings, we present practical attacks against Android and iOS that illustrate how a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone, and thus bypass the chain of 2FA mechanisms used by many financial services.

R.K. Konoth and V. van der Veen contributed equally as joint first authors.



Acknowledgements

We would like to thank the anonymous reviewers for their valuable comments and input to improve the paper. This work was supported by the MALPAY project and by the Netherlands Organisation for Scientific Research through grants NWO 639.023.309 VICI “Dowsing” and NWO CSI-DHS 628.001.021.

Author information

Corresponding author: Radhesh Krishnan Konoth.


Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Konoth, R.K., van der Veen, V., Bos, H. (2017). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science(), vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_24

  • DOI: https://doi.org/10.1007/978-3-662-54970-4_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-54969-8

  • Online ISBN: 978-3-662-54970-4

  • eBook Packages: Computer Science (R0)