Mind your SMSes: Mitigating social engineering in second factor authentication

SMS-based second factor authentication is a cornerstone for many service providers, ranging from email service providers and social networks to financial institutions and online marketplaces. Attackers have not been slow to capitalize on the weaknesses of this mechanism, using social engineering techniques to coerce users into forwarding their authentication codes. We demonstrate one social engineering attack for which we experimentally obtained a 50% success rate against Google's SMS-based authentication. At the heart of the problem is the messaging that accompanies the authentication code, which evidently was not designed with resistance to social engineering in mind. Pursuing a top-down methodology, we generate alternative messages and experimentally test them against an array of social engineering attempts. Our most robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google's standard second factor verification code messages.
