VU University Amsterdam researchers have demonstrated practical attacks against both Android and iOS devices, showing how a man-in-the-browser (MitB) attack can be elevated to bypass two-factor authentication (2FA) mechanisms.
The increased usage of smartphones and people's tendency to keep applications synchronized across multiple devices renders phone-based 2FA useless, according to the researchers. Because apps are synchronized, once an attacker can access a user's computer, the smartphone can be compromised as well, and the security mechanism bypassed.
Since 2FA relies on segmentation (keeping the second factor on a separate device) to protect against attacks and malware, integrating apps across multiple platforms negates that benefit and exposes users. In addition, because of synchronization, once a victim's computer has been breached, the attacker can engage in MitB attacks and perform illegal operations that 2FA should have prevented.
"By exploiting certain 2FA synchronization vulnerabilities, we show that mobile phone 2FA as used by many online services for secure authentication, including financial institutions, can be easily bypassed," the researchers warn.
They demonstrated the attack by leveraging Google Play's remote app installation feature, which enabled them to install a specifically designed vulnerable app on the victim's Android devices.
The iOS attack was designed around a new OS X feature that enables users to synchronize their Short Message Service (SMS) messages between the iPhone and a Mac computer.
From Security Week
Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA