
Mind your SMSes

Published: 01 March 2017

Abstract

SMS-based second-factor authentication is a cornerstone for many service providers, ranging from email providers and social networks to financial institutions and online marketplaces. Attackers have been quick to exploit the weaknesses of this mechanism, using social engineering to trick users into forwarding their authentication codes. We demonstrate one such social engineering attack, for which we experimentally obtained a 50% success rate against Google's SMS-based authentication. At the heart of the problem is the message that accompanies the authentication code, which evidently was not designed with resistance to social engineering in mind. Following a top-down methodology, we generate alternative messages and test them experimentally against an array of social engineering attempts. Our most robust message reduces the success rate of the most effective social engineering attack to 8%, one sixth of its success against Google's standard second-factor verification code messages.




Published In

Computers and Security, Volume 65, Issue C, March 2017, 432 pages

Publisher

Elsevier Advanced Technology Publications, United Kingdom

Publication History

Published: 01 March 2017

Author Tags

  1. 2-factor authentication
  2. 2-step verification
  3. Human factors
  4. Phishing
  5. SMS
  6. Verification code forwarding attack
  7. Warning

Qualifiers

  • Research-article


Cited By

  • (2024) How many FIDO protocols are needed? Analysing the technology, security and compliance. ACM Computing Surveys 56(8): 1-51. doi:10.1145/3654661
  • (2024) Nothing Personal: Understanding the Spread and Use of Personally Identifiable Information in the Financial Ecosystem. Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy, pp. 55-65. doi:10.1145/3626232.3653266
  • (2024) Can serious gaming tactics bolster spear-phishing and phishing resilience? Information and Software Technology 170(C). doi:10.1016/j.infsof.2024.107426
  • (2023) Lessons in Prevention and Cure: A User Study of Recovery from Flubot Smartphone Malware. Proceedings of the 2023 European Symposium on Usable Security, pp. 126-142. doi:10.1145/3617072.3617109
  • (2023) "We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3138-3152. doi:10.1145/3576915.3623180
  • (2022) The Impact of Social Engineer Attack Phases on Improved Security Countermeasures. International Journal of Digital Crime and Forensics 14(1): 1-26. doi:10.4018/IJDCF.286762
  • (2021) The Annoying, the Disturbing, and the Weird: Challenges with Phone Numbers as Identifiers and Phone Number Recycling. Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, pp. 1-14. doi:10.1145/3411764.3445085
  • (2020) Security analysis of unified payments interface and payment apps in India. Proceedings of the 29th USENIX Conference on Security Symposium, pp. 1499-1516. doi:10.5555/3489212.3489297
  • (2019) How persuasive is a phishing email? A phishing game for phishing awareness. Journal of Computer Security 27(6): 581-612. doi:10.3233/JCS-181253
  • (2019) Evaluating Login Challenges as a Defense Against Account Takeover. The World Wide Web Conference, pp. 372-382. doi:10.1145/3308558.3313481
