Abstract
Exponential growth in smartphone usage combined with recent advances in mobile technology is causing a shift in (mobile) app behavior: application vendors no longer restrict their apps to a single platform, but rather add synchronization options that allow users to conveniently switch from mobile to PC or vice versa in order to access their services. This process of integrating apps across multiple platforms essentially removes the gap between them. Current state-of-the-art mobile phone-based two-factor authentication (2FA) mechanisms, however, rely heavily on the existence of such a separation. They are used in a variety of segments (such as consumer online banking services or enterprise secure remote access) to protect against malware. For example, with 2FA in place, attackers should no longer be able to use their PC-based malware to initiate fraudulent banking transactions.
In this paper, we analyze the security implications of the diminishing gap between platforms and show that the ongoing integration and desire for increased usability result in a violation of key principles of mobile phone 2FA. As a result, we identify a new class of vulnerabilities, dubbed 2FA synchronization vulnerabilities. To support our findings, we present practical attacks against Android and iOS that illustrate how a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone and thus bypass the chain of 2FA mechanisms used by many financial services.
R.K. Konoth and V. van der Veen contributed equally and are joint first authors.
Acknowledgements
We would like to thank the anonymous reviewers for their valuable comments and input to improve the paper. This work was supported by the MALPAY project and by the Netherlands Organisation for Scientific Research through grants NWO 639.023.309 VICI “Dowsing” and NWO CSI-DHS 628.001.021.
© 2017 International Financial Cryptography Association
Konoth, R.K., van der Veen, V., Bos, H. (2017). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. In: Grossklags, J., Preneel, B. (eds.) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science, vol. 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_24
DOI: https://doi.org/10.1007/978-3-662-54970-4_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-54969-8
Online ISBN: 978-3-662-54970-4
eBook Packages: Computer Science, Computer Science (R0)