Research Director, Centre for Cyber Security Research and Innovation, Deakin University
Research Fellow, Centre for Cyber Security Research and Innovation, Deakin University
CyberCRC Research Fellow, Centre for Cyber Security Research and Innovation (CSRI), Deakin University

The work has been supported by the Cyber Security Research Centre Limited, whose activities are partially funded by the Australian Government's Cooperative Research Centres Programme. Robin Doss does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment. Deakin University provides funding as a member of The Conversation AU.

Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB and Westpac.

[Image caption: A computer can guess more than 100,000,000,000 passwords per second.]

Major vendors such as Microsoft have urged users to abandon 2FA solutions that rely on SMS and voice calls. This is because SMS is renowned for having infamously poor security, leaving it open to a host of different attacks.

For example, SIM swapping has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victim's mobile service provider that they are the victim, and then requesting that the victim's phone number be switched to a device of their choice.

SMS-based one-time codes have also been shown to be compromised through readily available tools such as Modlishka, which uses a technique called reverse proxy. A reverse proxy sits between the victim and the service being impersonated and relays traffic between them. In the case of Modlishka, it intercepts communication between a genuine service and a victim, and tracks and records the victim's interactions with the service, including any login credentials they use.

In addition to these existing vulnerabilities, our team has found further vulnerabilities in SMS-based 2FA. One particular attack exploits a feature of the Google Play Store that lets apps be installed from the web onto your Android device.

Due to syncing services, if an attacker manages to compromise your Google login credentials on their own device, they can then install a message mirroring app directly onto your smartphone. If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they like onto your smartphone.

Our experiments revealed a malicious actor can remotely access a user's SMS-based 2FA with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronise a user's notifications across different devices.

Specifically, attackers can leverage a compromised email/password combination connected to a Google account to install a readily available message mirroring app on a victim's smartphone via Google Play.

This is a realistic scenario, since it's common for users to reuse the same credentials across a variety of services. Using a password manager is an effective way to make your first line of authentication, your username/password login, more secure.

Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly. For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. After this they can remotely receive all communications sent to the victim's phone, including one-time codes used for 2FA.

Although multiple conditions must be fulfilled for this attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.

More importantly, this attack doesn't need high-end technical capabilities. It simply requires insight into how these specific apps work and how to use them intelligently (along with social engineering) to target a victim. The threat is even more real when the attacker is a trusted individual (e.g., a family member) with access to the victim's smartphone.

To remain protected online, you should check whether your initial line of defence is secure. First check your password to see if it has been compromised. There are a number of security programs that will let you do this. And make sure you're using a well-crafted password.

We also recommend you limit the use of SMS as a 2FA method if you can. You can instead use app-based one-time codes, such as through Google Authenticator. In this case the code is generated within the Google Authenticator app on your device itself, rather than being sent to you, so there is no message for a SIM swap, a reverse proxy or a mirroring app to intercept in transit.
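Returning to the earlier advice to check whether your password has already been compromised: the article does not name a particular program, so as an added example (not the authors' code) here is the k-anonymity range protocol used by the Have I Been Pwned "Pwned Passwords" API, which is one common way such tools work. The password is hashed locally with SHA-1, only the first five hex characters of the hash are sent, the service returns every hash suffix it holds for that prefix, and the match is made on the client, so the full hash of your password never leaves your machine. The range responses below are constructed for this example so it runs offline; the suffix for "password" is its genuine SHA-1 remainder, the other suffixes and all the counts are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the "range" endpoint: prefix -> response body, one
# "SUFFIX:COUNT" per line, exactly the shape the real service returns. Only the
# "password" suffix is real; the neighbouring suffixes and every count are invented.
FAKE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F4D9C39C6BFA5BF2C1EB4F1AFF3A6F26F2:1",
    ]),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and the
    35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus (0 = not found).
    `range_lookup` takes a 5-char prefix and returns the service's response body."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:               # the comparison happens client-side
            return int(count or 0)
    return 0


def offline_lookup(prefix: str) -> str:
    """Lookup against the constructed table above; no network access."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def live_lookup(prefix: str) -> str:
    """Lookup against the real service (assumed endpoint; not exercised here)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = sha1_prefix_suffix(pw)
        print(f"{pw!r}: sends only prefix {prefix}, seen {breach_count(pw, offline_lookup)} times")
```

Swap `offline_lookup` for `live_lookup` to query the real corpus. Note that a zero result means only that the password is not in that corpus, not that it is strong; the prefix design is what makes the check safe to run on a password you actually use.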