
Verification Code Forwarding Attack (Short Paper)

  • Conference paper
Technology and Practice of Passwords (PASSWORDS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9551)


Abstract

Major Internet service providers deploy SMS-based verification mechanisms to fortify the security of users’ accounts for critical actions such as password reset and logging in from a new computer. In this paper, we describe a new type of phishing attack in which an attacker triggers the delivery of a verification code from a service provider to a user and lures the user into forwarding the code to him, so that he can bypass the SMS verification process. We call this a Verification Code Forwarding Attack (VCFA). The attacker can use VCFA to reset the password of a user’s account or to gain access to a 2-factor-enabled account whose password he already knows (e.g., through leaked databases). We attribute the success of this attack to the lack of an effective and usable means for users to verify the service provider, the lack of context in the message sent, and an assumption about users’ understanding of the authentication process. To show the susceptibility of users to such an attack, we conducted an experiment with 20 mobile phone users and found that more than 25% of users were vulnerable to this type of attack. A semi-structured interview with the subjects of the experiment and a survey of 100 subjects on Amazon Mechanical Turk were conducted to explore possible causes for the success of this type of attack. We also discuss possible remediation.
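The abstract attributes part of VCFA's success to the lack of context in the verification message: a bare six-digit code says nothing about which action it unlocks, so a user cannot tell that forwarding it completes someone else's password reset. The following Python block is an added example, not code from the paper or from any provider it studied, showing one defender-side design that addresses that point: the SMS text names the service and the exact action, and the server binds each code to a (user, purpose) pair, accepts it once, and expires it. The service name, purpose strings, TTL and attempt limit are constructed values. Note that message text alone still cannot let the user authenticate the sender, which the abstract lists as a separate cause.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example of a single-purpose SMS verification code service.
# All names and values here are hypothetical, not the paper's or a real provider's.

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed cap on guesses per issued code

# Human-readable context for each purpose. It is embedded in the SMS text so the
# user sees what the code is for, the "context" the abstract says is missing.
PURPOSE_TEXT = {
    "password_reset": "reset your password",
    "new_device_login": "sign in from a new device",
}

# Per-process secret: only a keyed hash of each code is kept server-side.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class IssuedCode:
    user_id: str
    purpose: str
    code_hash: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(user_id: str, purpose: str, code: str) -> str:
    # Binding user and purpose into the hash means a code issued for one
    # action can never validate for a different action or a different user.
    msg = f"{user_id}|{purpose}|{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_code(store: Dict[Tuple[str, str], IssuedCode], user_id: str, purpose: str,
               service_name: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a fresh code for (user, purpose) and return (code, sms_text).

    In a real deployment only sms_text leaves the server; the plaintext code is
    returned here so the example can be exercised end to end."""
    if purpose not in PURPOSE_TEXT:
        raise ValueError(f"unknown purpose: {purpose}")
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    store[(user_id, purpose)] = IssuedCode(user_id, purpose,
                                           _hash_code(user_id, purpose, code), now)
    # The message states who sent it, what the code does, how long it lasts,
    # and that the provider will never ask for it to be sent back.
    sms_text = (
        f"{service_name}: your code to {PURPOSE_TEXT[purpose]} is {code}. "
        f"It expires in {CODE_TTL_SECONDS // 60} minutes. "
        f"{service_name} will never ask you to send this code to anyone; "
        "if you did not request it, ignore this message."
    )
    return code, sms_text


def verify_code(store: Dict[Tuple[str, str], IssuedCode], user_id: str, purpose: str,
                submitted: str, now: Optional[float] = None) -> bool:
    """Accept a code only for the user and purpose it was issued for,
    only once, within its TTL, and within the attempt budget."""
    now = time.time() if now is None else now
    record = store.get((user_id, purpose))
    if record is None or record.consumed:
        return False
    if now - record.issued_at > CODE_TTL_SECONDS:
        del store[(user_id, purpose)]
        return False
    record.attempts += 1
    if record.attempts > MAX_ATTEMPTS:
        del store[(user_id, purpose)]
        return False
    if not hmac.compare_digest(record.code_hash, _hash_code(user_id, purpose, submitted)):
        return False
    record.consumed = True
    return True


if __name__ == "__main__":
    store: Dict[Tuple[str, str], IssuedCode] = {}
    code, sms = issue_code(store, "alice", "password_reset", "ExampleBank")
    print(sms)
    print(verify_code(store, "alice", "new_device_login", code))  # wrong purpose
    print(verify_code(store, "alice", "password_reset", code))    # correct use
    print(verify_code(store, "alice", "password_reset", code))    # already consumed
```

The purpose binding is what limits the damage of a forwarded code: even if a user relays a login code, it cannot be replayed against a password reset, and the single-use and expiry checks shrink the window in which any relayed code is worth anything.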




Corresponding author: Toan Nguyen.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Siadati, H., Nguyen, T., Memon, N. (2016). Verification Code Forwarding Attack (Short Paper). In: Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P. (eds) Technology and Practice of Passwords. PASSWORDS 2015. Lecture Notes in Computer Science(), vol 9551. Springer, Cham. https://doi.org/10.1007/978-3-319-29938-9_5


  • DOI: https://doi.org/10.1007/978-3-319-29938-9_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29937-2

  • Online ISBN: 978-3-319-29938-9

  • eBook Packages: Computer Science (R0)
