Abstract
Two-factor authentication (2FA) schemes aim to strengthen password-based login authentication by deploying a secondary authentication token. In this context, mobile 2FA schemes require no additional hardware (e.g., a smartcard) to store and handle the secondary authentication token, and hence are considered a reasonable trade-off between security, usability and cost. They are widely used in online banking and are increasingly deployed by Internet service providers. In this paper, we investigate the 2FA implementations of several well-known Internet service providers such as Google, Dropbox, Twitter and Facebook. We identify various weaknesses that allow an attacker to easily bypass them, even when the secondary authentication token is not under the attacker’s control. We then go a step further and present a more general attack against mobile 2FA schemes. Our attack relies on cross-platform infection that subverts control over both end points (the PC and the mobile device) involved in the authentication protocol. We apply this attack in practice and successfully circumvent diverse schemes: the SMS-based TAN solutions of four large banks, one instance of a visual TAN scheme, the 2FA login verification systems of Google, Dropbox, Twitter and Facebook accounts, and the Google Authenticator app currently used by 32 third-party service providers. Finally, we cluster and analyze hundreds of real-world malicious Android apps that target mobile 2FA schemes and show that banking Trojans already deploy mobile counterparts that steal 2FA credentials such as TANs.
Notes
1. Also by the world’s biggest banks such as Bank of America, Deutsche Bank, Santander in the UK, ING in the Netherlands, and ICBC in China.
2. Alternatively, the server can send a secret value to be used in OTP generation on the client side rather than an OTP itself.
3.
4. We keep the names of these banks confidential due to responsible disclosure.
5. We stress that we used a publicly available demo version of CrontoSign for our analysis, while commercial versions were not the subject of our investigation.
6.
Appendices
A Graphical Representation of OTPs
We plot a 6-digit OTP as a point whose x-coordinate is the first three digits and whose y-coordinate is the last three digits (each axis is 1000 dots wide). For example, the OTP “012763” is plotted at x=12 and y=763. The symbols ‘+’ and ‘x’ represent one and two occurrences of the same OTP, respectively. The empty band at the left side of Fig. 1 means that Google OTPs never start with a ‘0’ digit.
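The plotting rule above, written out as an added Python example that is not part of the paper; it maps each OTP to its (x, y) point, assigns the ‘+’/‘x’ symbols, and tallies the leading digit so a missing ‘0’ column (the empty band in Fig. 1) can be spotted numerically. SAMPLE_OTPS is a constructed set of made-up codes, not real Google OTPs.

```python
from collections import Counter

# Constructed sample of 6-digit OTPs (made-up values, not real codes).
SAMPLE_OTPS = ["012763", "845120", "012763", "990001",
               "345678", "845120", "845120", "100000"]


def otp_to_point(otp):
    """Map a 6-digit OTP to (x, y): x = first three digits, y = last three.
    "012763" -> (12, 763), matching the appendix's example."""
    if len(otp) != 6 or not otp.isdigit():
        raise ValueError(f"not a 6-digit OTP: {otp!r}")
    return int(otp[:3]), int(otp[3:])


def plot_symbols(otps):
    """Return {(x, y): symbol}: '+' for one occurrence, 'x' for repeats.
    Assumption: the paper only shows '+' and 'x', so three or more
    occurrences are also drawn as 'x' here."""
    counts = Counter(otp_to_point(o) for o in otps)
    return {pt: ("+" if n == 1 else "x") for pt, n in counts.items()}


def leading_digit_histogram(otps):
    """Count how often each digit 0-9 appears as the first digit.
    A zero count for '0' is the numeric form of the empty band in Fig. 1."""
    hist = {str(d): 0 for d in range(10)}
    for o in otps:
        hist[o[0]] += 1
    return hist


def leading_zero_fraction(otps):
    """Fraction of OTPs starting with '0'. Uniformly random 6-digit codes
    start with '0' 10% of the time; a fraction near 0 over a large sample
    means the generator effectively uses 900,000 codes, not 1,000,000."""
    return sum(1 for o in otps if o.startswith("0")) / len(otps)


if __name__ == "__main__":
    for point, sym in sorted(plot_symbols(SAMPLE_OTPS).items()):
        print(f"x={point[0]:3d} y={point[1]:3d} {sym}")
    print("leading digits:", leading_digit_histogram(SAMPLE_OTPS))
    print("leading-zero fraction:", leading_zero_fraction(SAMPLE_OTPS))
```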
B Mobile Malware Clustering Results
Copyright information
© 2014 International Financial Cryptography Association
Cite this paper
Dmitrienko, A., Liebchen, C., Rossow, C., Sadeghi, A.-R. (2014). On the (In)Security of Mobile Two-Factor Authentication. In: Christin, N., Safavi-Naini, R. (eds) Financial Cryptography and Data Security. FC 2014. Lecture Notes in Computer Science, vol 8437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45472-5_24
DOI: https://doi.org/10.1007/978-3-662-45472-5_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-45471-8
Online ISBN: 978-3-662-45472-5
eBook Packages: Computer Science, Computer Science (R0)