
On the (In)Security of Mobile Two-Factor Authentication

Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8437)

Abstract

Two-factor authentication (2FA) schemes aim to strengthen the security of password-based login authentication by deploying secondary authentication tokens. In this context, mobile 2FA schemes require no additional hardware (e.g., a smartcard) to store and handle the secondary authentication token, and hence are considered a reasonable trade-off between security, usability and cost. They are widely used in online banking and increasingly deployed by Internet service providers. In this paper, we investigate 2FA implementations of several well-known Internet service providers such as Google, Dropbox, Twitter and Facebook. We identify various weaknesses that allow an attacker to easily bypass them, even when the secondary authentication token is not under the attacker’s control. We then go a step further and present a more general attack against mobile 2FA schemes. Our attack relies on cross-platform infection that subverts control over both end points (the PC and the mobile device) involved in the authentication protocol. We apply this attack in practice and successfully circumvent diverse schemes: SMS-based TAN solutions of four large banks, one instance of a visual TAN scheme, the 2FA login verification systems of Google, Dropbox, Twitter and Facebook accounts, and the Google Authenticator app currently used by 32 third-party service providers. Finally, we cluster and analyze hundreds of real-world malicious Android apps that target mobile 2FA schemes and show that banking Trojans already deploy mobile counterparts that steal 2FA credentials such as TANs.


Notes

  1. Also by the world’s biggest banks such as Bank of America, Deutsche Bank, Santander in the UK, ING in the Netherlands, and ICBC in China.

  2. Alternatively, the server can send a secret value to be used in OTP generation on the client side rather than an OTP itself.

  3. http://securityxploded.com/dll-injection-and-hooking.php

  4. We keep the names of these banks confidential due to responsible disclosure.

  5. We stress that we used a publicly available demo version of CrontoSign for our analysis, while commercial versions were not the subject of our investigation.

  6. See http://contagiominidump.blogspot.de/.


Author information

Corresponding author

Correspondence to Alexandra Dmitrienko.


Appendices

A Graphical Representation of OTPs

We plot a 6-digit OTP by using its first three digits as the x coordinate and its last three digits as the y coordinate (each axis 1000 dots wide). For example, the OTP “012763” is plotted at x=12 and y=763. The symbols ‘+’ and ‘x’ represent one and two occurrences of the same OTP, respectively. The empty space at the left side of Fig. 1 shows that Google OTPs never start with a ‘0’ digit.

Fig. 1. Collected OTPs from three service providers
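As an added example (not code from the paper), the following Python maps collected OTPs to the Appendix A plot coordinates, marks single versus repeated OTPs with ‘+’ and ‘x’, and tabulates leading digits so that a gap such as the missing ‘0’ column in Fig. 1 stands out. The sample OTPs are constructed; only “012763” is the value quoted above.

```python
from collections import Counter

# Constructed sample of 6-digit OTPs; only "012763" is the value quoted in Appendix A.
SAMPLE_OTPS = ["012763", "527190", "527190", "833402", "190027", "651118", "651118"]


def otp_to_point(otp):
    """Map a 6-digit OTP to the Appendix A plot coordinates: x is the first
    three digits and y the last three, so each axis spans 0..999."""
    if len(otp) != 6 or not otp.isdigit():
        raise ValueError("expected a 6-digit numeric OTP, got %r" % (otp,))
    return int(otp[:3]), int(otp[3:])


def plot_symbols(otps):
    """Return {(x, y): symbol}: '+' for an OTP seen once, 'x' for one seen
    two or more times (a repeated OTP is itself a sign of a weak generator)."""
    counts = Counter(otp_to_point(o) for o in otps)
    return {pt: ("+" if n == 1 else "x") for pt, n in counts.items()}


def leading_digit_histogram(otps):
    """Count how often each digit 0-9 opens an OTP. An empty bin, like the
    missing '0' column in Fig. 1, means the generator skips that digit."""
    hist = {str(d): 0 for d in range(10)}
    for o in otps:
        otp_to_point(o)  # validate the format before counting
        hist[o[0]] += 1
    return hist


def missing_leading_digits(otps):
    """Leading digits never observed. With a large enough sample, each
    missing digit removes 10**5 candidates from the nominal 10**6 OTP space."""
    hist = leading_digit_histogram(otps)
    return sorted(d for d, n in hist.items() if n == 0)


if __name__ == "__main__":
    for point, sym in sorted(plot_symbols(SAMPLE_OTPS).items()):
        print("%s at x=%d y=%d" % (sym, point[0], point[1]))
    print("leading digits:", leading_digit_histogram(SAMPLE_OTPS))
    print("never observed as leading digit:", missing_leading_digits(SAMPLE_OTPS))
```

With only a handful of OTPs most digits are missing by chance; the check is meaningful only over a sample as large as the one behind Fig. 1.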

B Mobile Malware Clustering Results

Table 2. Real-world malware families targeting 2FA by stealing SMS messages


Copyright information

© 2014 International Financial Cryptography Association

About this paper

Cite this paper

Dmitrienko, A., Liebchen, C., Rossow, C., Sadeghi, A.-R. (2014). On the (In)Security of Mobile Two-Factor Authentication. In: Christin, N., Safavi-Naini, R. (eds) Financial Cryptography and Data Security. FC 2014. Lecture Notes in Computer Science, vol 8437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45472-5_24


  • DOI: https://doi.org/10.1007/978-3-662-45472-5_24


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-45471-8

  • Online ISBN: 978-3-662-45472-5
