nach oben

Erschienen in:

2014 | OriginalPaper | Buchkapitel

On the (In)Security of Mobile Two-Factor Authentication

verfasst von : Alexandra Dmitrienko, Christopher Liebchen, Christian Rossow, Ahmad-Reza Sadeghi

Erschienen in: Financial Cryptography and Data Security

Verlag: Springer Berlin Heidelberg

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Two-factor authentication (2FA) schemes aim at strengthening the security of login password-based authentication by deploying secondary authentication tokens. In this context, mobile 2FA schemes require no additional hardware (e.g., a smartcard) to store and handle the secondary authentication token, and hence are considered as a reasonable trade-off between security, usability and costs. They are widely used in online banking and increasingly deployed by Internet service providers. In this paper, we investigate 2FA implementations of several well-known Internet service providers such as Google, Dropbox, Twitter and Facebook. We identify various weaknesses that allow an attacker to easily bypass them, even when the secondary authentication token is not under attacker’s control. We then go a step further and present a more general attack against mobile 2FA schemes. Our attack relies on cross-platform infection that subverts control over both end points (PC and a mobile device) involved in the authentication protocol. We apply this attack in practice and successfully circumvent diverse schemes: SMS-based TAN solutions of four large banks, one instance of a visual TAN scheme, 2FA login verification systems of Google, Dropbox, Twitter and Facebook accounts, and the Google Authenticator app currently used by 32 third-party service providers. Finally, we cluster and analyze hundreds of real-world malicious Android apps that target mobile 2FA schemes and show that banking Trojans already deploy mobile counterparts that steal 2FA credentials like TANs.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Drone to the Rescue: Relay-Resilient Authentication using Ambient Multi-sensing

Nächstes Kapitel MoP-2-MoP – Mobile Private Microblogging

Nur mit Berechtigung zugänglich

Also by the world’s biggest banks such as Bank of America, Deutsche Bank, Santander in UK, ING in the Netherlands, and ICBC in China.

Alternatively, the server can send a secret value to be used in OTP generation on the client side rather than an OTP itself.

http://securityxploded.com/dll-injection-and-hooking.php

We keep the names of these banks confidential due to responsible disclosure.

We stress that we used a publicly available demo version of CrontoSign for our analysis, while commercial versions were not subject of our investigation.

see http://contagiominidump.blogspot.de/.

Google Wallet. http://www.google.com/wallet/how-it-works/index.html

National vulnerability database version 2.2. http://nvd.nist.gov/

Cell phone virus tries leaping to PCs (2005). http://news.cnet.com/Cell-phone-virus-tries-leaping-to-PCs/2100-7349_3-5876664.html?tag=mncol;txt

The security risks of Free Public WiFi (2009). http://searchsecurity.techtarget.com.au/news/2240020802/The-security-risks-of-Free-Public-WiFi

KARMA demo on the CBS early show (2010). http://blog.trailofbits.com/2010/07/21/karma-demo-on-the-cbs-early-show/

New Spitmo banking Trojan attacks Android users (2011). http://www.securitynewsdaily.com/1048-spitmo-banking-trojan-attacks-android-users.html

RSA breach leaks data for hacking securID tokens (2011). http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/

MasterCard PAYPASS (2012). http://www.mastercard.us/paypass.html#/home/

Raiffeisen PhotoTAN (2012). http://www.raiffeisen.ch/web/phototan

10.

RSA SecurID software token cloning: a new how-to (2012). http://arstechnica.com/security/2012/05/rsa-securid-software-token-cloning-attack/

11.

Aloul, F., Zahidi, S., El-Hajj, W.: Two factor authentication using mobile phones. In: IEEE/ACS Computer Systems and Applications, May 2009

12.

Aloul, F., Zahidi, S., ElHajj, W.: Multi factor authentication using mobile phones. Int. J. Math. Comput. Sci. 4, 65–80 (2009)

13.

Alves, T., Felton, D.: TrustZone: integrated hardware and software security. Inf. Q. 3(4), 18–24 (2004)

14.

Azema, J., Fayad, G.: M-Shield mobile security technology: making wireless secure. http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf

15.

Balfanz, D., Felten, E.W.: Hand-held computers can be better smart cards. In: USENIX Security Symposium - Volume 8. USENIX Association (1999)

16.

Castillo, C., McAfee: Android banking Trojans target Italy and Thailand (2013). http://blogs.mcafee.com/mcafee-labs/android-banking-trojans-target-italy-and-thailand/

17.

Castillo, C., McAfee: Phishing attack replaces Android banking apps with malware (2013). http://blogs.mcafee.com/mcafee-labs/phishing-attack-replaces-android-banking-apps-with-malware

18.

Clarke, D., Gassend, B., Kotwal, T., Burnside, M., van Dijk, M., Devadas, S., Rivest, R.L.: The untrusted computer problem and camera-based authentication. In: Mattern, F., Naghshineh, M. (eds.) PERVASIVE 2002. LNCS, vol. 2414, pp. 114–124. Springer, Heidelberg (2002)CrossRef

19.

Cronto Limited: Commerzbank and Cronto launch secure online banking with photoTAN - World’s first deployment of visual transaction signing mobile solution (2008). http://www.cronto.com/download/Cronto_Commerzbank_photoTAN.pdf

20.

Cronto Limited. CorpBanca and Cronto secure online banking transactions with CrontoSign (2011). http://www.cronto.com/corpbanca-cronto-secure-online-banking-transactions-crontosign.htm

21.

Dmitrienko, A., Liebchen, C., Rossow, C., Sadeghi, A.-R.: On the (in)security of mobile two-factor authentication. Technical Report TUD-CS-2014-0029. CASED (2014). http://www.trust.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/PubsPDF/TUD-CS-2014-0029.pdf

22.

Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: USENIX OSDI (2010)

23.

Evers, J.: Virus makes leap from PC to PDA (2006). http://news.cnet.com/2100-1029_3-6044457.html

24.

Giesecke & Devrient: The Mobile Security Card offers increased security. http://www.gd-sfs.com/the-mobile-security-card/mobile-security-card-se-1--0/

25.

Jerschow, Y.I., Lochert, C., Scheuermann, B., Mauve, M.: CLL: a cryptographic link layer for local area networks. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 21–38. Springer, Heidelberg (2008)CrossRef

26.

Kalige, E., Burkey, D.: Eurograbber: how 36 million euros was stolen via malware. http://www.cs.stevens.edu/spock/Eurograbber_White_Paper.pdf

27.

King, D., Hicks, B., Hicks, M.W., Jaeger, T.: Implicit Flows: Can’t Live with ‘Em, Can’t Live without ‘Em. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 56–70. Springer, Heidelberg (2008)CrossRef

28.

Mannan, M.S., van Oorschot, P.C.: Using a personal device to strengthen password authentication from an untrusted computer. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 88–103. Springer, Heidelberg (2007)CrossRef

29.

Mulliner, C., Borgaonkar, R., Stewin, P., Seifert, J.-P.: SMS-based one-time passwords: attacks and defense. In: Rieck, K., Stewin, P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 150–159. Springer, Heidelberg (2013)CrossRef

30.

Falliere, N.: Exploring Stuxnet’s PLC infection process (2010). http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process

31.

V. News. Teamwork: how the ZitMo Trojan bypasses online banking security (2011). http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security

32.

Parno, B., Kuo, C., Perrig, A.: Phoolproof phishing prevention. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 1–19. Springer, Heidelberg (2006)CrossRef

33.

Peikari, C.: Analyzing the crossover virus: the first PC to Windows handheld cross-infector (2006). http://www.informit.com/articles/article.aspx?p=458169

34.

Schartner, P., Bürger, S.: Attacking mTAN-applications like e-banking and mobile signatures. Technical report, University of Klagenfurt (2011)

35.

Sparkasse: Online banking mit chipTAN. https://www.sparkasse-pm.de/privatkunden/banking/chiptan/vorteile/index.php?n=/privatkunden/banking/chiptan/vorteile/

36.

Starnberger, G., Froihofer, L., Goeschka, K.: QR-TAN: secure mobile transaction authentication. In: ARES. IEEE (2009)

37.

Tanenbaum, A.S.: Modern Operating Systems. Prentice Hall Press, Upper Saddle River (2001)

38.

TrendLabs: 3Q 2012 security roundup. Android under siege: popularity comes at a price (2012). http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-3q-2012-security-roundup-android-under-siege-popularity-comes-at-a- price.pdf

39.

van der Veen, V., dutt-Sharma, N., Cavallaro, L., Bos, H.: Memory errors: the past, the present, and the future. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 86–106. Springer, Heidelberg (2012)CrossRef

40.

Wang, Z., Stavrou, A.: Exploiting smart-phone USB connectivity for fun and profit. In: 26th Annual Computer Security Applications Conference. ACM (2010)

41.

Zhou, Y., Jiang, X.: Dissecting Android malware: characterization and evolution. In: IEEE Symposium on Security and Privacy (2012)

42.

Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets. In: NDSS (2012)

Titel: On the (In)Security of Mobile Two-Factor Authentication
verfasst von: Alexandra Dmitrienko
Christopher Liebchen
Christian Rossow
Ahmad-Reza Sadeghi
Verlag: Springer Berlin Heidelberg
Buch: Financial Cryptography and Data Security
Print ISBN: 978-3-662-45471-8

Electronic ISBN: 978-3-662-45472-5

Copyright-Jahr: 2014
DOI: https://doi.org/10.1007/978-3-662-45472-5_24

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner