view counter

AuthenticationVulnerability found in in two-factor authentication

Published 4 February 2016

Two-factor authentication is a computer security measure used by major online service providers to protect the identify of users in the event of a password loss. Security experts have long endorsed two-factor authentication as an effective safeguard against password attacks. But what if two-factor authentication could be cracked not by computer engineering but by social engineering?

Example of two-factor array card for authentication // Source: commons.wikimedia.org

Two-factor authentication is a computer security measure used by major online service providers to protect the identify of users in the event of a password loss. The process is familiar: When a password is forgotten, the site sends an SMS text message to the user’s mobile phone, providing a verification code that must be entered to reset the password. Two-factor authentication may also be triggered if a user signs on from an unrecognized computer IP address.

Security experts have long endorsed two-factor authentication as an effective safeguard against password attacks. Most methods of compromising this verification process are complex, requiring the malicious actor to be in control of both channels—the one generating the one-time passcode and the channel through which the user completes the verification.

But what if two-factor authentication could be cracked not by computer engineering but by social engineering?

NYU reports that Nasir Memon, Professor of Computer Science and Engineering at the New York University Tandon School of Engineering, along with doctoral students Hossein Siadati and Toan Nguyen, tested the premise that users may be tricked into sharing their verification code with a malicious party using a much simpler tactic: asking them.

Memon and his team constructed a scenario in which a hacker, armed only with the target’s mobile phone number, attempts to log into a user’s account and claims to forget the password, triggering a verification SMS text. The true user, unaware of hacker’s attempt, is likely to ignore the SMS message. But what if the hacker follows up directly with a second SMS requesting that the user forward the verification code to confirm that the phone is linked to the online account? The researchers found that users are as likely to fall for the ruse as they are for a traditional phishing scam. In a pilot test of twenty mobile phone users, 25 percent forwarded the verification code to an attacker upon request. The researchers termed this a “Verification Code Forwarding Attack,” and published their results at the PasswordsCon 2015, an international conference on password security at the University of Cambridge in December 2015.

The researchers followed the test with personal interviews to better understand how they perceived the attack. Were they suspicious? If so, what raised their suspicion? The researchers probed to find out what motivated them to forward the verification code. In this small sampling, most targets were not aware that the two-factor authentication process could be compromised,