Vulnerability found in two-factor authentication

nor did they notice that the two SMS messages came from different sources—in this case, one from Google and one from the researchers pretending to be hackers. Others explained that they often check their email from public computers in libraries or labs, so requests to verify their identity are common.

Memon and his team acknowledge that while their pilot test was small, the high rate of success lends credence to the Verification Code Forwarding Attack as a method worthy of further study. “Because this kind of attack doesn’t require victims to click phishing links or enter sensitive information, like an account or Social Security number, it’s easy to understand how it could be very effective,” said Memon. “Users are only being asked to forward a random string of numbers that have no real meaning.”

Further, he explained that SMS poses particular challenges with confirming the source of messages. “It’s not like email, in which you can carefully examine an address to see if it is real. Even sophisticated users don’t always know how to source an SMS message, and even if they do, this kind of attack takes advantage of the fact that the target has no context for the message — it appears out of nowhere.”

The researchers took the study one step further, surveying 100 email account holders who use two-factor authentication. The survey, conducted on Amazon Mechanical Turk, queried users about their beliefs regarding the security of two-factor authentication, as well as whether they had ever received an unsolicited verification request. The researchers also asked what respondents would do if a major email provider, Google, requested that they forward a verification code.

The results showed that more than 30 percent of those surveyed were unaware that two-factor authentication could be compromised, and more than 60 percent said that they do not routinely verify the source of SMS verification requests. Finally, a full 20 percent reported that they would forward a verification code if Google requested it—about the same percentage as those who fell for the scam in the pilot test. 

Memon and his colleagues believe online businesses and service providers may be able to ward off some attacks with simple changes to the two-factor authentication process. First, they suggest appending a warning against forwarding verification codes to every SMS that carries one. They also note that standardizing the phone numbers each provider or business uses to send verification requests may help users readily identify the source of these SMS messages and feel assured of their authenticity.

Memon pointed out that human decisions are much harder to change than any computer system. “There’s trust by association, and as long as there’s the sense that a message is coming from an email provider or another trusted site, the hackers will stay in business,” he said.

Memon heads the Department of Computer Science and Engineering at NYU Tandon, where he founded one of the nation’s first cybersecurity master’s degree programs. His recent research has centered frequently on the human elements of security. NYU Tandon has joined with other NYU schools to form the new NYU Center for Cyber Security to research approaches to security and privacy by combining security technology, psychology, law, public policy, and business.

NYU notes that NYU Tandon is an internationally recognized center for cyber security research, education, and policy. It has received all three Center of Excellence designations from the National Security Agency and the United States Cyber Command. NYU Tandon Online, the school’s online learning unit, delivers sixteen online graduate programs worldwide, including the virtual cyber security program, which was named the nation’s best online program by the Sloan Consortium (now the Online Learning Consortium) in 2011.

— Read more in Hossein Siadati et al., “Verification Code Forwarding Attack” (PasswordsCon 2015, December 2015)