Researchers find vulnerability in two-factor authentication

February 3, 2016, New York University
Researchers find vulnerability in two-factor authentication

Two-factor authentication is a computer security measure used by major online service providers to protect the identify of users in the event of a password loss. The process is familiar: When a password is forgotten, the site sends an SMS text message to the user's mobile phone, providing a verification code that must be entered to reset the password. Two-factor authentication may also be triggered if a user signs on from an unrecognized computer IP address.

Security experts have long endorsed two-factor authentication as an effective safeguard against password attacks. Most methods of compromising this verification process are complex, requiring the malicious actor to be in control of both channels—the one generating the one-time passcode and the channel through which the user completes the verification.

But what if two-factor authentication could be cracked not by computer engineering but by social engineering?

Nasir Memon, Professor of Computer Science and Engineering at the New York University Tandon School of Engineering, along with doctoral students Hossein Siadati and Toan Nguyen, tested the premise that users may be tricked into sharing their verification code with a malicious party using a much simpler tactic: asking them.

Memon and his team constructed a scenario in which a hacker, armed only with the target's number, attempts to log into a user's account and claims to forget the password, triggering a verification SMS text. The true user, unaware of hacker's attempt, is likely to ignore the SMS message. But what if the hacker follows up directly with a second SMS requesting that the user forward the verification code to confirm that the phone is linked to the online account? The researchers found that users are as likely to fall for the ruse as they are for a traditional phishing scam. In a pilot test of 20 mobile phone users, 25 percent forwarded the verification code to an attacker upon request. The researchers termed this a Verification Code Forwarding Attack, and published their results at the PasswordsCon 2015, an international conference on password security at the University of Cambridge in December 2015. (Read the full paper).

The researchers followed the test with personal interviews to better understand how they perceived the attack. Were they suspicious? If so, what raised their suspicion? The researchers probed to find out what motivated them to forward the verification code. In this small sampling, most targets were not aware that the two-factor authentication process could be compromised, nor did they notice that the two SMS messages came from different sources—in this case, one from Google and one from the researchers pretending to be hackers. Others explained that they often check their email from public computers in libraries or labs, so requests to verify their identity are common.

Memon and his team acknowledge that while their pilot test was small, the high rate of success lends credence to the Verification Code Forwarding Attack as a method worthy of further study. "Because this kind of attack doesn't require victims to click phishing links or enter sensitive information, like an account or Social Security number, it's easy to understand how it could be very effective," said Memon. "Users are only being asked to forward a random string of numbers that have no real meaning."

Further, he explained that SMS poses particular challenges with confirming the source of messages. "It's not like email, in which you can carefully examine an address to see if it is real. Even sophisticated users don't always know how to source an SMS message, and even if they do, this kind of attack takes advantage of the fact that the target has no context for the message—it appears out of nowhere."

The researchers took the study one step further, surveying 100 email account holders who use two-factor authentication. The survey, conducted on Amazon Mechanical Turk, queried users about their beliefs regarding the security of two-factor authentication, as well as whether they had ever received an unsolicited verification request. The researchers also asked what respondents would do if a major email provider, Google, requested that they forward a verification code.

The results showed that more than 30 percent of those surveyed were unaware that two-factor authentication could be compromised, and more than 60 percent said that they do not routinely verify the source of SMS verification requests. Finally, a full 20 percent reported that they would forward a verification code if Google requested it—about the same percentage as those who fell for the scam in the pilot test.

Memon and his colleagues believe online businesses and service providers may be able to ward off some attacks with simple changes to the process. First, they suggest appending each SMS text to include a warning about forwarding verification codes. They also note that standardizing the phone numbers that each provider or business uses to send verification requests may help users readily source these SMS messages and feel assured of their authenticity.

Memon pointed out that human decisions prove a much harder process to change than any computer system. "There's trust by association, and as long as there's the sense that a message is coming from an email provider or another trusted site, the hackers will stay in business," he said.

Memon heads the Department of Computer Science and Engineering at NYU Tandon, where he founded one of the nation's first cybersecurity master's degree programs. His recent research has centered frequently on the human elements of security. NYU Tandon has joined with other NYU schools to form the new NYU Center for Cyber Security to research approaches to security and privacy by combining security technology, psychology, law, public policy, and business.

Explore further: Protecting data assets with two-factor authentication

Related Stories

Protecting data assets with two-factor authentication

February 3, 2016

To better protect the Institute's data – including employee data – from future cyber risks, the Office of Information Technology (OIT) will begin deploying two-factor authentication to early adopters across campus in ...

Ambient sound may help protect your online accounts

August 18, 2015

Two-factor authentication based on ambient sound has been the focus of four researchers from the Institute of Information Security ETH Zurich. Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun posted ...

Tech Tips: Stay safe by reducing reliance on passwords

June 17, 2015

Mix upper and lower case letters in your password? Substitute the numeral 1 for the letter l? Throw in an exclamation point and other special characters? Who can remember all that for dozens of websites and services?

Recommended for you

A novel approach of improving battery performance

September 18, 2018

New technological developments by UNIST researchers promise to significantly boost the performance of lithium metal batteries in promising research for the next-generation of rechargeable batteries. The study also validates ...

Germany rolls out world's first hydrogen train

September 17, 2018

Germany on Monday rolled out the world's first hydrogen-powered train, signalling the start of a push to challenge the might of polluting diesel trains with costlier but more eco-friendly technology.

Technology streamlines computational science projects

September 15, 2018

Since designing and launching a specialized workflow management system in 2010, a research team from the US Department of Energy's Oak Ridge National Laboratory has continuously updated the technology to help computational ...


Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Feb 03, 2016
I'm sure there's no way to truly overcome social engineering. But in cases like this, maybe the service provider could mitigate risk somewhat by issuing a warning during the process.

Could be as simple as a message on the PIN input screen like, "Please be aware that we will *never* ask you to forward the PIN code to anyone or to enter it anywhere but on this screen."
not rated yet Feb 03, 2016
Whoops. Or I guess in the specific case this article is describing, an alert message within the service provider-generated text (with the actual PIN). And if the user is oblivious to that, then oh well...
not rated yet Feb 04, 2016
Not so much social engineering but trust engineering.
not rated yet Feb 08, 2016
I'm sure there's no way to truly overcome social engineering.

There may be. There have been attempts at creating verification measures where the user does not consciously know the password.

Still in its infancy, but it's an interesting (and freaky) concept.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.