Verification code forwarding attack

Hossein Siadati, Toan Nguyen, Nasir Memon

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Abstract

Major Internet service providers deploy SMS-based verification mechanisms to fortify the security of users' accounts for critical actions such as password reset and logging in from a new computer. In this paper, we describe a new type of phishing attack in which an attacker triggers the delivery of a verification code from a service provider to a user and lures the user into forwarding the code to him, so that he can bypass the SMS verification process. We call this a Verification Code Forwarding Attack (VCFA). The attacker can use VCFA to reset the password of a user's account or to gain access to a 2-factor-enabled account whose password he already knows (e.g., through leaked databases). We attribute the success of this attack to the lack of an effective and usable means for users to verify the service provider, the lack of context in the message sent, and an unwarranted assumption about users' understanding of the authentication process. To show users' susceptibility to such an attack, we conducted an experiment with 20 mobile phone users and found that more than 25% of users were vulnerable to this type of attack. A semi-structured interview with the subjects of the experiment and a survey of 100 subjects on Amazon Mechanical Turk were conducted to explore possible causes for the success of this type of attack. We also discuss possible remediation.

Original language: English (US)
Title of host publication: Technology and Practice of Passwords - 9th International Conference, PASSWORDS 2015, Proceedings
Publisher: Springer Verlag
Pages: 65-71
Number of pages: 7
Volume: 9551
ISBN (Print): 9783319299372
DOI: 10.1007/978-3-319-29938-9_5
State: Published - 2016
Event: 9th International Conference on Technology and Practice of Passwords, PASSWORDS 2015 - Cambridge, United Kingdom
Duration: Dec 7 2015 to Dec 9 2015

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9551
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 9th International Conference on Technology and Practice of Passwords, PASSWORDS 2015
Country: United Kingdom
City: Cambridge
Period: 12/7/15 to 12/9/15

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Siadati, H., Nguyen, T., & Memon, N. (2016). Verification code forwarding attack. In Technology and Practice of Passwords - 9th International Conference, PASSWORDS 2015, Proceedings (Vol. 9551, pp. 65-71). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9551). Springer Verlag. https://doi.org/10.1007/978-3-319-29938-9_5
