Mind your SMSes: Mitigating social engineering in second factor authentication

Hossein Siadati; Toan Nguyen; Payas Gupta; Markus Jakobsson; Nasir Memon

doi:10.1016/j.cose.2016.09.009

Mind your SMSes: Mitigating social engineering in second factor authentication

Hossein Siadati, Toan Nguyen, Payas Gupta, Markus Jakobsson, Nasir Memon

Center for Cyber Security

Research output: Contribution to journal › Article › peer-review

Abstract

SMS-based second factor authentication is a cornerstone for many service providers, ranging from email service providers and social networks to financial institutions and online marketplaces. Attackers have not been slow to capitalize on the vulnerabilities of this mechanism by using social engineering techniques to coerce users to forward authentication codes. We demonstrate one social engineering attack for which we experimentally obtained a 50% success rate against Google's SMS-based authentication. At the heart of the problem is the messaging associated with the authentication code, and how this must not have been developed with security against social engineering in mind. Pursuing a top-down methodology, we generate alternative messages and experimentally test these against an array of social engineering attempts. Our most robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google's standard second factor verification code messages.

Original language	English (US)
Pages (from-to)	14-28
Number of pages	15
Journal	Computers and Security
Volume	65
DOIs	https://doi.org/10.1016/j.cose.2016.09.009
State	Published - Mar 1 2017

Keywords

2-factor authentication
2-step verification
Human factors
Phishing
SMS
Verification code forwarding attack
Warning

ASJC Scopus subject areas

Computer Science(all)
Law

Access to Document

10.1016/j.cose.2016.09.009

Cite this

@article{0fac1d36a17c49ffa24c9817a6959c3e,

title = "Mind your SMSes: Mitigating social engineering in second factor authentication",

abstract = "SMS-based second factor authentication is a cornerstone for many service providers, ranging from email service providers and social networks to financial institutions and online marketplaces. Attackers have not been slow to capitalize on the vulnerabilities of this mechanism by using social engineering techniques to coerce users to forward authentication codes. We demonstrate one social engineering attack for which we experimentally obtained a 50% success rate against Google's SMS-based authentication. At the heart of the problem is the messaging associated with the authentication code, and how this must not have been developed with security against social engineering in mind. Pursuing a top-down methodology, we generate alternative messages and experimentally test these against an array of social engineering attempts. Our most robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google's standard second factor verification code messages.",

keywords = "2-factor authentication, 2-step verification, Human factors, Phishing, SMS, Verification code forwarding attack, Warning",

author = "Hossein Siadati and Toan Nguyen and Payas Gupta and Markus Jakobsson and Nasir Memon",

note = "Funding Information: Authors of this paper thank members of NYU's Center for Cyber Security, specifically Sameer Patil, Trishank Karthik and Kevin Gallagher, for their comments and feedback that helped to improve this work. We would like to thank Seda Gurses for inspiring discussions. This work was partially supported by NSF grant 1359601 . Publisher Copyright: {\textcopyright} 2016 Elsevier Ltd",

year = "2017",

month = mar,

day = "1",

doi = "10.1016/j.cose.2016.09.009",

language = "English (US)",

volume = "65",

pages = "14--28",

journal = "Computers and Security",

issn = "0167-4048",

publisher = "Elsevier Limited",

}

TY - JOUR

T1 - Mind your SMSes

T2 - Mitigating social engineering in second factor authentication

AU - Siadati, Hossein

AU - Nguyen, Toan

AU - Gupta, Payas

AU - Jakobsson, Markus

AU - Memon, Nasir

N1 - Funding Information: Authors of this paper thank members of NYU's Center for Cyber Security, specifically Sameer Patil, Trishank Karthik and Kevin Gallagher, for their comments and feedback that helped to improve this work. We would like to thank Seda Gurses for inspiring discussions. This work was partially supported by NSF grant 1359601 . Publisher Copyright: © 2016 Elsevier Ltd

PY - 2017/3/1

Y1 - 2017/3/1

N2 - SMS-based second factor authentication is a cornerstone for many service providers, ranging from email service providers and social networks to financial institutions and online marketplaces. Attackers have not been slow to capitalize on the vulnerabilities of this mechanism by using social engineering techniques to coerce users to forward authentication codes. We demonstrate one social engineering attack for which we experimentally obtained a 50% success rate against Google's SMS-based authentication. At the heart of the problem is the messaging associated with the authentication code, and how this must not have been developed with security against social engineering in mind. Pursuing a top-down methodology, we generate alternative messages and experimentally test these against an array of social engineering attempts. Our most robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google's standard second factor verification code messages.

AB - SMS-based second factor authentication is a cornerstone for many service providers, ranging from email service providers and social networks to financial institutions and online marketplaces. Attackers have not been slow to capitalize on the vulnerabilities of this mechanism by using social engineering techniques to coerce users to forward authentication codes. We demonstrate one social engineering attack for which we experimentally obtained a 50% success rate against Google's SMS-based authentication. At the heart of the problem is the messaging associated with the authentication code, and how this must not have been developed with security against social engineering in mind. Pursuing a top-down methodology, we generate alternative messages and experimentally test these against an array of social engineering attempts. Our most robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google's standard second factor verification code messages.

KW - 2-factor authentication

KW - 2-step verification

KW - Human factors

KW - Phishing

KW - SMS

KW - Verification code forwarding attack

KW - Warning

UR - http://www.scopus.com/inward/record.url?scp=84995794069&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84995794069&partnerID=8YFLogxK

U2 - 10.1016/j.cose.2016.09.009

DO - 10.1016/j.cose.2016.09.009

M3 - Article

AN - SCOPUS:84995794069

SN - 0167-4048

VL - 65

SP - 14

EP - 28

JO - Computers and Security

JF - Computers and Security

ER -

Mind your SMSes: Mitigating social engineering in second factor authentication

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this