Two-factor authentication (2FA) schemes aim at strengthening the security of login password-based authentication by deploying secondary authentication tokens. In this context, mobile 2FA schemes require no additional hardware (e.g., a smartcard) to store and handle the secondary authentication token, and hence are considered a reasonable trade-off between security, usability and costs. They are widely used in online banking and increasingly deployed by Internet service providers. In this paper, we investigate 2FA implementations of several well-known Internet service providers such as Google, Dropbox, Twitter and Facebook. We identify various weaknesses that allow an attacker to easily bypass them, even when the secondary authentication token is not under the attacker's control. We then go a step further and present a more general attack against mobile 2FA schemes. Our attack relies on cross-platform infection that subverts control over both end points (PC and a mobile device) involved in the authentication protocol. We apply this attack in practice and successfully circumvent diverse schemes: SMS-based TAN solutions of four large banks, one instance of a visual TAN scheme, 2FA login verification systems of Google, Dropbox, Twitter and Facebook accounts, and the Google Authenticator app currently used by 32 third-party service providers. Finally, we cluster and analyze hundreds of real-world malicious Android apps that target mobile 2FA schemes and show that banking Trojans already deploy mobile counterparts that steal 2FA credentials like TANs.
%0 Conference Paper
%1 DLRS2014
%A Dmitrienko, Alexandra
%A Liebchen, Christopher
%A Rossow, Christian
%A Sadeghi, Ahmad-Reza
%B Financial Cryptography and Data Security Conference (FC)
%D 2014
%K Technical-Reports Two-Factor authentication myown
%T On the (In)Security of Mobile Two-Factor Authentication
%X Two-factor authentication (2FA) schemes aim at strengthening the security of login password-based authentication by deploying secondary authentication tokens. In this context, mobile 2FA schemes require no additional hardware (e.g., a smartcard) to store and handle the secondary authentication token, and hence are considered a reasonable trade-off between security, usability and costs. They are widely used in online banking and increasingly deployed by Internet service providers. In this paper, we investigate 2FA implementations of several well-known Internet service providers such as Google, Dropbox, Twitter and Facebook. We identify various weaknesses that allow an attacker to easily bypass them, even when the secondary authentication token is not under the attacker's control. We then go a step further and present a more general attack against mobile 2FA schemes. Our attack relies on cross-platform infection that subverts control over both end points (PC and a mobile device) involved in the authentication protocol. We apply this attack in practice and successfully circumvent diverse schemes: SMS-based TAN solutions of four large banks, one instance of a visual TAN scheme, 2FA login verification systems of Google, Dropbox, Twitter and Facebook accounts, and the Google Authenticator app currently used by 32 third-party service providers. Finally, we cluster and analyze hundreds of real-world malicious Android apps that target mobile 2FA schemes and show that banking Trojans already deploy mobile counterparts that steal 2FA credentials like TANs.
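@inproceedings{DLRS2014,
  author        = {Dmitrienko, Alexandra and Liebchen, Christopher and Rossow, Christian and Sadeghi, Ahmad-Reza},
  title         = {On the (In)Security of Mobile Two-Factor Authentication},
  booktitle     = {Financial Cryptography and Data Security Conference (FC)},
  venue         = {FC},
  location      = {Barbados},
  year          = {2014},
  month         = mar,
  abstract      = {Two-factor authentication (2FA) schemes aim at strengthening the security of login password-based authentication by deploying secondary authentication tokens. In this context, mobile 2FA schemes require no additional hardware (e.g., a smartcard) to store and handle the secondary authentication token, and hence are considered a reasonable trade-off between security, usability and costs. They are widely used in online banking and increasingly deployed by Internet service providers. In this paper, we investigate 2FA implementations of several well-known Internet service providers such as Google, Dropbox, Twitter and Facebook. We identify various weaknesses that allow an attacker to easily bypass them, even when the secondary authentication token is not under the attacker's control. We then go a step further and present a more general attack against mobile 2FA schemes. Our attack relies on cross-platform infection that subverts control over both end points (PC and a mobile device) involved in the authentication protocol. We apply this attack in practice and successfully circumvent diverse schemes: SMS-based TAN solutions of four large banks, one instance of a visual TAN scheme, 2FA login verification systems of Google, Dropbox, Twitter and Facebook accounts, and the Google Authenticator app currently used by 32 third-party service providers. Finally, we cluster and analyze hundreds of real-world malicious Android apps that target mobile 2FA schemes and show that banking Trojans already deploy mobile counterparts that steal 2FA credentials like TANs.},
  keywords      = {Technical-Reports Two-Factor authentication myown},
  pdf           = {https://se2.informatik.uni-wuerzburg.de/publications/download/paper/1503.pdf},
  biburl        = {https://www.bibsonomy.org/bibtex/2e6878e5d6e49220a07f736c4ef1547a8/sssgroup},
  interhash     = {6ac60fe6aaf99b2c6862a9bc57b7dc33},
  intrahash     = {e6878e5d6e49220a07f736c4ef1547a8},
  added-at      = {2020-05-03T20:09:10.000+0200},
  timestamp     = {2022-12-19T23:40:18.000+0100},
  internal-note = {Abstract text repaired from a PDF line-break export (stray hyphens, missing spaces, non-ASCII apostrophe); month switched from the literal {March} to the standard macro mar so styles and languages render it; venue/location kept as exported and should be confirmed against the proceedings (no DOI or pages were given in the source record, so none were added)},
}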