How hackers can use message mirroring apps to see all your SMS texts — and bypass 2FA security



Syed Wajid Ali Shah, Deakin University; Jongkil Jay Jeong, Deakin University, and Robin Doss, Deakin University

It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted that more than 80% of all hacking-related breaches occur due to compromised or weak credentials, with three billion username/password combinations stolen in 2016 alone.

As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system.

It works too. Figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks.

But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone.

Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB and Westpac.


So what’s the problem with SMS?

Major vendors such as Microsoft have urged users to abandon 2FA solutions that leverage SMS and voice calls. This is because SMS is renowned for having infamously poor security, leaving it open to a host of different attacks.

For example, SIM swapping has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victim’s mobile service provider that they are the victim, and then requesting the victim’s phone number be switched to a device of their choice.

SMS-based one-time codes have also been shown to be compromised through readily available tools such as Modlishka, which uses a technique called reverse proxying: the tool sits between the victim and the service being impersonated and relays communication between them.

So in the case of Modlishka, it intercepts communication between a genuine service and a victim and tracks and records the victim’s interactions with the service, including any login credentials they may use.

In addition to these existing vulnerabilities, our team has found additional vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web to your Android device.

Due to syncing services, if a hacker manages to compromise your Google login credentials on their own device, they can then install a message mirroring app directly onto your smartphone.

If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they’d like automatically onto your smartphone.

The attack on Android

Our experiments revealed a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronise users’ notifications across different devices.

Specifically, attackers can leverage a compromised email/password combination connected to a Google account (such as username@gmail.com) to nefariously install a readily-available message mirroring app on a victim’s smartphone via Google Play.

This is a realistic scenario since it’s common for users to use the same credentials across a variety of services. Using a password manager is an effective way to make your first line of authentication — your username/password login — more secure.

Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly.

For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. After this they can remotely receive all communications sent to the victim’s phone, including one-time codes used for 2FA.

Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.

More importantly, this attack doesn’t need high-end technical capabilities. It simply requires insight into how these specific apps work and how to intelligently use them (along with social engineering) to target a victim.

The threat is even more real when the attacker is a trusted individual (e.g., a family member) with access to the victim’s smartphone.
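An app that synchronises notifications across devices can only forward SMS if it has been granted Android’s notification-listener access, which the system records in a single secure setting. The following is an added defender-side audit, not code from the article or from the withheld app; it assumes that access is the permission the attack relies on, reads the setting over adb, and flags any listener whose package is not on an owner-maintained allowlist. The package names in the sample output and in the allowlist are constructed placeholders.

```python
"""Audit which Android apps hold notification-listener access.

Hypothetical defender-side check (not code from the article). Anything with
notification-listener access can read incoming SMS notifications, including
2FA codes, so the list should contain only apps the owner knowingly uses.
"""
import subprocess
from typing import List

# Constructed allowlist: listener packages the device owner knowingly uses.
# Placeholder names; replace with the real packages on the device under review.
KNOWN_LISTENERS = {
    "com.example.wearcompanion",  # placeholder: a smartwatch companion app
}


def parse_listeners(raw: str) -> List[str]:
    """Parse the value of the 'enabled_notification_listeners' secure setting.

    The value is a colon-separated list of component names ("package/service");
    'settings get' prints the literal string 'null' when nothing is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [component for component in raw.split(":") if component]


def package_of(component: str) -> str:
    """'com.foo/.Svc' -> 'com.foo'."""
    return component.split("/", 1)[0]


def flag_unexpected(components: List[str], allowlist=KNOWN_LISTENERS) -> List[str]:
    """Return the listener components whose package is not on the allowlist."""
    return [c for c in components if package_of(c) not in allowlist]


def read_device_listeners() -> List[str]:
    """Query a USB-attached device (needs adb on PATH and USB debugging enabled)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_notification_listeners"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_listeners(out)


# Constructed sample, in the format 'settings get secure ...' returns.
SAMPLE_SETTING = (
    "com.example.wearcompanion/.NotifyService:"
    "com.example.mirror/com.example.mirror.ListenerService"
)

if __name__ == "__main__":
    # Swap SAMPLE_SETTING for read_device_listeners() to audit a real device.
    for component in flag_unexpected(parse_listeners(SAMPLE_SETTING)):
        print(f"REVIEW: {package_of(component)} can read all notifications ({component})")
```

On a real device the same review is available interactively under Settings > Apps > Special app access > Notification access; the script simply makes it repeatable across a fleet and leaves an auditable list.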

What’s the alternative?

To remain protected online, you should check whether your initial line of defence is secure. First check your password to see if it’s compromised. There are a number of security programs that will let you do this. And make sure you’re using a well-crafted password.
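One way such a check can be done without sending the password anywhere is the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords API: only the first five hex characters of the password’s SHA-1 leave the machine, the service returns every known suffix under that prefix with a breach count, and the match happens locally. The following is an added example, not code from the article; the range response it parses is a constructed sample and its counts are made up.

```python
"""Check a password against a breach corpus without revealing it (k-anonymity).

Added example. Protocol: GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
returns lines of the form SUFFIX:COUNT; the caller compares the remaining 35
hex characters of its own SHA-1 locally. The sample response below is
constructed and its counts are fictitious.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of breach appearances for `password` given the range response for its prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network call (not exercised offline); only the 5-char prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample response for prefix 5BAA6 (the prefix of "password").
# The middle suffix is the real SHA-1 suffix of "password"; counts are made up.
SAMPLE_RANGE = """\
0123456789ABCDEF0123456789ABCDEF012:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999999
FEDCBA9876543210FEDCBA9876543210FED:1
"""

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, SAMPLE_RANGE)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in sample range")
```

Because the service never sees more than a 5-character prefix, and a prefix covers hundreds of hashes, the check does not disclose which password was tested even to the service operator.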

We also recommend you limit the use of SMS as a 2FA method if you can. You can instead use app-based one-time codes, such as through Google Authenticator. In this case the code is generated within the Google Authenticator app on your device itself, rather than being sent to you.

However, this approach can also be compromised by hackers using some sophisticated malware. A better alternative would be to use dedicated hardware devices such as YubiKey.

The YubiKey, first developed in 2008, is an authentication device designed to support one-time password and 2FA protocols without having to rely on SMS-based 2FA.

These are small USB (or near-field communication-enabled) devices that provide a streamlined way to enable 2FA across different services.

Such physical devices need to be plugged into or brought into close proximity of a login device as a part of 2FA, therefore mitigating the risks associated with visible one-time codes, such as codes sent by SMS.

It must be stressed an underlying condition to any 2FA alternative is the user themselves must have some level of active participation and responsibility.

At the same time, further work must be carried out by service providers, developers and researchers to develop more accessible and secure authentication methods.

Essentially, these methods need to go beyond 2FA and towards a multi-factor authentication environment, where multiple methods of authentication are simultaneously deployed and combined as needed.



Syed Wajid Ali Shah, Research Fellow, Centre for Cyber Security Research and Innovation, Deakin University; Jongkil Jay Jeong, CyberCRC Research Fellow, Centre for Cyber Security Research and Innovation (CSRI), Deakin University, and Robin Doss, Research Director, Centre for Cyber Security Research and Innovation, Deakin University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Christians Narrowly Escape Flying Bullets in Pakistan


Evangelistic team cheats death; separately, stray gunshot leads to false charges.

RAWALPINDI, Pakistan, July 15 (CDN) — Suspected Islamic extremists fired bullets into the car of a Christian evangelist with impunity last month, while in another Punjab Province town stray gunfire led to two Christians being falsely accused of murder.

Following a youth revival in Essa Nagri, near Faisalabad, the Rev. Kamran Pervaiz, a guest speaker from Rawalpindi, was in the passenger seat of a Toyota Corolla returning to Faisalabad with his team on June 25 when 12 armed men tried to stop their car, the pastor said.

Pastor Naeem Joseph, an organizer of the revival, was leading the ministry team by motorbike, and he led them past the armed men as they reached the Narawala Road bypass at about 1:15 a.m.

“I didn’t stop,” Pastor Joseph told Compass. “A gunshot was fired at me, but it missed, and instead of going straight I turned right towards the Sudhar bypass and took the motorbike into the fields.”

Pervaiz Sohtra was driving the car.

“Rev. Kamran asked me to increase the speed,” Sohtra said. “The armed men shouted to stop and directly fired at the car. I saw from the rearview mirror that they were coming after us, and I told everyone to stay down.”

The rear window suddenly broke to pieces as bullets pierced the car.

“Pervaiz [Sohtra] turned off the lights and took the car into the fields and turned off the engine,” Kamran Pervaiz said. “The attackers drove by, near the road, without noticing the fields. No one was injured. We were all safe.”

Pervaiz said he was certain that they were targeted because of their involvement in the Christian revival meeting; response to Pervaiz’s preaching jumped when a crippled man was healed after the evangelist prayed for him at the event. Muslim groups had warned the Christians to abort the meeting after banners and posters were displayed across Essa Nagri.

“A local Muslim group tore the banners and threatened us, telling us not to organize the meeting or else we would face dire consequences,” said Salman John, one of the organizers.

A police patrol responded to the ministry team’s emergency number phone call, reaching them in the field shortly before 2 a.m. and escorting Pervaiz and the others in their bullet-damaged car to Model Town, Faisalabad.

Pastor Joseph filed an application for a First Information Report (FIR) at Ghulam Muhammad Abad police station in Faisalabad. Acting Superintendent Shabir Muhammad took the application but declined to register an FIR due to pressure from local Muslim groups, he said.

“I am trying to register the FIR, but the things are out of my control at higher levels,” Muhammad told Compass.

 

False Arrest

In Gujrat, by contrast, police soon arrested two young Christian men after shots fired into the air by a drunken man killed a neighbor.

Cousins Saleem Masih, 22, and John Masih, 23, were falsely accused of robbery as well as murder, a later police investigation found, and they were released. Both worked at the farm of Chaudhry Ashraf Gondal, who became inebriated along with friend Chaudhry Farhan on June 18, according to Riaz Masih, father of Saleem Masih.

“They were feasting and then got drunk and started firing gunshots into the air for fun, and one of the bullets hit a passer-by near their home, and he died on the spot,” Riaz Masih said.

Yousaf Masih, father of John Masih, told Compass that when police arrived, Ashraf Gondal “gave them some money and asked them to take care of the matter.”

On June 22, police went to Yousaf Masih’s house asking for Saleem and John Masih. When Yousaf Masih said they were at work and asked if everything was alright, the inspector told him that the two young men had robbed and murdered shopkeeper Malik Sajid on June 18 at about 11:30 p.m.

“My son and Saleem came home around 6 p.m. and they didn’t go out after that,” Yousaf Masih told the officers. “On June 18 they were at home – they didn’t go out, so how could they murder Sajid?”

Police went to Ashraf Gondal’s farm and arrested the two young Christians. When police told Ashraf Gondal that they had robbed and murdered Sajid, he replied that they were capable of such a crime as they often asked him for advances on their pay and “they even sell alcohol.” Alcohol is illegal for Muslims in Pakistan and can be sold only by non-Muslims with a license.

Riaz Masih said he and Yousaf Masih rushed to Ashraf Gondal for help, but that he spoke harshly to them, saying, “Your sons have robbed and murdered an innocent person, and they even sell alcohol. Why should I help criminals, and especially Christian criminals?”

The two fathers went to the police station, where the Station House Officer (SHO) refused to allow them to meet with their sons. They went to Pastor Zaheer Latif.

“I’ve known Saleem and John since they were small kids, and they could never rob or murder anyone,” Pastor Latif told Compass. “They were targeted because they are Christians. The SHO and Ashraf knew that these boys would not be able to prove themselves innocent.”

The pastor referred the fathers to the senior superintendent of police operations officer Raon Irfan, who undertook an investigation. When he spoke with Ashraf Gondal, Irfan said, the landowner denied that Farhan had visited him on June 18.

“I have read the inquiry report by the SHO,” Irfan told Compass. “I am aware of the fact that this SHO is a corrupt person, and it is clearly a false report.”

Irfan said that, after talking with villagers, he concluded that Farhan was with Ashraf Gondal in Gujrat on June 18, and that they shot into the air for fun and one of the bullets killed Sajid.

“Ashraf bribed the SHO to arrest someone else and file charges of robbery and murder,” Irfan said. “Ashraf is an influential person, and he told the SHO to file the case against Saleem and John, as they are Christians and would not be able to prove themselves innocent.”

Advocacy group Peace Pakistan filed an appeal of the false charges with the Gujrat Session Court on June 25. In light of Irfan’s report, Session Judge Muhammad Gulfam Malik on June 27 released Saleem Masih and John Masih and suspended the SHO for corruption and filing a false case.

No action, however, was taken against Ashraf Gondal or Farhan. Police have not arrested either of them.

Report from Compass Direct News

IRAN: THREE CONVERTS ORDERED TO STOP ‘CHRISTIAN ACTIVITIES’


Judge puts them on probation, threatening them with ‘apostasy’ trial.

LOS ANGELES, March 31 (Compass Direct News) – Declaring three Iranian Christians guilty of cooperating with “anti-government movements,” a court in Shiraz on March 10 ordered the converts to discontinue Christian activities and stop propagating their faith.

An Islamic Revolutionary Court judge handed an eight-month suspended prison sentence with a five-year probation to Seyed Allaedin Hussein, Homayoon Shokouhi, and Seyed Amir Hussein Bob-Annari. The judge said he would enforce their prison sentence and try them as “apostates,” or those who leave Islam, if they violate terms of their probation – including a ban on contacting one another.

A new penal code under consideration by the Iranian Parliament includes a bill that would require the death penalty for apostasy.

“The warning that they will be ‘arrested and tried as apostates’ if they continue their Christian activities is quite chilling,” said a regional analyst who requested anonymity.

The Islamic Revolutionary Court was created after Iran’s 1979 revolution to prosecute those suspected of seeking to depose the Islamic regime. The “anti-government movements” referred to by the judge are satellite television stations Love Television and Salvation TV. Unlike the Internet, which is heavily censored in Iran, the two 24-hour satellite TV stations can bypass government information barriers.

Sources said links between the accused and these organizations, however, remain tenuous.

“The TV link came up almost six months after [the original arrests], so it is very new,” said an informed source. “We believe they just made it up, or it is something they want to make appear more important than is the reality.”

The three men were arrested by security forces on May 11, 2008 at the Shiraz airport while en route to a Christian marriage seminar in Dubai. According to a report by Farsi Christian News Network (FCNN), at that time the families of the three men avoided formal charges by agreeing to terms of release, including payment of a bond amount. Details of the terms were undisclosed.

 

Churches Pressured

The sentencing of three converts from Islam follows more than 50 documented arrests of Christians in 2008 alone, and the recent government crackdown includes Christian institutions that minister beyond Iran’s tiny indigenous Christian community.

On March 19, Assyrian Member of Parliament Yonathan Betkolia announced that by order of the Islamic Revolutionary Court, an Assyrian Pentecostal church in Tehran would be closed. According to FCNN, the church in the Shahrara area of Tehran was facing closure because it offered a Farsi-language service attended by converts from Islam.

During a speech following his election to Parliament in October, Betkolia had lauded freedoms accorded to minority groups in Iran, and he has publicly protested the Shahrara church allowing “non-Assyrians” – that is, Muslims – to attend services. The regional analyst said that Betkolia made these pronouncements as the increase in government pressure on the Christian community has put him in a difficult position.

“As a representative of the Assyrian community, a priority for Betkolia is to ensure the preservation of the limited freedoms and relative peace his traditional Christian community enjoys,” said the analyst. “Disassociation from a church which has welcomed believers from a Muslim background should therefore be seen as a form of self-defense.”

The number of Assyrian Christians in the country is estimated at between 10,000 and 20,000, with estimates of Armenian Christians in Iran ranging from 110,000 to 300,000.

Advocacy organization Human Rights Activists in Iran strongly criticized the decision to close the Assyrian church.

“The closing of the church is clearly a violation of human rights,” the organization stated, “because the right to change one’s religion and the right of self-expression are hereby targeted by the Islamic Revolutionary Court.”

The pastor of the Shahrara church has indicated that cancelling Farsi-language services may allow it to continue, though it was unclear at press time whether the congregation’s leadership was willing to make that compromise. FCNN reported in February that church leaders had on some occasions cancelled Farsi-language services at church.  

Report from Compass Direct News