How hackers can use message mirroring apps to see all your SMS texts — and bypass 2FA security


Syed Wajid Ali Shah, Deakin University; Jongkil Jay Jeong, Deakin University, and Robin Doss, Deakin University

It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone.

As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system.

It works too. Figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks.

But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone.

Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB and Westpac.

So what’s the problem with SMS?

Major vendors such as Microsoft have urged users to abandon 2FA solutions that leverage SMS and voice calls. This is because SMS is renowned for having infamously poor security, leaving it open to a host of different attacks.

For example, SIM swapping has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victim’s mobile service provider that they themselves are the victim, and then requesting the victim’s phone number be switched to a device of their choice.

SMS-based one-time codes are also shown to be compromised through readily available tools such as Modlishka by leveraging a technique called reverse proxy. This facilitates communication between the victim and a service being impersonated.

So in the case of Modlishka, it will intercept communication between a genuine service and a victim and will track and record the victim’s interactions with the service, including any login credentials they may use.

In addition to these existing vulnerabilities, our team has found further weaknesses in SMS-based 2FA. One particular attack exploits a feature of the Google Play Store that lets you install apps from the web onto your Android device.

Due to syncing services, if a hacker manages to compromise your Google login credentials on their own device, they can then install a message mirroring app directly onto your smartphone.

If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they’d like automatically onto your smartphone.

The attack on Android

Our experiments revealed a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronise users’ notifications across different devices.

Specifically, attackers can leverage a compromised email/password combination connected to a Google account (such as username@gmail.com) to nefariously install a readily-available message mirroring app on a victim’s smartphone via Google Play.

This is a realistic scenario since it’s common for users to use the same credentials across a variety of services. Using a password manager is an effective way to make your first line of authentication — your username/password login — more secure.

Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly.

For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. After this they can remotely receive all communications sent to the victim’s phone, including one-time codes used for 2FA.

Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.

More importantly, this attack doesn’t need high-end technical capabilities. It simply requires insight into how these specific apps work and how to intelligently use them (along with social engineering) to target a victim.

The threat is even more real when the attacker is a trusted individual (e.g., a family member) with access to the victim’s smartphone.

What’s the alternative?

To remain protected online, you should check whether your initial line of defence is secure. First check your password to see if it’s compromised. There are a number of security programs that will let you do this. And make sure you’re using a well-crafted password.

We also recommend you limit the use of SMS as a 2FA method if you can. You can instead use app-based one-time codes, such as through Google Authenticator. In this case the code is generated within the Google Authenticator app on your device itself, rather than being sent to you.

However, this approach can also be compromised by hackers using some sophisticated malware. A better alternative would be to use dedicated hardware devices such as YubiKey.

[Image: a hand holds up a YubiKey USB device.] The YubiKey, first developed in 2008, is an authentication device designed to support one-time password and 2FA protocols without having to rely on SMS-based 2FA.

These are small USB (or near-field communication-enabled) devices that provide a streamlined way to enable 2FA across different services.

Such physical devices need to be plugged into or brought into close proximity of a login device as a part of 2FA, therefore mitigating the risks associated with visible one-time codes, such as codes sent by SMS.
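Why proximity-based hardware keys resist both the reverse-proxy phishing described earlier and code interception comes down to origin binding: the key signs the service’s challenge together with the web origin the browser actually observed, and the genuine service verifies against its own origin. The following is an added example modelling that property, not code from the article or from any authenticator vendor, and it is a simplification of FIDO2/WebAuthn: an HMAC with a per-device key stands in for the authenticator’s per-site signature key pair, and the origins `https://bank.example` and `https://bank-login.example` are constructed. It contrasts the origin-bound assertion with an SMS code, which carries nothing that ties it to the site it is typed into.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"         # constructed: the genuine service
PROXY_ORIGIN = "https://bank-login.example"  # constructed: look-alike relay site


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Assertion over (origin, challenge). Simplification: HMAC-SHA256 with a
    per-device key stands in for a per-site asymmetric signature."""
    return hmac.new(key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class Authenticator:
    """Model of a hardware key: signs any challenge it is handed, but always
    binds the signature to the origin the browser observed. The key never
    leaves the device."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def assert_login(self, challenge: bytes, observed_origin: str) -> bytes:
        return sign_assertion(self.key, challenge, observed_origin)


class RelyingParty:
    """The genuine service. It verifies against ITS OWN origin, never against
    an origin reported by the client."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys = {}      # user -> registered device key
        self.pending = {}   # user -> outstanding challenge

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def begin_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, tag: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # single use
        if challenge is None or user not in self.keys:
            return False
        expected = sign_assertion(self.keys[user], challenge, self.origin)
        return hmac.compare_digest(expected, tag)


class SmsOtpService:
    """Model of SMS 2FA: the code is a bare number, bound to nothing."""

    def __init__(self) -> None:
        self.pending = {}

    def send_code(self, user: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        return code  # this is what arrives on the phone

    def check(self, user: str, code: str) -> bool:
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


def direct_login(rp: RelyingParty, auth: Authenticator) -> bool:
    """User visits the genuine origin: assertion verifies."""
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", auth.assert_login(challenge, REAL_ORIGIN))


def proxied_login(rp: RelyingParty, auth: Authenticator) -> bool:
    """A reverse proxy relays the genuine challenge, but the victim's browser
    is on the proxy's origin, so that is what the key signs over and the
    genuine service rejects the forwarded assertion."""
    challenge = rp.begin_login("alice")
    tag = auth.assert_login(challenge, PROXY_ORIGIN)
    return rp.finish_login("alice", tag)


def proxied_sms_login(sms: SmsOtpService) -> bool:
    """The same relay against an SMS code succeeds: the code the victim
    types into the relay page is exactly what the genuine service expects."""
    code = sms.send_code("alice")
    return sms.check("alice", code)


if __name__ == "__main__":
    rp, auth = RelyingParty(REAL_ORIGIN), Authenticator()
    rp.register("alice", auth.key)
    print(direct_login(rp, auth), proxied_login(rp, auth), proxied_sms_login(SmsOtpService()))
```

The decisive line is in `finish_login`: the service signs the expected value with `self.origin`, so the only way an assertion verifies is if the user's browser was really on the genuine origin when the key signed. A real WebAuthn relying party also checks the challenge, the RP ID hash and the signature counter in the authenticator data, which this model leaves out.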

It must be stressed that an underlying condition of any 2FA alternative is that users themselves must take some level of active participation and responsibility.

At the same time, further work must be carried out by service providers, developers and researchers to develop more accessible and secure authentication methods.

Essentially, these methods need to go beyond 2FA and towards a multi-factor authentication environment, where multiple methods of authentication are simultaneously deployed and combined as needed.

Syed Wajid Ali Shah, Research Fellow, Centre for Cyber Security Research and Innovation, Deakin University; Jongkil Jay Jeong, CyberCRC Research Fellow, Centre for Cyber Security Research and Innovation (CSRI), Deakin University, and Robin Doss, Research Director, Centre for Cyber Security Research and Innovation, Deakin University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

PAKISTAN: LAWYER THREATENS TO KILL CHRISTIAN CHARGED WITH ‘BLASPHEMY’


Bail denied to Christian activist for his own safety; judge also under fire.

ISTANBUL, May 6 (Compass Direct News) – A Pakistani Christian charged with abetting blasphemy against Islam was denied bail for his own safety last week after an Islamist lawyer allegedly threatened his life in a court hearing.

Hector Aleem, 51, remains in Adiyala Jail in Rawalpindi, near Pakistan’s capital of Islamabad. Judge Mustafa Tanveer dismissed his bail application at a court session on Thursday (April 30).

“If the judge does not punish Aleem according to the law, then [we] will kill him ourselves,” said Tariq Dhamal, an attorney for the unnamed complainant, according to a report by the Centre for Legal Aid Assistance and Settlement (CLAAS).

Police arrested Aleem last November when a Muslim scholar received a text message insulting the Islamic prophet Muhammad. Authorities charged Aleem with blasphemy and abetting blasphemy, sections 295(c) and 109(bb) respectively of the Pakistani criminal code.

Court evidence shows the text message came from an unlisted phone number, not Aleem’s. At an April 25 hearing, Investigating Officer Zafer Ikbal said he had concluded that evidence proved Aleem’s innocence. Ikbal’s investigation, along with a February judicial decision, resulted in charges of blaspheming Islam being dropped. The charge of abetting blasphemy still stands.

Nevertheless, at the April 25 hearing prosecuting attorneys asserted that Aleem was guilty of blasphemy on grounds that “he is a Christian and can make blasphemous comments about the prophet Muhammad,” according to Katherine Sapna, a field officer for CLAAS.

Aleem’s lawyer, Malik Tafik, said he has filed for upcoming hearings to be closed to the public for fear that Muslim fanatics could try to kill his Christian client. Tafik will present another bail application in the high court of Islamabad on May 14.

Tafik, a Muslim, has come under pressure from the Rawalpindi Bar for taking on the case of a Christian accused of blasphemy. The bar has filed an application against him for handling the case.

Dhamal, the lawyer who allegedly made the death threat against Aleem, is a member of Sunni Tehreek, an Islamist political movement involved in violent sectarian clashes in the last decade.

In the April 25 hearing, five lawyers and 180 Islamist protestors gathered around the courthouse. Tafik said he believes the crowds hoped to intimidate the judge into declaring Aleem guilty. More than 100 protestors have congregated at previous hearings, shouting that Aleem’s life would not be spared and he should be handed over to the police.

Tafik said the judge is afraid to rule in favor of Aleem for fear of his life from Rawalpindi Islamists.

“The judge is under pressure and not deciding the case based on merits,” Tafik said. “He is ready to hear on merits, but the lawyers are just [acting] on the basis of Islamization.”

Pakistan’s blasphemy laws have come under heavy fire from international rights groups. Any private citizen can file blasphemy charges, and they have been used in petty disputes as a means of retaliation as they can destroy reputation, livelihood and possibly lead to the death penalty in the conservative Islamic country.

Before his arrest, Aleem led human rights campaigns on behalf of Christians, particularly a land dispute between a congregation and the Rawalpindi Water and Sanitation Agency, which wanted to demolish their church building.

More Muslims than Christians are charged with blasphemy in Pakistan. In 2008 there were 13 cases registered against Muslims in Punjab province, where Aleem resides, and only six against Christians.

Boy Dies

Insulting Islam is a dangerous activity in the conservative nation of 170 million, but with the spread of the Taliban, non-Muslims fear their very existence will make them a target to fundamentalists.

On April 22 Christians in Taiser town, near Karachi, noticed on the walls of their church graffiti that read, “Long Live the Taliban” and calls for Christians to either convert to Islam or pay the jizye, a poll tax under sharia (Islamic law) paid by non-Muslims for protection if they decline to convert.

Armed men arrived on the scene and opened fire on Christians who were erasing the graffiti, injuring five. An 11-year-old boy shot in the attack, Irfan Masih, has reportedly since died from his injuries (see “Taliban-Inspired Attacks Hit Christians,” April 27).

Security forces fear that sectarian violence could erupt in the port city of Karachi. They have banned public gatherings and processions, according to Release International aid agency.

Report from Compass Direct News