People's use of authentication codes to regain access to their online accounts can be exploited by criminals. Researchers at New York University Abu Dhabi have released a study of how such attacks work and the ways to prevent them.
The proliferation of online services for banking, social media, shopping and just about everything else certainly makes life easier.
Buying things, checking account balances and staying in touch with friends involves little more than a few taps of a keyboard and the click of a mouse.
But remembering the passwords for our myriad online accounts can prove difficult, and often we need help to get into our accounts when our memory fails us.
With some accounts, users who forget their password can ask for a verification code to be sent to their mobile phone. The code can be used to regain access to the account.
However, a study by Prof Nasir Memon, who set up the Centre for Cyber Security at New York University Abu Dhabi, and his doctoral student Hossein Siadati has shown that this system is prone to abuse.
The work indicates that there is a significant risk of fraudsters obtaining verification codes – allowing them to gain access to accounts.
A fraudster looking to hack into an account can, relatively easily, activate the mechanism that leads to a verification code being sent to the mobile phone of the person to whom the account is registered. To do this, the fraudster needs to know only the email address associated with the account.
If they also know the user’s mobile phone number (and there are several ways of obtaining a person’s mobile number), they can contact the user to try to get hold of the code. Doing this is known as a social engineering attack.
In their study, the researchers investigated what types of messages from fraudsters are most likely to get users to hand over a verification code.
Published in the Elsevier journal Computers and Security, their work also looked at how the messages that contain verification codes can be designed to minimise the risk of fraud.
“We wanted to explore this scientifically. What’s going on in the user’s mind. We sent them different messages,” said Prof Memon.
To test which “attack messages” are most effective, the researchers recruited a team of adult participants.
So that the experiment mirrored as closely as possible what could happen in the real world, these volunteers did not know that they were going to be targeted in a simulated verification code forwarding attack.
The researchers sent, from their own mobile phones, a verification code to the mobile phones of the participants, none of whom had requested such a code. This first message was followed up with one of a number of “attack messages”, such as, “We have received a complaint of abuse of your Gmail account. Please reply with the verification code we just sent you to receive the details privately”, or, “You have a voicemail on Google Voice. To listen, please reply with the message code we just sent to you”.
Sixteen attack messages were tested and the response rates compared. The attack message that was most effective at getting participants to send the verification code was: “Did you request a password reset for your Gmail account? Delete this message if you did. Otherwise, send ‘Cancel + the verification code we just sent to you’”.
Half of participants responded to this message by sending the verification code, an action which would have put their account at risk of being compromised had the attack been real.
This result shows the importance of designing verification code messages to discourage users from forwarding these messages to fraudsters. In the real world, these messages are often very simple, such as, “Your Google verification code is 109472”. The researchers wanted to find out how effective it was to add various warnings to such messages.
“It’s a very challenging problem because there’s no good way to identify who’s sending you the SMS, and SMSs restrict you to so many characters. You only have so much space to send a safe message, so they understand clearly what’s going on,” said Prof Memon, who works in Abu Dhabi and New York.
For this part of the research, the scientists sent out verification code messages with a number of different warnings in them. The warnings were included either before or after the verification code.
Once these messages were sent out, the researchers sent the same participants the attack message that had proved to be the most potent in the other part of the study.
The results indicated that warnings were most effective when they preceded, rather than came after, the verification code.
One such warning, “Please ignore this message if you did not request a code”, had a susceptibility to attack of just 8 per cent when it was included in the message before the verification code. This susceptibility rate is just a fraction of that seen when the verification codes were sent out without a warning.
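As an added illustration of the design constraint the study describes (a short warning placed before the code, within the character budget of a single SMS), here is a small Python helper that is not part of the researchers' work. The segment limits follow the standard GSM-7 and UCS-2 SMS encoding rules; the warning text and the sample code 109472 are the ones quoted in this article.

```python
"""Compose a one-segment SMS verification message with the warning before the code."""

# GSM 03.38 basic 7-bit character set. Any character outside the basic and
# extension tables forces the whole message into UCS-2, which shrinks a
# single segment from 160 characters to 70.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension-table characters are sent as an escape plus the character: two septets each.
GSM7_EXT = "^{}\\[~]|€"


def sms_segments(text: str) -> int:
    """Return the number of SMS segments `text` occupies on the wire."""
    if all(c in GSM7_BASIC or c in GSM7_EXT for c in text):
        septets = sum(2 if c in GSM7_EXT else 1 for c in text)
        # 160 septets in a single segment, 153 per segment once concatenation headers are added.
        return 1 if septets <= 160 else -(-septets // 153)
    units = len(text.encode("utf-16-be")) // 2
    # 70 UCS-2 characters in a single segment, 67 per segment when concatenated.
    return 1 if units <= 70 else -(-units // 67)


def build_verification_sms(code: str, warning: str, service: str = "") -> str:
    """Put the warning first, then the code, and refuse templates that spill past one segment.

    The study found the warning is read far more often when it precedes the code,
    so the layout is fixed here rather than left to the caller.
    """
    if not code.isdigit():
        raise ValueError("verification code must be numeric")
    label = f"Your {service} verification code is" if service else "Your verification code is"
    body = f"{warning.strip()} {label} {code}"
    segments = sms_segments(body)
    if segments != 1:
        raise ValueError(f"template spans {segments} segments; shorten the warning")
    return body


# Warning wording and sample code as quoted in the article.
WARNING = "Please ignore this message if you did not request a code."

if __name__ == "__main__":
    print(build_verification_sms("109472", WARNING, "Google"))
```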
“We spent quite a lot of time until we understood that users don’t read the warning message when it comes after the Google verification code message, because the screen is small” or the user wasn’t interested in the rest of the message, said Mr Siadati, who is based in New York.
“It was an experimental process of reading the different principles to come up with a warning message that’s short and gives an accurate and meaningful instruction for the user.”
The results showed that the content of the SMS that includes the verification code “can play a critical role in mitigating attacks”, the researchers noted.
They have passed on their results to organisations such as Google that might want to take note of the findings and include warnings in their verification code messages. But, even if such warnings are not included, all of us can take simple measures to ensure that we do not fall victim.
“Just like in the past we said, ‘Be careful about your password, don’t give it to somebody who asks for it’. The same holds true for verification codes. It’s your secret. It’s between you and the service provider,” said Prof Memon.