Are you a client of a bank using two-factor authentication via SMS in Internet banking? Do you have a phone on Android? Do you use the same computer to access Google services and to access Internet banking?
If all three answers are “Yes”, then access to your funds is less protected than it seems at first glance.
Authentication Scheme
First, a caveat about the access scheme considered. The article discusses the following protection offered by banks:
- A login / password pair to access the banking site
- A one-time password (most often numeric), sent via SMS to the client's phone to confirm each operation
Of the four banks I encountered, three used this authentication scheme.
Attacker's scenarios
To steal funds, an attacker needs to know the username / password and have access to the phone that receives the SMS.
He can achieve this by:
- Stealing the login / password pair (for example, together with a laptop) and the phone
- Gaining access to the computer and the phone via a Trojan
- Phishing (disguising a website as the bank's site)
Today the first and third methods inspire the greatest fear. However, the second method should not be discounted either.
The difficulty of this scenario is that the computer and the phone must be infected separately; infecting one does not lead to infecting the other. Infecting two devices is harder than infecting one, which provides additional security.
But in fact, infecting the computer can lead to infecting the Android phone, and connecting the phone to the computer is not required. Let us consider the attack scheme in more detail.
Attack pattern
Google Play offers a convenient mechanism for remote installation of applications on the device. From play.google.com/store, you can remotely install any program on your phone without physical access to it. This significantly reduces the protection offered by SMS authorization: it is enough for an intruder to infect only the computer, and the phone will download and install the malicious application itself.
The scheme itself looks like this:
- The attacker publishes an application on Google Play containing code that forwards SMS messages to a dedicated email address
- The attacker infects the user's machine with a Trojan
- The Trojan opens play.google.com/store and installs the Android application on all of the user's phones
- The Trojan emails the login and password, captured by a keylogger, to the attacker
That's it! Now the thief has the login and password for Internet banking, and the one-time password from the SMS will be delivered to him by the malware installed on the phone. He does not need to look for any vulnerabilities to read the user's SMS correspondence (the Android permissions mechanism suffices, and the Trojan will confirm the permissions from the computer itself), nor to convince the user to install a questionable program manually (the Trojan does everything through the website).
Protection
Unfortunately, I did not find in the Google Play application on my phone any way to forbid installing programs via the web version of the service. Therefore, protection comes down to other ways of making the two factors of two-factor authentication independent of each other:
- Do not use the same Google account on the Android phone that receives banking SMS and on the computer from which you log in to Internet banking
- Do not use Google Play on your phone (some custom firmware ships without it)
- Use a separate phone (not Android) to receive one-time passwords via SMS
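Whichever of these measures you pick, it is worth periodically checking which apps on the SMS-receiving phone currently hold the SMS-reading permissions that the attack above relies on. The script below is an added example, not code from the article; it parses the output of `adb shell dumpsys package` (the sample dump is constructed and abridged, and the field layout is assumed to match a recent Android release) and reports every package granted RECEIVE_SMS or READ_SMS together with the installer that put it on the device.

```python
import re

# Permissions an app needs in order to read one-time passwords delivered by SMS.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample in the layout of `adb shell dumpsys package` output
# (abridged; a real dump carries many more fields per package).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    installerPackageName=com.android.vending
    User 0: installed=true hidden=false
  Package [com.example.flashlight] (4d5e6f):
    installerPackageName=com.android.vending
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
  Package [com.example.chat] (7a8b9c):
    installerPackageName=null
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def sms_capable_packages(dump: str) -> dict:
    """Map each package that currently holds an SMS-reading permission to the
    installer that put it on the device and the SMS permissions granted."""
    packages: dict = {}
    current = None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            packages[current] = {"installer": None, "granted": []}
        elif current is None:
            continue
        elif m := INSTALLER_RE.match(line):
            packages[current]["installer"] = m.group(1)
        elif (m := PERM_RE.match(line)) and m.group(1) in SMS_PERMISSIONS:
            if m.group(2) == "true":
                packages[current]["granted"].append(m.group(1))
    return {p: info for p, info in packages.items() if info["granted"]}

if __name__ == "__main__":
    for pkg, info in sms_capable_packages(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {', '.join(info['granted'])} via {info['installer']}")
```

On a real device, pipe `adb shell dumpsys package` into the function instead of the sample; an SMS-capable package installed by `com.android.vending` that you do not remember installing yourself is exactly the case this article describes.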
Conclusion
Two-factor authentication via SMS is less secure than it seems.