| Field | Value |
|---|---|
| Title | Impact Assessment of Password Reset PRMitM Attack with Two-Factor Authentication |
| Authors | Kota Sasa, Hiroaki Kikuchi |
| English abstract | Two-factor authentication (2FA) is widely used, typically by sending a confirmation message via Short Message Service (SMS). It is believed to be more secure than simple password authentication because it prevents intrusion even if the password has been compromised. However, SMS is used not only for authentication when registering an account but also for resetting passwords. Hence, in 2017, Gelernter proposed the Password Reset Man-in-the-Middle attack (PRMitM), which can take over a user's account by abusing SMS-based two-factor authentication. In this attack, the victim receives a password-reset SMS instead of the authentication message they expect, and enters the reset code into the malicious man-in-the-middle website without recognizing that the code resets the password. Two-factor authentication was believed to improve security; however, it makes the site more vulnerable than before. Even after that publication, not all vulnerable websites addressed the vulnerability, so it is still not clear whether the countermeasures taken were sufficient to prevent victims from being attacked. In this paper, we report the results of a comprehensive investigation of major websites vulnerable to the PRMitM attack. To identify the causes of vulnerability, we conducted experiments with 180 subjects. The SMS-message parameters were "with/without warning", "numeric/alphanumeric code", and "one/two messages", and subjects were observed to see whether they input the reset code into the fake website. We show the successful-attack ratios and the typical behaviors of vulnerable subjects. Among the main results: vulnerable users do not remember whether they have registered accounts, and users who frequently change their passwords are 11.6 times more vulnerable than users who rarely change them. |
| Pages | 2297-2307 |
| Keywords | Two-factor authentication, PRMitM |
| Journal | Journal of Internet Technology (網際網路技術學刊) |
| Issue | December 2019 (Vol. 20, No. 7) |
| Publisher | Taiwan Academic Network (TANet) Management Committee (台灣學術網路管理委員會) |