ERICDATA 高等教育知識庫: Impact Assessment of Password Reset PRMitM Attack with Two-Factor Authentication
Title: Impact Assessment of Password Reset PRMitM Attack with Two-Factor Authentication
Authors: Kota Sasa, Hiroaki Kikuchi
English abstract:
Two-factor authentication, which sends a confirmation message via Short Message Service (SMS), is widely used. Two-factor authentication is believed to be more secure than simple password authentication because it prevents intrusion even if the password has been compromised. However, SMS is used not only for authentication when registering an account but also for resetting passwords. Hence, in 2017, Gelernter proposed the Password Reset Man-in-the-Middle attack (PRMitM), which can take over a user's account by exploiting two-factor authentication via SMS. In this attack, a password reset request is sent via an SMS message instead of the expected authentication request, and the user enters the reset code at the malicious man-in-the-middle website without recognizing that the code resets the password. Two-factor authentication was believed to improve security; however, it makes the site more vulnerable than before. Even after their publication, not all vulnerable websites addressed the vulnerability. Hence, it is still not clear whether these attempts were sufficient to prevent victims from being attacked. In this paper, we report the results of a comprehensive analysis of major websites vulnerable to the PRMitM attack. To identify the causes of vulnerability, we conducted experiments with 180 subjects. The SMS-message parameters were "with/without warning", "numeric/alphanumeric code", and "one/two messages", and subjects were tested to see whether they input the reset code into the fake website. We show the successful-attack ratios and the typical behaviors of vulnerable subjects. Some of the main results are that vulnerable users do not remember whether they have registered accounts, and that users who frequently change their passwords are 11.6 times more vulnerable than users who rarely change them.
Pages: 2297-2307
Keywords: Two-factor authentication; PRMitM
Journal: 網際網路技術學刊 (Journal of Internet Technology)
Issue: December 2019 (Vol. 20, No. 7)
Publisher: 台灣學術網路管理委員會 (Taiwan Academic Network Management Committee)
DOI: 10.3966/160792642019122007026