Enhancing security measures to protect against mobile account takeovers
Computer science researchers in the UK have devised a new method for identifying the security weaknesses that leave people open to account takeover attacks, in which an attacker gains unauthorised access to a victim's online accounts.
Mobile devices now host an intricate ecosystem of interconnected operating software, apps and online accounts. As the links between these services have multiplied, so have the opportunities for attackers to chain vulnerabilities together, often with severe consequences for the device owner.
“The ruse of looking over someone’s shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts,” said Dr Luca Arnaboldi, Assistant Professor of Cyber Security, University of Birmingham.
To understand and prevent these attacks, the researchers had to think like an attacker, who builds a complex attack by chaining together smaller tactical steps.
Dr Luca Arnaboldi of the School of Computer Science at the University of Birmingham worked with Professor David Aspinall from the University of Edinburgh, Dr Christina Kolb from the University of Twente and Dr Sasa Radomirovic from the University of Surrey to develop a method for categorising security vulnerabilities and modelling account takeover attacks by breaking them down into their constituent steps.
Previously, such vulnerabilities were analysed using 'account access graphs', which map the phone, SIM card, apps and the security features (PINs, passwords, recovery codes) that gate each stage of access.
However, account access graphs could not model takeovers in which the attacker detaches a device or app from the account ecosystem, for example by removing the SIM card and inserting it into a second phone. The victim's SMS messages then arrive on the second phone, so the attacker can drive SMS-based password recovery from there.
The researchers addressed this by devising a way to model how account access changes when devices, SIM cards or apps are detached from the account ecosystem.
Their method, grounded in the kind of formal logic used by mathematicians and philosophers, captures the choices open to an attacker who holds the phone and knows its PIN.
The researchers expect device manufacturers and app developers to adopt the approach to catalogue vulnerabilities and better understand complex, multi-step attacks.
The published account also describes how the researchers tested their approach against claims in a Wall Street Journal report, which speculated that an attack strategy used to reach data and bank accounts on an iPhone could be replicated on Android, although no such attacks had been reported.
Android apps are installed from the Play Store, which requires a Google account, and the researchers found that this link provides a degree of protection against the attack. Their work also proposed a security enhancement for iPhones.
“The results of our simulations showed the attack strategies used by iPhone hackers to access Apple Pay could not be used to access Android Pay on Android, due to security features on the Google account. The simulations also suggested a security fix for iPhone – requiring the use of a previous password as well as a pin, a simple choice that most users would welcome,” continued Arnaboldi.
Apple has since introduced a fix for this issue, adding a further layer of protection for iPhone users.
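The modelling described above, as an added example that is not part of the original article or the researchers' own tooling: a small forward-chaining solver over an account access graph, extended with the SIM-detachment move that plain access graphs cannot express, plus a one-knob comparison between a vendor-account reset that needs only the device PIN and one that also demands the existing password. Every fact name, rule, and the assumed effect of a remote lock below is a constructed illustration, not the paper's published graphs and not any real vendor's recovery flow.

```python
"""Toy account access graph with attacker 'detachment' moves (added example).

The facts, rules and ecosystem variants below are a constructed model for
illustration only; they are not the researchers' published graphs and do not
describe any real vendor's recovery flow.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Rule = Tuple[FrozenSet[str], str]          # (premises, conclusion)


def R(conclusion: str, *premises: str) -> Rule:
    """Build one access rule: holding every premise grants the conclusion."""
    return (frozenset(premises), conclusion)


def reachable(facts: Set[str], rules: List[Rule]) -> Set[str]:
    """Forward-chain Horn-style rules to a fixed point: everything the
    attacker can obtain from what they already hold."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for premises, conclusion in rules:
            if conclusion not in known and premises <= known:
                known.add(conclusion)
                changed = True
    return known


def ecosystem(reset_needs_password: bool) -> List[Rule]:
    """Rules for a hypothetical phone ecosystem. The single knob is whether a
    vendor-account password reset from the handset needs the old password or
    only the device PIN (assumed, to mirror the two cases in the article)."""
    reset = ["unlocked_phone", "pin"]
    if reset_needs_password:
        reset.append("account_password")
    return [
        R("unlocked_phone", "phone", "pin"),
        # SMS is readable on the victim's unlocked handset ...
        R("sms", "unlocked_phone", "sim_in_phone"),
        # ... or on any second phone once the SIM has been moved into it.
        R("sms", "second_phone", "sim_in_second_phone"),
        # Assumed: the bank login can be recovered with an SMS code alone.
        R("bank_account", "sms"),
        R("vendor_account", *reset),
        R("mobile_pay", "vendor_account"),
    ]


# Starting position: stolen handset with its SIM, and a shoulder-surfed PIN.
STOLEN_PHONE_AND_PIN: Set[str] = {"phone", "pin", "sim_in_phone"}


def detach_sim(facts: Set[str]) -> Set[str]:
    """Attacker move that plain access graphs cannot express: the SIM leaves
    the victim's phone and goes into a phone the attacker controls."""
    return (set(facts) - {"sim_in_phone"}) | {"sim_in_second_phone", "second_phone"}


def remote_lock(facts: Set[str]) -> Set[str]:
    """Victim's response (assumed effect): the handset can no longer be unlocked."""
    return set(facts) - {"phone"}


def takeover_possible(target: str, rules: List[Rule], facts: Set[str]) -> bool:
    return target in reachable(facts, rules)


def compare_ecosystems(target: str = "mobile_pay") -> Dict[str, bool]:
    """Same attacker, two ecosystems: does a PIN-only reset open the target?"""
    return {
        "pin_only_reset": takeover_possible(target, ecosystem(False), STOLEN_PHONE_AND_PIN),
        "pin_plus_password": takeover_possible(target, ecosystem(True), STOLEN_PHONE_AND_PIN),
    }


def bank_after_remote_lock(sim_moved: bool) -> bool:
    """Does the SMS-recovery route to the bank survive the victim locking the phone?"""
    facts = detach_sim(STOLEN_PHONE_AND_PIN) if sim_moved else STOLEN_PHONE_AND_PIN
    return takeover_possible("bank_account", ecosystem(True), remote_lock(facts))


if __name__ == "__main__":
    print(compare_ecosystems())                                          # {'pin_only_reset': True, 'pin_plus_password': False}
    print(bank_after_remote_lock(False), bank_after_remote_lock(True))  # False True
```

The first comparison reproduces the shape of the article's finding: with phone and PIN in hand, the PIN-only reset hands over the vendor account and therefore the payment app, while requiring the existing password as well cuts that path. The second shows why detachment matters: before the victim reacts, SMS recovery works from the stolen handset either way, but once the handset is locked only the attacker who moved the SIM into a second phone still receives the recovery codes.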
The researchers repeated the exercise on several other devices, including the Motorola G10 running Android 11, the Lenovo YT-X705F on Android 10, the Xiaomi Redmi Note Pro 10 on Android 11 and the Samsung Galaxy Tab S6 Lite, also on Android. Devices that add a manufacturer account alongside the Google account (Samsung and Xiaomi) showed the same weakness as the iPhone: the Google account held, but the manufacturer's own account could be taken over.
The researchers also ran their method over their own devices, with an unexpected result. One of them found that sharing an iCloud account with his wife had weakened his own security: his own settings were as strong as they could be, but her chain of connected devices and accounts was not.