View The Email to Get Hacked: Attacking SMS-Based Two-Factor Authentication

Philipp Markert, Florian Farke, Markus Dürmuth

Who Are You?! Adventures in Authentication (WAY '19). Santa Clara, California, USA, August 11, 2019


Abstract

In the effort to improve the security of their logins, a growing number of online services offer two-factor authentication (2FA). Besides other mechanisms, one-time passwords sent via SMS are still one of the most widely used second factors. We empirically analyzed the top 100 of the Tranco top sites ranking and identified 31 unique online services that provide two-factor authentication. We also evaluated which forms of 2FA are used and found software tokens and SMS to be the most widely used ones. Additionally, we present a phishing attack against Google's SMS-based two-factor authentication that exploits the similarity between the SMS containing the one-time password and the SMS sent as part of Google Gmail's confidential mode. Through this attack, an adversary can obtain the one-time password for the 2FA by luring the victim to a site which mimics the look of the Gmail confidential mode, without adding any steps that are not part of the original protocol flow.


tags: authentication, phishing, two-factor authentication