How hackers can steal your 2FA email account by getting you to sign up for another website

Originally published at: http://boingboing.net/2017/06/22/security-questions-suck.html


In a paper for IEEE Security, researchers from Cyberpion and Israel’s College of Management Academic Studies describe a “Password Reset Man-in-the-Middle Attack” that leverages a bunch of clever insights into how password resets work to steal your email account (and other kinds of accounts), even when it’s protected by two-factor authentication.

Here are the basics: the attacker gets you to sign up for an account on their website (maybe it's a site that gives away free personality tests or whatever). The sign-up process presents a series of prompts, starting with your email address.

As soon as the attacker has your email address, a process on their server visits your email provider, claiming to be you, and initiates an "I've lost access to my email" password reset.

From then on, every question in your signup process for the attacker's service is actually a password reset question from your email provider. For example, if your email provider is known to text your phone with a PIN as part of the process, the attacker prompts you for your phone number, then says, "I've just texted you a PIN, please enter it now." You enter the PIN, and the attacker passes that PIN to your email provider.

Same goes for "security questions" like "What street did you live on when you were a kid?" The email provider asks the attacker these questions, the attacker asks you the questions for the signup process, and then uses your answers to impersonate you to the email provider.

It's a devastating attack that reveals some foundational weaknesses in the standard for password resetting. There are some steps you can take against this: most notably, you can treat all security questions as passwords and generate unique answers for each ("What was your first pet's name?" "2%x5p*TSavmJPlc]&Sd\VBPL@u-Y"). That requires a lot of vigilance on your side, and/or a sophisticated password manager -- and it also requires the sites you're signing up for to accept password-like responses to security questions, allowing you to include punctuation, numbers, etc.

Also: your bank and other high-value targets that offer an app could allow you to use the app for the reset channel, sending one-time passwords to you as a push to the app instead of using SMS. You might inattentively fail to notice that the SMS you get from that new service says, "Here is your Yahoo Mail code" -- but if the code came from your bank's app, it might be more obvious.
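To make the difference between a retypable code and an in-channel confirmation concrete, here is an added Python simulation (not from the article or the paper) of a toy provider with two reset designs: design A texts a six-digit PIN the user is expected to type in somewhere, design B texts a link the user opens on the phone itself, which is the "link to validate the request" idea raised in the replies below. The provider name, account and session labels are constructed.

```python
import hmac
import secrets

class Provider:
    """Toy email provider (constructed for this example) with two password-reset designs."""
    def __init__(self, name):
        self.name = name
        self.pending = {}    # reset_id -> (account, secret delivered over SMS)
        self.sessions = {}   # session or device id -> account it now controls

    def start_reset(self, account, design):
        reset_id = secrets.token_hex(8)
        if design == "code":
            # Design A: a six-digit PIN the user is expected to retype somewhere.
            secret = f"{secrets.randbelow(10**6):06d}"
            sms = f"{secret} is your {self.name} code"
        else:
            # Design B: confirmation happens on the provider's own site; nothing to retype.
            secret = secrets.token_urlsafe(24)
            sms = (f"{self.name}: a password reset was requested for {account}. "
                   f"If that was you, open https://{self.name}.example/reset/{secret} on this phone.")
        self.pending[reset_id] = (account, secret)
        return reset_id, sms

    def submit_code(self, reset_id, requester, code):
        """Design A: whichever session started the reset gets the account if the PIN matches."""
        account, secret = self.pending.pop(reset_id)
        if hmac.compare_digest(secret, code):
            self.sessions[requester] = account
            return True
        return False

    def open_link(self, token, device):
        """Design B: the account goes to the device that opened the link, not to the requester."""
        for reset_id, (account, secret) in list(self.pending.items()):
            if hmac.compare_digest(secret, token):
                del self.pending[reset_id]
                self.sessions[device] = account
                return True
        return False

def reset_outcome(design):
    """The relay described above: the user feeds whatever the SMS carries into a third-party form."""
    mail = Provider("examplemail")
    reset_id, sms = mail.start_reset("victim@examplemail.example", design)
    if design == "code":
        # The user reads the digits off the phone and types them into the signup form,
        # which submits them from the session that requested the reset.
        typed = next(tok for tok in sms.split() if tok.isdigit())
        mail.submit_code(reset_id, requester="signup_form_session", code=typed)
    else:
        # Nothing here is meant to be retyped; the user opens the link on the phone itself.
        url = next(tok for tok in sms.split() if tok.startswith("https://"))
        mail.open_link(url.rsplit("/", 1)[1], device="victim_phone")
    return mail.sessions
```

Design B only helps if the user opens the link on their own device rather than copying it into the other site's form; its strength is that the message contains nothing meant to be retyped, so the habit of typing codes into whatever form happens to be open has nothing to feed on.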

The attack allows a weak attacker to take over accounts of many websites, including Google and Facebook and other popular websites we surveyed. We evaluated the attacks and pointed at vulnerabilities and weaknesses of the password reset processes.

Although a simple defense like more detailed SMS messages seems to be enough, our experiments indicate that this is not the case. We designed defenses and evaluated them compared to the existing implementations of Google and Facebook; our experiments show that our proposed defenses improve the security significantly. Finally, to help the many vulnerable websites to test and improve their password reset processes, we created a list of rules and recommendations for easy auditing.

The Password Reset MitM Attack [Nethanel Gelernter, Senia Kalma, Bar Magnezi and Hen Porcilan/IEEE Security]

(via 4 Short Links)


Yes folks, your interwebs aren’t safe.


I’ve been pressing the Citizens Advice Bureau off and on for some years to implicate companies who allow unsubscription which does not work for many.

The pin passed to your phone needs to have a link to validate the request as well.

This seems to be another attack vector targeted at a very specific audience of people who are hungry enough for shitty free online fluff services to go through multi-factor authentication. I can barely get people in my office to agree to 2FA to use our Mailchimp account…

This highlights one reason SMS is a poor form of 2FA, but there are plenty of others. This attack won’t work with token-based 2FA, since they’d have to ask the user to enter the token for the provider they’re hacking, and hopefully at that point the user realises something is wrong.


There are some steps you can take against this: most notably, you can treat all security questions as passwords and generate unique answers for each

This is exactly what I do and I have unique responses for each site that I keep stored away. When I started using long hashes for passwords it seemed a really bad idea to use a low entropy response that might be publicly discoverable for something that is essentially a password.

Yeah it is a pain but it seemed worth it.

I also use my own domains so I’m about to start using unique hashes for account recovery emails, like twitter-YVYB7VEbKjJ.vvpR@blah.com, so it is even harder to mass grab accounts.


Maybe not obligatory, but highly recommended xkcd

That is true but all it takes is a determined troll that suddenly decides you are interesting.

When I think about these problems I do think about who I’m defending against. If it is a state actor I know I’m fucked and there isn’t much I can do. If it’s a 4chan troll I can at least do some due diligence to make it harder for them.

The other day I got one of those telemarketing scammers and I started to argue and make fun of the guy for ripping off old ladies. I actually got to the guy and I started to receive phone calls from him every 10 minutes. He started to patch my call into some random outgoing calls so I would get the abuse from them. I had a bit of fun explaining to some random people who these scammers were and how they work. I did realize at this point this guy was angry and had my cellphone number so he could start fucking with me even more than prank calls for a few hours.


This would still be useful for resetting a non-2FA account, wouldn’t it? Just without the SMS confirmation.

I also use my own domains so I’m about to start using unique hashes for account recovery emails, like twitter-YVYB7VEbKjJ.vvpR@blah.com, so it is even harder to mass grab accounts.

An excellent idea!

I’m looking for a tool to use with my own domains that would work like Throttle.
Ideally, integrate with LastPass, generate unique usernames and recovery emails.
