https://www.helpnetsecurity.com/2024/01/22/safeguard-against-mobile-account-takeovers/
Help Net Security, January 22, 2024

New method to safeguard against mobile account takeovers

Computer science researchers have developed a new way to identify security weaknesses that leave people vulnerable to account takeover attacks, where an attacker gains unauthorized access to online accounts.

Most mobiles are now home to a complex ecosystem of interconnected operating software and apps, and as the connections between online services have increased, so have the possibilities for hackers to exploit the security weaknesses, often with disastrous consequences for their owners.

“The ruse of looking over someone’s shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts,” said Dr Luca Arnaboldi, Assistant Professor of Cyber Security, University of Birmingham.

To understand and prevent these attacks, researchers had to get into the mind of the hacker, who can build a complex attack by combining smaller tactical steps. Dr Luca Arnaboldi from Birmingham’s School of Computer Science worked with Professor David Aspinall from the University of Edinburgh, Dr Christina Kolb from the University of Twente, and Dr Sasa Radomirovic from the University of Surrey to define a way of cataloguing security vulnerabilities and modelling account takeover attacks by reducing them to their constituent building blocks.

Until now, security vulnerabilities have been studied using ‘account access graphs’, which show the phone, the SIM card, the apps, and the security features that limit each access stage. However, account access graphs do not model account takeovers in which an attacker disconnects a device, or an app, from the account ecosystem by, for instance, taking out the SIM card and putting it into a second phone. As SMS messages will then be visible on the second phone, the attacker can use SMS-driven password recovery methods.

The researchers overcame this obstacle by developing a new way to model how account access changes as devices, SIM cards, or apps are disconnected from the account ecosystem. Their method, which is based on the formal logic used by mathematicians and philosophers, captures the choices faced by a hacker who has access to the mobile phone and the PIN. The researchers expect this approach to be adopted by device manufacturers and app developers who wish to catalogue vulnerabilities and further their understanding of complex hacking attacks.

The published account also details how the researchers tested their approach against claims made in a Wall Street Journal report, which speculated that an attack strategy used to access data and bank accounts on an iPhone could be replicated on Android, even though no such attacks had been reported. Apps for Android are installed from the Play Store, and installation requires a Google account; the researchers found that this connection provides some protection against attacks. Their work also suggested a security fix for iPhone.

“The results of our simulations showed the attack strategies used by iPhone hackers to access Apple Pay could not be used to access Android Pay on Android, due to security features on the Google account. The simulations also suggested a security fix for iPhone – requiring the use of a previous password as well as a pin, a simple choice that most users would welcome,” continued Arnaboldi.

Apple has now implemented a fix for this, providing a new layer of protection for iPhone users.

The researchers repeated this exercise across other devices (Motorola G10 Android 11, Lenovo YT-X705F Android 10, Xiaomi Redmi Note Pro 10 Android 11, and Samsung Galaxy Tab S6 Lite Android). Here they found that the devices that had their own manufacturer accounts (Samsung and Xiaomi) had the same vulnerability as Apple – although the Google account remained safe, the bespoke accounts were compromised.

The researchers also used their method to test the security on their own mobile devices, with an unexpected result. One of them found that giving his wife access to a shared iCloud account had compromised his security – while his security measures were as secure as they could be, her chain of connections was not secure.
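The following is an added illustration, not the researchers' own model or code: a toy account access graph in which each asset is reachable from any one of several credential sets, plus a rewiring step that stands in for a disconnection (the SIM moved into a second phone) or for a fix (the Apple ID reset requiring the previous password as well as the PIN). All asset names and rules are constructed assumptions; the point is that plain reachability misses the takeover that the disconnection enables, and shows which fix closes it.

```python
from typing import Dict, FrozenSet, List, Set

# Access graph: asset -> alternative credential sets; holding every credential
# in any one alternative grants the asset (a disjunction of conjunctions).
Graph = Dict[str, List[FrozenSet[str]]]

def reachable(graph: Graph, have: Set[str]) -> Set[str]:
    """Everything an attacker can obtain from what they hold (least fixed point)."""
    got = set(have)
    changed = True
    while changed:
        changed = False
        for asset, alternatives in graph.items():
            if asset not in got and any(req <= got for req in alternatives):
                got.add(asset)
                changed = True
    return got

def rewire(graph: Graph, asset: str, rules: List[FrozenSet[str]]) -> Graph:
    """Copy of the graph with one asset's access rules replaced. Used both for a
    disconnection (SIM moved to another phone) and for a defensive fix."""
    g = {k: list(v) for k, v in graph.items()}
    g[asset] = rules
    return g

# Constructed toy ecosystem; names and rules are illustrative assumptions.
BASE: Graph = {
    "sim": [frozenset({"phone"})],                     # physical possession of the handset
    "sms": [frozenset({"phone", "pin"})],              # read on the unlocked phone
    "bank": [frozenset({"sms"})],                      # SMS-driven password recovery (simplified)
    "apple_id": [frozenset({"phone", "pin"})],         # passcode alone resets the account password
    "apple_pay": [frozenset({"apple_id"})],
    "google_account": [frozenset({"phone", "pin", "google_password"})],  # extra secret required
    "android_pay": [frozenset({"google_account"})],
}
# Disconnection: with the SIM in a second phone, SMS no longer needs the victim's PIN.
SIM_SWAPPED = rewire(BASE, "sms", [frozenset({"sim"})])
# The fix the article describes: previous password as well as the PIN.
PATCHED = rewire(BASE, "apple_id", [frozenset({"phone", "pin", "previous_password"})])

def takeover(graph: Graph, have: Set[str],
             targets=("bank", "apple_pay", "android_pay")) -> Set[str]:
    """Which high-value accounts fall to an attacker holding `have` in this graph."""
    return {t for t in targets if t in reachable(graph, have)}
```

Comparing `takeover(BASE, {"phone"})` with `takeover(SIM_SWAPPED, {"phone"})` shows the takeover that a static access graph cannot see, and `takeover(PATCHED, {"phone", "pin"})` shows the Apple Pay path closed while the Google-backed path was never open.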