iPhone SMS 2-Factor Authentication Bypass


SMS 2-factor authentication has been implemented by a number of security-conscious organisations, including banks, to secure online transactions. SMS 2-factor authentication has had a major impact in reducing online fraud. This is because an attacker must not only capture the victim's username and password to log in to their bank account, but they must now also have the victim's phone to receive the SMS 2-factor authentication token. This restricts the number of possible attackers dramatically.

This security control has been around for a while now and has been very successful. With the introduction and dramatic increase in the number of smartphones available these days, such as iPhones and Androids, the effectiveness of this security control is slowly decreasing. Why?

Previously, a user would log in to their internet banking on their laptop, and then receive the SMS token on a separate device (their mobile). The attacker may be able to capture the username and password of the victim, but they are unable to capture the SMS token. Nice and secure.

Now we find that users are logging into their internet banking on their smartphone, and then receiving the SMS token on the same device. This means that an attacker who has hacked the victim's smartphone, most likely via a malicious website, is now able to capture the username, password, and SMS token all on the one device. Doh!

I have put together a quick demonstration video performing this attack. The victim's iPhone has already been compromised and the attacker has remote command line access on the iPhone. Take a look below.

Enjoy,
Ty





jkramz bartolaba   10/20/11 10:54

I was looking forward to this post coming out. I may have missed it, but I never stop finding your blogs and posts. Thanks for taking the time and sharing your ideas, thoughts and perspective, which readers can learn something from.
I just hope you will continue doing what you are doing now. I love your blog and your every post.

shekhar   06/20/11 07:32

very nice blog
