Thursday, May 2, 2024

New measures to counter mobile phone security weakness


Science & Technology, UK (Commonwealth Union) – Researchers have stated that, in order to comprehend and thwart these attacks, they needed to delve into the thought processes of hackers, who construct intricate attacks by amalgamating smaller tactical maneuvers. Many law enforcement agencies and detectives investigating crimes similarly attempt to crack cases by thinking like a criminal and predicting their moves.

Computer science experts have devised a novel method to pinpoint security vulnerabilities that expose individuals to the risk of account takeover attacks, where unauthorized access is gained to online accounts.

The majority of mobile devices now host a sophisticated ecosystem comprising interconnected operating software and apps. With the growing interconnections between online services, hackers find increased opportunities to exploit security weaknesses, often resulting in dire consequences for the account owner.

To grasp and counteract these attacks, researchers had to gain insight into the hacker’s mindset, as they adeptly assemble complex attacks through the combination of smaller tactical steps.

Dr. Luca Arnaboldi, affiliated with Birmingham’s School of Computer Science, collaborated with Professor David Aspinall from the University of Edinburgh, Dr. Christina Kolb from the University of Twente, and Dr. Sasa Radomirovic from the University of Surrey. Together, they established an innovative approach for categorizing security vulnerabilities and constructing models for account takeover attacks. This involved breaking down these attacks into their fundamental components.

“The ruse of looking over someone’s shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the Apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts,” said Dr. Arnaboldi.

Researchers of the study pointed out that traditionally, security vulnerabilities were analyzed using ‘account access graphs,’ depicting elements such as phones, SIM cards, apps, and security features, delineating each stage of access.

However, the existing method failed to capture account takeovers in which an assailant disconnects a device or app from the account ecosystem, for example by removing a SIM card from one phone and inserting it into another. In this scenario, SMS messages become visible on the second device, enabling the attacker to exploit SMS-driven password recovery methods.

To address this limitation, the researchers devised a novel approach to model changes in account access when devices, SIM cards, or apps are detached from the account ecosystem.
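The gap described above can be shown with a toy access graph. This is an added example, not the researchers' formalism or code; the node names, the rules and the recovery chain are constructed for illustration. It compares what a holder of a locked phone can reach when the graph is static with what becomes reachable once detaching the SIM is modelled.

```python
from typing import FrozenSet, Iterable, List, Set, Tuple

# A rule says: whoever holds every item in `needs` also gains `target`.
Rule = Tuple[str, FrozenSet[str]]

def rule(target: str, *needs: str) -> Rule:
    return (target, frozenset(needs))

# Constructed static access graph: everything hangs off the unlocked phone.
STATIC_RULES: List[Rule] = [
    rule("unlocked_phone", "phone", "phone_pin"),
    rule("sms_inbox", "unlocked_phone"),
    rule("email_account", "sms_inbox"),      # SMS-driven password recovery
    rule("shop_account", "email_account"),   # recovery link sent by e-mail
]

# Constructed detachment rules: the SIM can leave the phone without the PIN,
# and its messages then appear on whichever handset it is inserted into.
DETACH_RULES: List[Rule] = [
    rule("sim_card", "phone"),
    rule("sms_inbox", "sim_card", "second_phone"),
]

def derive(initial: Iterable[str], rules: List[Rule]) -> List[str]:
    """Return newly gained items, in the order a fixed-point pass finds them."""
    owned: Set[str] = set(initial)
    gained: List[str] = []
    changed = True
    while changed:
        changed = False
        for target, needs in rules:
            if target not in owned and needs <= owned:
                owned.add(target)
                gained.append(target)
                changed = True
    return gained

def newly_exposed(initial: Iterable[str], base: List[Rule],
                  extra: List[Rule]) -> Set[str]:
    """Items reachable only once the extra (detachment) rules are modelled."""
    start = list(initial)
    return set(derive(start, base + extra)) - set(derive(start, base))

if __name__ == "__main__":
    holder = {"phone", "second_phone"}       # locked phone, no PIN
    print("static model:    ", derive(holder, STATIC_RULES))
    print("with detachment: ", derive(holder, STATIC_RULES + DETACH_RULES))
    print("missed by static:", sorted(newly_exposed(holder, STATIC_RULES, DETACH_RULES)))
```

Anything returned by `newly_exposed` is an account path that a review based only on the static graph would not flag.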

Utilizing formal logic employed by mathematicians and philosophers, their methodology delineates the decisions confronted by a hacker with access to both a mobile phone and its corresponding PIN.

This innovative approach, presented in the Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS 23), is anticipated to be embraced by device manufacturers and app developers seeking to systematically document vulnerabilities and enhance their comprehension of intricate hacking scenarios.

The research publication elucidates how the proposed methodology was rigorously tested in response to assertions in a Wall Street Journal report. The report had hypothesized the replication of an attack strategy, originally targeting data and bank accounts on an iPhone, for use on Android devices, even though such incidents had not been reported.

In the Android ecosystem, where apps are sourced from the Play Store and installation mandates a Google account, the researchers observed that this connection affords a degree of protection against potential breaches. Furthermore, their findings proposed a security solution for iPhones.

“The results of our simulations showed the attack strategies used by iPhone hackers to access Apple Pay could not be used to access Android Pay on Android, due to security features on the Google account. The simulations also suggested a security fix for iPhone – requiring the use of a previous password as well as a pin, a simple choice that most users would welcome,” said Dr. Arnaboldi.

Apple has recently introduced a solution that adds an additional security layer for iPhone users.

The researchers replicated this investigation on various devices, including Motorola G10 running Android 11, Lenovo YT-X705F with Android 10, Xiaomi Redmi Note Pro 10 running Android 11, and Samsung Galaxy Tab S6 Lite with Android. In this analysis, it was discovered that devices linked to their respective manufacturer accounts (Samsung and Xiaomi) exhibited a vulnerability similar to Apple’s. While the Google account remained secure, the bespoke accounts were noted as being compromised.
