Verification Code Forwarding Attack

Verification Code Phishing Attack

We investigated a phishing attack in which attackers bypass two-factor authentication by luring users into forwarding to the attackers the verification codes they receive via SMS. We found an attack that can lure 50% of users into giving up their verification codes. We also found that our robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google’s standard two-factor verification code messages.

Publications:

  1. Hossein Siadati, Toan Nguyen, Payas Gupta, Nasir Memon, Markus Jakobsson, Mind your SMSes: Mitigating Social Engineering in Second Factor Authentication, Computers & Security, Volume 65, March 2017, Pages 14–28
  2. Hossein Siadati, Toan Nguyen, Nasir Memon, Verification Code Forwarding Attack, PasswordsCon, University of Cambridge, December 2015


Media:

  1. Verification code or cyber attack? NYU Press Release
  2. Researchers find vulnerability in two-factor authentication, phys.org
  3. Vulnerability found in two-factor authentication, Homeland Security News Wire