We investigated a phishing attack in which attackers bypass two-factor authentication by luring users into forwarding to them the verification codes delivered via SMS messages. We found an attack that can lure 50% of users into giving up their verification codes. We also found that our robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google’s standard two-factor verification code messages.
- Hossein Siadati, Toan Nguyen, Payas Gupta, Nasir Memon, Markus Jakobsson, Mind your SMSes: Mitigating Social Engineering in Second Factor Authentication, Computers & Security, Volume 65, March 2017, Pages 14–28
- Hossein Siadati, Toan Nguyen, Nasir Memon, Verification Code Forwarding Attack, PasswordsCon, University of Cambridge, December 2015