SMS verification codes at risk of fraud, Abu Dhabi study finds

People’s use of authentication codes to regain access to their online accounts can be exploited by criminals. Researchers at New York University Abu Dhabi have released a study of how such attacks work and the ways to prevent them.
The proliferation of online services for banking, social media, shopping and just about everything else certainly makes life easier.
Buying things, checking account balances and staying in touch with friends involves little more than a few taps of a keyboard and the click of a mouse.
But remembering the passwords for our myriad online accounts can prove difficult, and often we need help to get into our accounts when our memory fails us.
With some accounts, users who forget their password can ask for a verification code to be sent to their mobile phone. The code can be used to regain access to the account.
However, a study by Prof Nasir Memon, who set up the Centre for Cyber Security at New York University Abu Dhabi, and his doctoral student Hossein Siadati has shown that this system is prone to abuse.
The work indicates that there is a significant risk of fraudsters obtaining verification codes – allowing them to gain access to accounts.
A fraudster looking to hack into an account can, relatively easily, activate the mechanism that leads to a verification code being sent to the mobile phone of the person to whom the account is registered. To do this, the fraudster needs to know only the email address associated with the account.
If they also know the user’s mobile phone number, and there are several ways of obtaining a person’s mobile number, they can contact them to try to get hold of the code. Doing this is known as a social engineering attack.
In their study, the researchers investigated what types of messages from fraudsters are most likely to get users to hand over a verification code.
Published in the Elsevier journal Computers and Security, their work also looked at how the messages that contain verification codes can be designed to minimise the risk of fraud.
"We wanted to explore this scientifically. What’s going on in the user’s mind. We sent them different messages," said Prof Memon.
To test what are the most effective "attack messages", the researchers recruited a team of adult participants.
So that the experiment mirrored as closely as possible what could happen in the real world, these volunteers did not know that they were going to be targeted in a simulated verification code forwarding attack.
The researchers sent, from their own mobile phones, a verification code to the mobile phones of the participants, none of whom had requested such a code. This first message was followed up with one of a number of "attack messages", such as, "We have received a complaint of abuse of your Gmail account. Please reply with the verification code we just sent you to receive the details privately", or, "You have a voicemail on Google Voice. To listen, please reply with the message code we just sent to you".
Sixteen attack messages were tested and the response rates compared. The attack message that was most effective at getting participants to send the verification code was: "Did you request a password reset for your Gmail account? Delete this message if you did. Otherwise, send "Cancel + the verification code we just sent to you".
Half of participants responded to this message by sending the verification code, an action which would have put their account at risk of being compromised had the attack been real.

Source: The National