IT Matters
Computer science researchers have developed a new way to identify security weaknesses that leave people vulnerable to account takeover attacks, where a hacker gains unauthorised access to online accounts.
Most mobiles are now home to a complex ecosystem of interconnected operating software and apps, and as the connections between online services has increased, so have the possibilities for hackers to exploit the security weaknesses, often with disastrous consequences for their owner.
Luca Arnaboldi, from the University of Birmingham’s School of Computer Science, explains: “The ruse of looking over someone’s shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the Apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts.”
To understand and prevent these attacks, researchers had to get into the mind of the hacker, who can build a complex attack by combining smaller tactical steps.
Luca Arnaboldi worked with professor David Aspinall from the University of Edinburgh, Christina Kolb from the University of Twente and Sasa Radomirovic from the University of Surrey to define a way of cataloguing security vulnerabilities and modelling account takeover attacks, by reducing them their constituent building blocks.
Until now, security vulnerabilities have been studied using ‘account access graphs’, which shows the phone, the SIM card, the Apps, and the security features that limit each stage of access.
However, account access graphs do not model account takeovers, where an attacker disconnects a device, or an App, from the account ecosystem by, for instance, by taking out the SIM card and putting it into a second phone.
As SMS messages will be visible on the second phone, the attacker can then use SMS-driven password recovery methods.
The researchers overcame this obstacle by developing a new way to model how account access changes as devices, SIM cards, or Apps are disconnected from the account ecosystem.
Their method, which is based on the formal logic used by mathematicians and philosophers, captures the choices faced by a hacker who has access to the mobile phone and the PIN.
