There’s a new way to identify security weaknesses and vulnerabilities to account takeover attacks, where hackers gain unauthorized access to online accounts. According to Dr Luca Arnaboldi, from the University of Birmingham’s School of Computer Science, “The ruse of looking over someone’s shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the Apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts.”
The research team had to “think like a hacker” to build a complex attack by combining small tactical steps. They found a way of cataloging security vulnerabilities and modeling account takeover attacks by reducing them to building blocks. Previously, vulnerabilities were studied using ‘account access graphs,’ showing the phone, the SIM card, the apps, and the security features that limit each stage of access.
This process doesn’t work to model account takeovers, where an attacker disconnects a device or an app from the account ecosystem by, for instance, taking out the SIM card and putting it into a second phone. As SMS messages will be visible on the second phone, the attacker can then use SMS-driven password recovery methods.
Instead, they modeled how account access changes as devices, SIM cards, or Apps are disconnected from the account ecosystem, capturing the choices faced by a hacker with access to the mobile phone and the PIN.
The researchers expect device manufacturers and app developers who want to catalog vulnerabilities and further understand complex hacking attacks will adopt this system.
Interestingly, the researchers used their method to test the security on their own mobile devices, with an unexpected result. One found that giving his wife access to a shared iCloud account compromised his security – while his security measures were as secure as they could be, her chain of connections were not.