View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication


Philipp Markert, Florian Farke, and Markus Dürmuth | Santa Clara, California, USA | WAY 2019 | August 11, 2019


SLIDE 1

Philipp Markert, Florian Farke, and Markus Dürmuth

View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication

Santa Clara, California, USA | WAY 2019 | August 11, 2019

SLIDE 2

Two-Factor Authentication


SLIDE 4

  • 2FA Adoption
  • Gmail Confidential Mode
  • Attacking Google’s 2FA
  • Are there alternatives?

SLIDE 5

2FA Adoption

SLIDE 6

Analyzed top 100 websites*

  • 25 no login: 75 left
  • 18 duplicates: 57 left
  • 26 no 2FA: 31 offer 2FA

* Le Pochat et al. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. NDSS ’19

SLIDE 7

31 websites offer 2FA: 25 (81%), 7 (23%), 24 (77%)

SLIDE 8

Gmail Confidential Mode


SLIDE 12

Email

Tonight’s door code: long long short long

SLIDE 13

Link

Tonight’s door code: long long short long

https://confidential-mail.google.com/msg/...

SLIDE 14

Link

Tonight’s door code: long long short long

2FA Confidential Mode

SLIDE 15

Attacking Google’s 2FA

SLIDE 16

alice@gmail.com pw: wonderland

SLIDE 17

  • 1. Email

SLIDE 18

  • 1. Email

https://confidential-mail.google.com/msg/…
https://confidential-mail.oscar.com/msg/...

SLIDE 19

  • 1. Email

SLIDE 20

  • 1. Email
  • 2.
  • 3. Login
  • 4.
  • 5. G-123456
  • 6. G-123456

Confidential Mode

SLIDE 21

Are there alternatives?

SLIDE 22

  • 1. Improve the text of the SMS

2FA

Confidential Mode

SLIDE 23

  • 1. Improve the text of the SMS

SLIDE 24

  • 1. Improve the text of the SMS

SLIDE 25

  • 2. Use a Software Token

SLIDE 26

  • 3. Use a Hardware Token

SLIDE 27

31 websites offer 2FA 25 (81%) 7 (23%) 24 (77%)

alice@gmail.com pw: wonderland

SLIDE 28

Philipp Markert, Florian Farke, and Markus Dürmuth

View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication

Santa Clara, California, USA | WAY 2019 | August 11, 2019