Creative Defense to Stop Mobile Phone ‘Account Takeover’ Attacks Invented

BIRMINGHAM, United Kingdom — Computer scientists are hoping to stay one step ahead of hackers. A group of researchers in the United Kingdom has developed an innovative approach to protect against the increasing threat of mobile phone “account takeover” attacks. This is where hackers illegally gain access to online accounts, often leading to significant personal and financial harm.

The heart of modern mobile phones lies a complex web of interconnected software and apps. This complexity, unfortunately, opens up multiple avenues for cybercriminals to exploit security weaknesses. Understanding and thwarting these attacks requires delving into the mindset of a hacker, who orchestrates complex attacks through smaller, tactical steps.

“The ruse of looking over someone’s shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the Apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts,” says study author Dr. Luca Arnaboldi, an assistant professor of cyber security at the University of Birmingham, in a university release.

The team's focus was to catalog security vulnerabilities and model account takeover attacks by breaking them down into simpler components.

Previously, experts used “account access graphs” to study security vulnerabilities. These graphs illustrate how phones, SIM cards, apps, and various security features interact at each stage of access. However, these graphs fall short in modeling account takeovers. An attacker, for instance, could remove the SIM card and place it in a different phone, thus redirecting SMS messages and enabling SMS-driven password recovery methods.

To address this gap, researchers developed a new modeling approach based on formal logic — a method used by mathematicians and philosophers. This method helps capture the choices a hacker faces when they have access to a mobile phone and its PIN. This research is expected to be a valuable tool for device manufacturers and app developers. It aims to help them catalog vulnerabilities and deepen their understanding of complex hacking strategies.

The team also tested their method against speculative claims made in a Wall Street Journal report. This report suggested that an attack strategy used on iPhones to access data and bank accounts could be replicated on Android devices, despite no reported incidents. The study found that the connection to a Google account on Android devices offers some protection against such attacks. The research also proposed a security enhancement for iPhones: requiring a previous password in addition to a PIN, a measure that Apple has since implemented.

“The results of our simulations showed the attack strategies used by iPhone hackers to access Apple Pay could not be used to access Android Pay on Android, due to security features on the Google account,” explains Dr. Arnaboldi. “The simulations also suggested a security fix for iPhone — requiring the use of a previous password as well as a pin, a simple choice that most users would welcome.”

Further testing on various devices, including Motorola G10, Lenovo YT-X705F, Xiaomi Redmi Note Pro 10, and Samsung Galaxy Tab S6 Lite, revealed a common vulnerability in devices with manufacturer-specific accounts, similar to the issue found in Apple devices. However, the Google account remained secure.

An intriguing discovery emerged when the researchers applied their method to their personal devices. Dr. Arnaboldi found that sharing an iCloud account with his wife inadvertently compromised his security, highlighting the importance of individual security practices. Dr. Arnaboldi is now utilizing his expertise in academic consultancy, collaborating with major corporations and internet-based companies to bolster their defenses against hacking.

The study is published in the Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS 23).