Computer science researchers have introduced a novel method to detect security vulnerabilities, addressing the risk of account takeover attacks where hackers gain unauthorized access to online accounts, as reported in Tech Xplore.
In the contemporary digital landscape, researchers note that mobile devices serve as the hub for a complex network of interconnected operating systems and apps. The proliferation of online services has expanded the avenues for hackers to exploit security vulnerabilities, posing significant risks to users.
Account Takeover Attacks
Account takeover attacks occur when unauthorized individuals gain access to someone else's online accounts, such as email, social media, or financial accounts.
In these attacks, the perpetrators aim to impersonate the account owner, potentially leading to various malicious activities, including identity theft, unauthorized transactions, or the compromise of sensitive information.
Dr. Luca Arnaboldi from the University of Birmingham's School of Computer Science elucidates, "The ruse of looking over someone's shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the Apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts."
To comprehend and thwart these attacks, researchers needed to delve into the mindset of hackers capable of constructing intricate assaults through the amalgamation of smaller tactical maneuvers.
Collaborating with Professor David Aspinall from the University of Edinburgh, Dr. Christina Kolb from the University of Twente, and Dr. Sasa Radomirovic from the University of Surrey, Dr. Luca Arnaboldi devised a methodology to categorize security vulnerabilities and simulate account takeover attacks by breaking them down into their constituent building blocks.
Traditionally, security vulnerabilities have been examined through "account access graphs," illustrating the phone, the SIM card, the apps, and the security features that restrict each access stage, according to the research team.
Read Also: Influence of Algorithms: How Social Media Feeds Make Us Passive Consumers
New Approach to Handling Attacks
The traditional account access graphs fail to account for scenarios where attackers disconnect a device or app from the account ecosystem, such as by removing the SIM card and inserting it into another phone. This action exposes SMS messages on the second phone, allowing the attacker to exploit SMS-driven password recovery methods.
To address this limitation, researchers developed a novel method, grounded in formal logic akin to that used by mathematicians and philosophers. This method effectively captures the decisions confronting a hacker with access to the mobile phone and the PIN.
Anticipating its adoption by device manufacturers and app developers, the researchers believe their approach will aid in cataloging vulnerabilities and enhancing comprehension of intricate hacking attacks.
The study also outlines how the researchers tested their method against claims in a Wall Street Journal report, examining the potential replication of an attack strategy targeting iPhone data and bank accounts on Android.
While no such attacks were reported, the study suggests a security improvement for iPhones, acknowledging the protective role of the connection between Android apps and Google accounts.
The study's findings were published in Computer Security-ESORICS 2023.
Related Article: AI Can Simulate Tree Growth and Shape in Response to Their Environments, Researchers Discover
