Countering Smartphone ‘Account Takeover’ Attacks
Account takeover attacks consist of a hacker gaining unauthorized access to online accounts. Computer science researchers developed a new way to identify security weaknesses that leave people vulnerable to such attacks.
Nowadays, most smartphones contain a complex ecosystem of interconnected operating software and Apps, and as the connections between online services have increased, so have the opportunities for hackers to exploit security weaknesses, often with disastrous consequences for the owner.
Dr. Luca Arnaboldi from the University of Birmingham’s School of Computer Science explains: “The ruse of looking over someone’s shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the Apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts.”
The researchers worked to define a way of cataloging security vulnerabilities and modeling account takeover attacks by reducing them to their constituent building blocks.
According to Techxplore, security vulnerabilities have so far been studied using “account access graphs,” which show the phone, the SIM card, the Apps, and the security features that limit each stage of access. However, account access graphs do not model account takeovers, where an attacker disconnects a device, or an App, from the account ecosystem.
An example of this type of attack can include the malicious actor taking out the SIM card and putting it into another device, which can then be used for SMS-driven password recovery methods.
The researchers overcame this obstacle by developing a new way to model how account access changes as devices, SIM cards, or Apps are disconnected from the account ecosystem. Their method captures the choices faced by a hacker who has access to the mobile phone and the PIN.
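To make the modelling idea concrete, here is an added example (my own code, not from the paper or this article): a small AND/OR account access graph in Python whose closure shows which accounts an attacker holding the phone and the PIN can reach, and which single security feature, if any, cuts every path to a given account. The node names and rules are a constructed toy ecosystem, assumed for illustration only.

```python
from typing import Dict, FrozenSet, Set

# Access rules: node -> alternative ways to obtain it; each way is a set of
# nodes that must ALL already be held (an AND/OR access graph).
Rules = Dict[str, Set[FrozenSet[str]]]

def _way(*nodes: str) -> FrozenSet[str]:
    return frozenset(nodes)

# Constructed toy ecosystem (assumption; node names are not from the paper).
TOY_RULES: Rules = {
    "sim": {_way("phone")},                    # SIM can be taken out of the phone
    "sms_code": {_way("sim")},                 # SIM in another handset still gets SMS
    "unlocked_phone": {_way("phone", "pin")},  # screen lock guards the phone only
    "mail_app": {_way("unlocked_phone")},
    "shop_account": {_way("mail_app"), _way("sms_code")},  # reset by e-mail OR SMS
    "bank_account": {_way("unlocked_phone", "bank_pin")},  # needs a separate secret
}

def reachable(rules: Rules, held: Set[str]) -> Set[str]:
    """Least fixed point: keep adding nodes for which some way is fully held."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for node, ways in rules.items():
            if node not in held and any(way <= held for way in ways):
                held.add(node)
                changed = True
    return held

def single_cut_points(rules: Rules, start: Set[str], target: str) -> Set[str]:
    """Nodes whose removal alone makes `target` unreachable from `start`.

    An empty result (with `target` reachable) means every single guard is
    bypassed by an alternative path, so the defence must cover several nodes.
    """
    if target not in reachable(rules, start):
        return set()
    cuts: Set[str] = set()
    for node in set(rules) | start:
        if node == target:
            continue
        trimmed = {n: ways for n, ways in rules.items() if n != node}
        if target not in reachable(trimmed, start - {node}):
            cuts.add(node)
    return cuts

if __name__ == "__main__":
    attacker = {"phone", "pin"}  # phone in hand, PIN shoulder-surfed
    print(sorted(reachable(TOY_RULES, attacker)))
    print(sorted(single_cut_points(TOY_RULES, attacker, "shop_account")))
```

In the toy graph, only physical possession of the phone is a single cut point for the shop account: the PIN is bypassed by the SIM-removal path, which is exactly the kind of disconnection the new model captures.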
In the study published in Computer Security—ESORICS 2023, the researchers also tackle the claim that the same attack strategy can be used to access data and bank accounts on an iPhone as well as an Android. The researchers explain that installing apps on an Android device is done through the Play Store (which requires a Google account) – a connection that provides some protection against attacks. Their work also suggested a security fix for the iPhone that Apple has since implemented, providing a new layer of protection for iPhone users.
When repeating this exercise on other smartphones, the researchers found that the devices that had their own manufacturer accounts (like Samsung and Xiaomi) had the same vulnerability as Apple—while the Google account was safe, the manufacturer accounts were compromised.