
The Password Reset MitM Attack, translated (Google Translate): Password Reset Man-in-the-Middle Attack

The Password Reset MitM Attack

Abstract—We present the password reset MitM (PRMitM) attack and show how it can be used to take over user accounts. The PRMitM attack exploits the similarity of the registration and password reset processes to launch a man in the middle (MitM) attack at the application level. The attacker initiates a password reset process with a website and forwards every challenge to the victim who either wishes to register in the attacking site or to access a particular resource on it.

The attack has several variants, including exploitation of a password reset process that relies on the victim's mobile phone, using either SMS or phone call. We evaluated the PRMitM attacks on Google and Facebook users in several experiments, and found that their password reset process is vulnerable to the PRMitM attack. Other websites and some popular mobile applications are vulnerable as well.

Although solutions seem trivial in some cases, our experiments show that the straightforward solutions are not as effective as expected. We designed two secure password reset processes and evaluated them on users of Google and Facebook. Our results indicate a significant improvement in the security.

Since millions of accounts are currently vulnerable to the PRMitM attack, we also present a list of recommendations for implementing and auditing the password reset process.

I. INTRODUCTION

A password is the primary and most popular mechanism for account protection. Users of web-services all use passwords to prevent unauthorized parties from accessing their accounts. For decades, this key role of passwords in the security world has attracted many hackers and security researchers.

The first computers had no need for passwords, and physical obstacles were the only security countermeasures. The need for passwords appeared with the rise of shared environments. Initially, passwords were saved in plain text. The first cases of password theft introduced the need for other solutions, such as using encryption, hashing, and salt.

Despite the improvements in secure password storage techniques, attackers still hack databases and get information about users and their hashed passwords. The attackers then try to break the passwords offline using classical attacks like brute force or dictionary attacks.

Even the most secure password storage will not help a user who chooses a weak password. Unfortunately, many users tend to choose easy to remember but also easy to guess passwords. To prevent users from making this kind of mistake, many websites force their users to use strong passwords, or at least give them an indication about the strength of their password. Enforcing strong passwords by applying restrictions to the user passwords and providing indications about the strength of the password were shown to be effective. In addition to the strong password requirement, web-services such as banks, which allow sensitive operations, often force their clients to change their passwords frequently. Choosing a strong password and ensuring it is securely stored are imperative to maintaining account security. However, these efforts are not worth much if the password reset process is vulnerable to attacks.

The fact that many users tend to forget their passwords has raised the need for password reset mechanisms. Paradoxically, the security requirements for choosing strong unique passwords and periodically replacing them only make password forgetting more common. Today, most of the websites with a password-based login system allow users to reset a lost password.

Password resetting is a challenging process. The website needs to ensure that the user can prove her identity without that password. Most websites rely on the email address of the victim, e.g., by sending a reset password link to the email address that was used to register the website account. However, this becomes much more challenging for the very important websites that provide the email services.

Websites that cannot reset passwords via email address, and websites that support cases in which the user lost access to a registered email account, offer alternative ways to reset the password. These websites use security questions or other communication channels such as mobile phone to authenticate the user before she receives the option to reset her password.

This paper shows that existing password reset processes in many popular websites are vulnerable to attacks by a weak attacker. In particular, we characterize, research, and evaluate a new attack, which we call password reset man-in-the-middle (PRMitM).

In a basic PRMitM attack, a user accesses the website of an attacker to get a resource, e.g., free software. The attacker requires the user to log in for free in order to access the resource. During the registration process, or via other cross-site attacks, the attacker gets the email address of the victim. Then, on the server side, the attacker accesses the email service provider website and initiates a password reset process. The attacker forwards every challenge that he gets from the email service provider to the victim in the registration process. In the other direction, every "solution" that is typed by the victim in the registration process is forwarded to the email service provider. That way, the cross-site attacker is actually a man in the middle of a password reset process.

Some of the challenges the attacker may come up against when he tries to reset a user's password are CAPTCHA challenges, security questions, and a code that is sent to the mobile phone. Figure 1 illustrates a basic PRMitM attack.

Counterintuitively, websites that rely only on sending a password reset message code to the user's mobile phone are sometimes more vulnerable to the attack. This is because the attacker can launch the PRMitM attack on them even in scenarios that are simpler than registration to a website.

We explore and analyze the different password reset SMS messages sent by popular websites to their users as well as password reset using phone calls.

We surveyed the password-reset mechanism of the most popular websites and of other popular email service providers, and analyzed how vulnerable they are. Our findings show that popular websites are vulnerable to PRMitM attacks, some of them very severely.

For example, we found that Google, the most popular website in the world, is extremely vulnerable to PRMitM attacks that exploit Google password reset using a phone call. We also evaluated the PRMitM attack using SMS messages on Facebook, the world's second most popular website. Beyond Google and Facebook, we found vulnerabilities in Yahoo!, LinkedIn, Yandex and other email services. We also discovered additional problems that occur in other websites and analyzed PRMitM vulnerabilities in mobile messaging applications like WhatsApp and Snapchat.

Beyond the surprisingly high number of vulnerable popular services, our findings include several problems, some of them surprising, that have not been considered before in the design of a secure password-reset process:

1) Informative password-reset messages do not prevent exploitation of users, mainly because many users ignore the text and just copy the code.

2) Users might be vulnerable to the attack, depending on their language settings. This is either due to differences in the content of password-reset messages in different languages or due to services that provide services in several languages, but send password-reset messages in another language.

3) The PRMitM attack can be used to take over accounts of very popular websites (e.g., Facebook) given minimal information about the user (e.g., phone number only). This allows easy exploitation in additional scenarios (not registration).

As existing designs of password-reset processes are vulnerable, we designed secure password reset processes using SMS and phone calls. We then evaluated their effectiveness on real Facebook and Google users with excellent results, mainly compared to the poor results achieved by their current mechanisms. We summarize our work with a list of recommendations for testing and improving the security of password reset processes in many websites.

A. Contributions

We make the following contributions: 1) Introduce the PRMitM attack, a new attack that exploits bad design of the password-reset process in websites and applications. 2) Evaluate the PRMitM attack on Google and Facebook, the two most popular websites in the world. 3) Review the password reset processes of many popular websites and compare the different approaches. 4) Explore further and identify similar vulnerabilities in popular mobile applications. 5) Design secure password reset processes using SMS and phone calls, and evaluate them on Google and Facebook users. This was necessary, as our experiments indicated that in some cases, the straightforward solutions are not effective enough (see Experiment 2). 6) List recommendations for the secure design of the password reset process. Given the number of popular websites affected, this list is critical for quickly patching the vulnerabilities.

Our work has already helped several popular services improve the security of their password reset process. We believe it will help many other websites protect their users.

B. Organization

We begin with a description of the adversary model in Section II; this section also includes a survey that justifies the practicality of this model. In Section III, we describe the basic PRMitM attack. In Sections IV and V, we present and evaluate PRMitM attacks on password reset processes using SMS and phone calls, respectively. Section VI shows that the PRMitM attack can also be launched on some mobile applications. Section VII presents possible defenses and evaluates them, and Section VIII discusses related work. The last two sections summarize our findings in a list of recommendations that can be used by websites to test and improve their password reset processes.

C. Ethics

Our institutes have no ethics committee. Nevertheless, we followed common sense and advice from experts to conduct the research ethically.

We reported our findings to the vulnerable vendors. Vendors that are severely vulnerable to the PRMitM attack either fixed the vulnerability (Snapchat, Yahoo!) or informed us that they plan to fix the vulnerability (Google, LinkedIn and Yandex). Other websites, which are less vulnerable (e.g., Facebook), thanked us and told us they will consider using our findings in the future, but they do not plan to apply fixes soon.

In the experiments we conducted, we avoided accessing information we did not get from the participants in advance. We also did not take over their accounts or change anything in their accounts. Additionally, we did not keep any private information beyond the final results (e.g., whether the attack succeeded or not).

D. Methodology Challenges and Limitations

This paper presents a set of attacks and evaluates them in different settings. Although the attack exploits a vulnerability in the design of the password-reset process, the attack includes interaction with users. Hence, we extensively rely on user studies and surveys. In total, 536 participants took part in the surveys and the experiments that were done in this research; each of them participated in only one experiment or survey.

The need for many participants for both the surveys and the experiments was a technical challenge for us. Moreover, the nature of most of the experiments made this challenge even harder. As our experiments simulate versions of the PRMitM attack, we preferred to rely on volunteers who would feel free to leave the experiment at any step. If participants get money, they might feel obligated to complete the experiment.

Like many other studies on related topics like phishing and password security, we decided to rely on students from our institute. Although it is preferable to conduct larger user studies also on other populations, like other researchers, we believe that conducting all the experiments and the surveys with students gives good and reliable results that are relevant also for other populations. Other alternatives like Amazon Mechanical Turk workers (which is not available in our country) are not better, as there are many common characteristics to the users there.

Except for the ages of the students, which were used to make sure that all the participants are adults, we did not collect any private information about the participants, as we did not think that this is necessary for the results. Of course, all the participants are required to be web users; otherwise, they cannot be used to evaluate the situations discussed in this paper. Like in most of the departments in our institute, the ages of the students in all the experiments ranged between 18 and 35, almost uniformly.

II. ADVERSARY MODEL

To launch a PRMitM attack, the attacker only needs to control a website; no MitM or eavesdropping capabilities are required. The attacker attacks visitors of his website and takes over their accounts in other websites. This is similar to cross-site attacks like cross-site scripting, cross-site request forgery, and clickjacking. We extend the discussion on the differences from cross-site attacks and from phishing in Section II-B.

In order to initiate the password reset process for a website in the name of the victim, the attacker needs basic pieces of information; these include items such as username, email, or phone number. This information can be extracted from the victim by the attacker during a registration process to the attacking website (Section III) or before some operations like file download, when the victim is required to identify herself using her phone.

For some websites, the attacker may be able to use cross-site attacks such as cross-site scripting, cross-site script inclusion, or newer techniques to gather details about the user. However, the use of these techniques implies restrictions, e.g., the user must be logged into the attacked website (see below for more details).

In addition to a visit to the attacker's website, the attacking page has to lure the victims into registering or inputting their phone number to get a code. To do that, the attacker can apply known and common methods. For example, the attacker can create a website that offers (or claims to offer) free services, e.g., streaming or file downloads. The website can require basic authentication (prove you are not a bot) before accessing some or all the services, or restrict them only to registered users. Section II-A shows that this requirement is reasonable.

A. Personal Details in Unknown Websites

Our attack is based on the assumption that users will agree to register or to have a one-time code sent to their phone in order to enjoy services online. Although it would be good for the attacking website to provide valuable services to attract potential victims, in practice, the attacking website can only claim it is offering such services.

To test this assumption we conducted an anonymous survey among students in our institute. In the short survey, we asked participants whether they would agree to either register to a website or prove they are human using their phone, or both options, in order to use common online services such as file downloads for free.

Among 138 participants, only 6 claimed they would never register for unknown websites or give their phone number, no matter what free services are offered. Of the participants, 60.9% said they would agree to use both options. An additional 27.5% would only agree to register, and the remaining 7.2% would only agree to identify themselves using their phone.

These results strengthen our assumption and show that the adversary model, in which victims register or authenticate themselves using their phones, reflects a common situation on the web.

Some of our colleagues were surprised by the willingness of users to use their phone number. For ethical reasons, we could not create a website with attractive content, and a fake website would not do the job. Hence, we conducted a simulation with the participation of another 99 students.

In this simulation, we described a website that stores files and requires a valid phone number to download them. The verification is done via SMS code, and the user is only required to insert his phone number.

We asked the participants whether they would agree to insert their phone number to receive the files in which they are interested. Of these, 39.4% said they would insert their phone number immediately, and 14.1% said they would first try to obtain the files via friends or via online SMS services. An additional 18.2% said they would insert their phone number only if they really needed the files (rather than just wanting them). In total, 71.7% of the participants would agree to insert their phone number.

B. Comparison to Cross-Site Attacks and Phishing

Visiting a malicious page might expose the user to several attacks. If the browser or one of its plugins has security bugs, an attacker could exploit these bugs to take over the entire machine. However, finding such bugs is considered a difficult task. Once a critical zero-day bug is discovered, it is quickly patched by popular browser vendors such as Chrome and Firefox.

Other risks come from vulnerabilities in the websites themselves, although it is challenging to find security bugs in popular websites. An attacker who wants to take over an account using classical web attacks like XSS or CSRF has to intensely explore each of its target websites. Without finding a vulnerability it is hard to know for sure whether the website is vulnerable or not. Unlike PRMitM, in cross-site attacks users must also be authenticated to the attacked website.

On the other hand, more interaction between the attacking page and the victim is required to launch PRMitM attacks. Unlike clickjacking and some XSS attacks, where only a few clicks are required, in PRMitM attacks the victim is required to perform an operation in the attacking page and to insert at least a single minimal correct piece of information about herself, e.g., a phone number.

The need to insert private information is similar to phishing attacks in websites. However, in phishing attacks, the attacking page impersonates a legitimate website and tricks the victim into inserting her credentials (username and password). In PRMitM attacks, the victim is only required to give personal information (e.g., phone number) that users agree to give in order to get some services (see Section II-A).

Sophisticated phishing attacks might also follow a similar application-level MitM approach to imitate legitimate websites during the entire login process. Such a MitM approach might also overcome 2-factor authentication schemes, as the victim inserts codes and passwords into the phishing website. Hence, one might miss the most significant difference between phishing and PRMitM attacks: the vulnerability itself. Namely, for each of the attacks, there is a different answer to the question: what is being exploited?

Phishing attacks exploit the users; there is no bug in the design of the attacked website and the attacker exploits unwary users who ignore indications given to them by the browsers. On the other hand, PRMitM attacks exploit bugs in the design of the password-reset process.

The greatest challenge of the phishing attacker is the impersonation of another website. Users with minimal understanding can detect phishing attempts by carefully checking the site URL and whether HTTPS is on. Other anti-phishing solutions make the launch of phishing attacks harder also against other users. The PRMitM attack obviates the need for impersonation; it can be launched naturally from every website.

As the PRMitM attack exploits a server-side design bug, depending on the severity of the vulnerability, there is no chance for the users and other client-side defenses (e.g., browser built-in mechanisms or extensions) to detect the attack. Table I summarizes the comparison.

III. MITM IN PASSWORD RESET PROCESS

This section describes the basic password reset MitM (PRMitM) attack, and presents the challenges and difficulties of the attacker. This section also surveys the mechanisms used by popular websites during the password recovery process.

Password Reset MitM Attack

The basic PRMitM attack exploits the similarity between the registration process and the password reset process. In both processes, it is common to solve CAPTCHA challenges, answer security questions, get a confirmation link to the email, or to type in a code that is sent to a phone number. Hence, the attacker can take challenges from a password reset process of a user, and present them to her as legitimate challenges during the registration process.

We now describe the attack in detail. For simplicity, we describe the attacked website as the email service provider of the victim. When a user initiates a registration process in the attacker's website, the attacker either asks the user to identify herself with her email address or launches another cross-site attack to extract it.

Once the attacker knows the victim's email address, he already knows both her email service provider and her username in this service. The attacker initiates a password reset procedure against the attacked website with the email address of the victim. The attacker acts as a man in the middle between the victim user and the attacked website in the password reset procedure.

The attacker forwards almost every challenge (see Section III-C) from the attacked website to the victim under the cover of the registration process. This process is illustrated in Figure 1. Given the email address of the victim, the attacker can similarly initiate a password reset process in the name of the victim in other websites, e.g., Facebook.

Challenges

We now discuss the four most common challenges that the attacker may encounter during the password reset process. The challenges are described from the easiest to the most difficult.

1) CAPTCHA Challenges: CAPTCHA challenges do not aim to prevent an attacker from resetting the password, but rather aim to prevent the attacker from doing this automatically. A human attacker should be able to solve CAPTCHA challenges just like a human victim. However, to launch the PRMitM attack on a larger scale it is necessary to solve them automatically. Therefore, the PRMitM attacker forwards the CAPTCHA challenges to the victim users, and forwards the solutions submitted by them back to the attacked website.

2) Security Question: Another identification challenge is presented by security questions. During the registration, users are sometimes asked to answer personal question(s) that will be used to identify them in case the password is lost or forgotten. When the attacker receives a security question in the password reset process, he can just forward this question to the victim who is currently registering to the attacker's website. The attacker will forward the user's answer on to the attacked website.

3) Code to the Mobile Phone: Authentication can be done via one of three approaches: (1) something you know (e.g., password), (2) something you are (e.g., fingerprints), and (3) something you have (e.g., a special token device or a phone). Therefore, when users forget their password, many websites allow them to authenticate themselves via something they have, like a mobile phone. This is usually done by sending a message with a password reset code to the phone of the user via SMS. Some websites also support an automated phone call to the user, in which the code is given. The user is required to insert this code in order to change her password. In Section IV, we analyze the different messages sent by popular websites and show that it is possible to launch a PRMitM attack also in this case. In Section V, we show that phone calls are also vulnerable to the attack.

4) Reset Link to the Email: The most common countermeasure involves sending a link to reset the password to the victim's email address. To bypass this mechanism, the attacker must be able to access data in the email account of the victim; therefore, the PRMitM attack cannot be applied on websites that allow password reset only by sending a reset link to the email. Unfortunately, this option is usually not relevant for the email services themselves. Moreover, relying only on this option blocks password recovery when users have lost access to their email account.

Challenges in Popular Websites

We surveyed the challenges used during the password reset process by the most popular websites in the world. Table II summarizes the findings. The 10 most popular websites support password reset using the user's email account, and most of them allow password reset using a phone as an alternative.


Google is the only one that also supports security questions, and three of them require solving a CAPTCHA in addition to one of the first two challenges.


We also surveyed popular email services, because those have difficulty offering an email-based password recovery process. Email services are usually very sensitive; by obtaining access to the victim's email account, an attacker can further reset the passwords of other websites.


The challenges used by popular email services that do not appear in Table II are summarized in Table III. We chose only email services to which we could register, all of them from the USA, Russia, India, and Germany.



Among these 10 email services, we found that Yandex, one of the most popular websites in the world, mail.com, gmx.com and reddif.com allow password recovery by only answering a security question and solving a CAPTCHA. In Yandex, this option is possible only for users who did not input their phone and alternative email. This makes these websites vulnerable to a simple variant of the PRMitM attack, in which the attacker only forwards the security question and the CAPTCHA challenge to the victim to solve, and then takes over the account.


Google also supports password recovery using security questions. However, Google's mechanism is mainly based on activities done by the user in the account, and on other parameters like the IP address and the browser used by the requester. Although Google also uses general security questions in some cases, the PRMitM attack alone cannot be used to overcome the security questions. See also Section VII-A.


Clearly, most of the popular websites and email services support authentication using a mobile phone. In Sections IV and V, we show that sending the password reset code by SMS or phone call is also vulnerable to attack.


Evaluation: PRMitM with Security Question


As some websites still allow password reset that relies on security questions, we conducted a small user study (Experiment 1) to test whether or not users provide the correct answers for such questions. Since popular websites do not rely on security questions, we could not recruit participants and simulate a real attack on their accounts.

Yet, under the assumption that users who give the correct answer in a low-importance website would also correctly answer their security question in more reputable websites, the experiment should offer a good indication. Although not analyzed in this experiment, users who give the same wrong answer to both the attacked and the attacking websites are vulnerable to the attack.

EXPERIMENT 1: Correctness of security question's answer.


Experiment process. Participants were asked to register to a website in order to perform a short experiment. During the registration process, they were asked to type their email address, and only then, to answer a classical security question: What is your mother's maiden name? Once the users completed the registration, we asked them whether the answer they just typed was correct.

Ethics. We did not save any private data about the participants. We only saved the answer distribution of the last question.

Participants. 52 volunteer students from our institute.

Results. Although registering to a low-importance website, 76.9% of the participants provided the correct answer to the security question.

Bonneau et al. conducted a larger survey with the participation of 1500 users. There, 37% of the participants reported that they gave a wrong answer to the security question when registering on their primary email account. Beyond the population and the number of participants, the difference in the results can be due to the experiment process.

In our experiment, the users answered a security question; in that survey, the users were only asked about a registration that probably occurred several years ago. It is surprising that the survey did not include statistics about users that do not remember their answers. For example, the authors of this paper do not even remember if they were asked to answer a security question during their registration to Gmail.

Even if only 63% of the population are vulnerable to the attack, this is still a high percentage and an indicator of the problem of relying on security questions.


IV. PRMITM VIA SMS

Popular websites also usually offer mechanisms for password recovery to users who lost access to their email account. The problems with security questions and the popularity of mobile phones have made authentication using mobile devices a preferred option for password recovery (e.g., see Tables II and III). The most common way to authenticate a user via mobile phone is by sending a code to the device. The user then has to insert the received code into the website to reset the password.


Unfortunately, in some cases, when the reset code is sent by SMS, the PRMitM attack is still possible. The attacker asks the victim for her phone number, claiming that a code will be sent to it. Then the attacker initiates a password reset process using this phone number in the attacked website, causing this website to send an SMS with a password reset code to the victim's phone. The victim receives the expected message, and may type the code in the attacking page. Now, the attacker can complete the password reset process.


The attacker can even trick the user into disclosing her password reset code under simpler conditions. Unlike security questions, a code to the mobile phone is not used solely for registration and password recovery. While email addresses can be generated easily and for free by bots, mobile numbers are harder and more expensive to attain. Therefore, sending a code to a mobile device is a reasonable way both to prove that users are not bots and to prevent overuse by users. Instead of the registration process, the attacker can ask the user to insert a code sent to her mobile phone before accessing a resource or downloading a file.


In the rest of this section we discuss the problems with password reset using SMS (Section IV-A), survey this mechanism in popular websites (Section IV-B), and ultimately evaluate the attack on Facebook users (Section IV-C).


A. Limitations of Password Reset Using SMS


We identified several problems with sending a password reset code via SMS. While the first problem is inherent, we found additional problems that appear in some of the websites and can be easily fixed.


Unclear message. SMS is limited to 160 ASCII characters, and there are at least 3 pieces of information that should appear in each message in addition to the password reset code: (1) the sending website, (2) an explanation of the code's meaning (password reset), and (3) a warning to avoid disclosing the code to anyone else. Most of the websites are aware of the need to include these three elements. As evidence, they include all of them (and more) in emails that are sent to reset a password. Yet, the length limitation and the desire to avoid sending multiple SMS messages prevent them from sending the optimal message.


Sender identity. SMS spoofing is the process of setting the sender of SMS messages to a value that is not the originating mobile number. The sender can be set to another number or to alphanumeric text. Usually, SMS messages are sent from numbers that are not known to the users. Using SMS spoofing, the sending companies can give the user an indication about the sender. However, we noticed that some of them do not use this option at all, or they use it with a sender name that is non-informative. In spite of that, the importance of using an informative sender identity seems to be minor compared to the content of the message; see the results analysis of Experiment 2.


Token validity period. When a code is given, the user can use it only during a limited time period. However, this time period varies between websites, and can be anywhere from 15 minutes to 24 hours. In the PRMitM attack, this time slot is critical. Ideally, the attacker would like to reset the password as late as possible. An attacker who gets the code at noon would prefer to reset the password late at night, when the user is sleeping.


Language compatibility. Many websites offer services in many languages, but some do not send the SMS message in the supported language. Users who cannot read and understand the text, but can only identify the code, become exposed to the attack. Namely, users who get a message in an unfamiliar language can read the code, but not the attached text. In such cases, an informative warning text becomes irrelevant.

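As an added example (not code from the paper or from any of the surveyed sites), the following Python composes a reset SMS that carries the three elements named above within a single GSM-7 or UCS-2 segment, caps the code's validity window, refuses unsupported languages instead of sending an unreadable warning, and audits an existing message of the kind listed in Table IV; the site name, code, templates and keyword lists are constructed assumptions. Sender identity is a carrier-side setting and is not modelled here.

```python
# Per-language templates (constructed). Each names the site, states that the
# code is for a PASSWORD RESET and tells the user never to disclose it.
TEMPLATES = {
    "en": "{site}: {code} is your PASSWORD RESET code. Never share it; we will "
          "never ask you for it. Expires in {mins} min.",
    "de": "{site}: {code} ist Ihr Code zum PASSWORT ZURÜCKSETZEN. Niemals "
          "weitergeben. Gültig {mins} Min.",
}
PURPOSE_WORDS = {"en": ("password reset",), "de": ("passwort zurücksetzen",)}
WARNING_WORDS = {"en": ("never share", "do not share"), "de": ("niemals weitergeben",)}
MAX_VALIDITY_SECONDS = 15 * 60  # a code captured at noon must be useless by night

# GSM 03.38 basic table (one septet each) and extension table (two septets each).
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXT = set("^{}\\[~]|€")

def fits_single_sms(text):
    """True if text fits one segment: 160 GSM-7 septets or 70 UCS-2 characters."""
    if all(c in GSM7_BASIC or c in GSM7_EXT for c in text):
        return sum(2 if c in GSM7_EXT else 1 for c in text) <= 160
    return len(text) <= 70  # any other character forces UCS-2 encoding

def build_reset_sms(site, code, lang, validity_seconds=MAX_VALIDITY_SECONDS):
    """Return the message text; refuse to send an unreadable, over-long or
    long-lived message rather than silently dropping the warning."""
    if lang not in TEMPLATES:
        raise ValueError(f"no template for language {lang!r}")
    if validity_seconds > MAX_VALIDITY_SECONDS:
        raise ValueError("reset code validity window is too long")
    text = TEMPLATES[lang].format(site=site, code=code, mins=validity_seconds // 60)
    if not fits_single_sms(text):
        raise ValueError("message does not fit in one SMS; shorten the template")
    return text

def audit_reset_sms(text, site, lang):
    """Check a reset SMS for the three required elements (site, purpose,
    warning) and for whether it still fits a single segment."""
    low = text.lower()
    return {
        "names_site": site.lower() in low,
        "states_purpose": any(w in low for w in PURPOSE_WORDS.get(lang, ())),
        "warns_not_to_share": any(w in low for w in WARNING_WORDS.get(lang, ())),
        "single_sms": fits_single_sms(text),
    }
```

Running audit_reset_sms over a generic "Your verification code is ..." message of the kind the survey found flags all three missing elements while confirming it fits in one segment, which is exactly the trade-off the text describes.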

B. Websites Survey


Table IV summarizes the SMS messages sent by popular websites during their password reset process. We also specify which text represented the sender, the code's validity period, and whether the language is adjusted to the user.



The table presents only websites that support multiple languages. The second column shows the English message sent in the SMS by each of the websites.

Unlike common password reset emails, none of the websites' SMS messages included a warning about the danger of disclosing the code. The fact that this message was sent as part of a password reset process appears in only 4 of them. Popular websites like Yahoo and Google have a general message about verification codes. Such a message can be easily abused by a PRMitM attacker. Moreover, unlike their messages in the other lang