Researchers develop new method to identify and counteract account takeover attacks
Computer science researchers in the UK have developed a new method for identifying the security vulnerabilities that expose individuals to account takeover attacks, in which an attacker gains unauthorised access to a victim's online accounts.
In recent years, a growing number of mobile devices in the UK have become the centre of complex ecosystems of interconnected operating software and applications. As the links between online services have increased, so have the opportunities for hackers to exploit security vulnerabilities, often with devastating effects for device owners.
“The ruse of looking over someone’s shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts,” stated Dr. Luca Arnaboldi, Assistant Professor of Cyber Security at the University of Birmingham.
To understand and prevent these attacks, researchers had to explore the mindset of hackers, who can orchestrate complex attacks by combining smaller tactical steps.
Dr. Luca Arnaboldi, from the School of Computer Science at the University of Birmingham, worked with Professor David Aspinall from the University of Edinburgh, Dr. Christina Kolb from the University of Twente, and Dr. Sasa Radomirovic from the University of Surrey. They developed a method to categorise security vulnerabilities and model account takeover attacks by deconstructing them into their basic components.
Previously, security vulnerabilities were studied using ‘account access graphs’, which showed the phone, SIM card, apps, and security features controlling each access point.
However, these graphs were inadequate for modelling account takeovers, where an attacker might disconnect a device or app from the account ecosystem, such as by swapping the SIM card to a different phone. Once the SIM card is in a new phone, the attacker can use SMS-based password recovery methods, as SMS messages are now visible on the new device.
The researchers addressed this issue by introducing a new approach to model how account access changes when devices, SIM cards, or apps are separated from the account ecosystem.
Their method, based on the formal logic used by mathematicians and philosophers, captures the decisions faced by a hacker with access to a mobile phone and its PIN.
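To make the idea of an account access graph concrete, the following is an added illustration, not the researchers' formalism or code. It models assets (phone, PIN, SIM, accounts) as nodes, each reachable once the attacker holds all assets in any one of its prerequisite sets, and computes the closure of what an attacker can reach from a starting position. Two operations stand in for the two points the article makes: `detach_sim` models the SIM being moved to another handset so that SMS recovery codes arrive there without the original phone's PIN, and `harden_cloud_reset` models the mitigation of requiring the previous account password in addition to the PIN. All asset names and rules are constructed for the example.

```python
"""Toy account-access-graph reachability model (constructed illustration)."""
from typing import Dict, FrozenSet, List, Set

# Access rules: target asset -> list of alternative prerequisite sets.
# A target becomes accessible once ALL assets in ANY one alternative are held.
Rules = Dict[str, List[FrozenSet[str]]]

# Constructed example ecosystem: the names are illustrative, not real products.
BASE_RULES: Rules = {
    # Unlocking the handset needs the device and its PIN.
    "unlocked_phone": [frozenset({"phone", "pin"})],
    # SMS codes can be read on the unlocked handset.
    "sms_codes": [frozenset({"unlocked_phone"})],
    # Email: either the password, or SMS-based password recovery.
    "email": [frozenset({"email_password"}), frozenset({"sms_codes"})],
    # Bank: either the password, or recovery via email plus an SMS code.
    "bank": [frozenset({"bank_password"}), frozenset({"email", "sms_codes"})],
    # Cloud account password reset from the unlocked device alone (weak setting).
    "cloud_account": [frozenset({"unlocked_phone"})],
}


def closure(rules: Rules, held: Set[str]) -> Set[str]:
    """Least fixed point: keep adding any asset whose rule is satisfied
    until nothing new becomes reachable."""
    reach = set(held)
    changed = True
    while changed:
        changed = False
        for target, alternatives in rules.items():
            if target not in reach and any(alt <= reach for alt in alternatives):
                reach.add(target)
                changed = True
    return reach


def _copy(rules: Rules) -> Rules:
    return {k: list(v) for k, v in rules.items()}


def detach_sim(rules: Rules) -> Rules:
    """Model the SIM being moved to an attacker-controlled handset: SMS codes
    now arrive there, so the victim's phone and PIN are no longer needed."""
    new = _copy(rules)
    new.setdefault("sms_codes", []).append(frozenset({"sim", "attacker_phone"}))
    return new


def harden_cloud_reset(rules: Rules) -> Rules:
    """Mitigation: the cloud account reset requires the previous account
    password as well as the unlocked device."""
    new = _copy(rules)
    new["cloud_account"] = [frozenset({"unlocked_phone", "cloud_password"})]
    return new


def newly_exposed(rules: Rules, held: Set[str]) -> Set[str]:
    """Assets the attacker gains beyond what they started with."""
    return closure(rules, held) - set(held)


if __name__ == "__main__":
    sim_only = {"sim", "attacker_phone"}
    print("SIM only, static graph:   ", sorted(newly_exposed(BASE_RULES, sim_only)))
    print("SIM only, SIM detached:   ", sorted(newly_exposed(detach_sim(BASE_RULES), sim_only)))
    phone_pin = {"phone", "pin"}
    print("Phone+PIN, weak reset:    ", sorted(newly_exposed(BASE_RULES, phone_pin)))
    print("Phone+PIN, hardened reset:", sorted(newly_exposed(harden_cloud_reset(BASE_RULES), phone_pin)))
```

Run as a script, it shows that a static graph reports no exposure for an attacker holding only the SIM, while the detached-SIM variant reaches SMS codes, email and the bank through recovery flows; and that with the hardened reset rule, phone plus PIN no longer reaches the cloud account. Comparing closures before and after a rule change is the defender's use of such a model: it identifies which single requirement (here, the previous password) cuts an attack path.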
The researchers expect that their approach will be adopted by device manufacturers and app developers to catalogue vulnerabilities and improve understanding of complex hacking attacks.
The study also examined claims from a report by The Wall Street Journal, which suggested that an attack method used to access data and bank accounts on an iPhone could be applied to Android, despite no reported cases of such attacks.
Android apps, which are downloaded from the Play Store, require a Google account for installation, providing some protection against attacks. The researchers also suggested a security improvement for iPhones.
“The results of our simulations showed the attack strategies used by iPhone hackers to access Apple Pay could not be used to access Android Pay on Android, due to security features on the Google account. The simulations also suggested a security fix for iPhone – requiring the use of a previous password as well as a PIN, a simple choice that most users would welcome,” Arnaboldi added.
Apple has since implemented a fix for this vulnerability, adding an extra layer of protection for iPhone users.
The researchers also tested their method on various devices, including the Motorola G10 on Android 11, Lenovo YT-X705F on Android 10, Xiaomi Redmi Note Pro 10 on Android 11, and Samsung Galaxy Tab S6 Lite on Android. They found that devices linked to their manufacturer’s accounts (Samsung and Xiaomi) shared the same vulnerabilities as Apple, although the Google account remained secure.
Moreover, the researchers used their methodology to check the security of their own mobile devices, leading to an unexpected discovery. One researcher found that allowing his wife access to a shared iCloud account had compromised his security. Although his security settings were as stringent as possible, her network of connections was not secure.