How hackers can steal your 2FA email account by getting you to sign up for another website


In a paper for IEEE Security, researchers from Cyberpion and Israel's College of Management Academic Studies describe a "Password Reset Man-in-the-Middle Attack" that leverages a bunch of clever insights into how password resets work to steal your email account (and other kinds of accounts), even when it's protected by two-factor authentication.

Here are the basics: the attacker gets you to sign up for an account on their website (maybe it's a site that gives away free personality tests or whatever). The sign-up process presents a series of prompts, starting with your email address.

As soon as the attacker has your email address, a process on their server logs into your email provider as you and initiates an "I've lost access to my email" password reset process.

From then on, every question in your signup process for the attacker's service is actually a password reset question from your email provider. For example, if your email provider is known to text your phone with a PIN as part of the process, the attacker prompts you for your phone number, then says, "I've just texted you a PIN, please enter it now." You enter the PIN, and the attacker passes that PIN to your email provider.

Same goes for "security questions" like "What street did you live on when you were a kid?" The email provider asks the attacker these questions, the attacker asks you the questions for the signup process, and then uses your answers to impersonate you to the email provider.


It's a devastating attack that reveals some foundational weaknesses in the standard for password resetting. There are some steps you can take against this: most notably, you can treat all security questions as passwords and generate unique answers for each ("What was your first pet's name?" "2%x5p*TSavmJPlc]&Sd\VBPL@u-Y"). That requires a lot of vigilance on your side, and/or a sophisticated password manager — and it also requires the sites you're signing up for to accept password-like responses to security questions, allowing you to include punctuation, numbers, etc.
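The "treat security answers as passwords" advice can be sketched as a small vault keyed by site, shown here as an added example that is not from the paper or the original post. The class name, the site names (mail.example, quiz.example), the 28-character length and the alphanumeric fallback for sites that reject punctuation are all assumptions made for illustration.

```python
import secrets
import string

FULL = string.ascii_letters + string.digits + string.punctuation
ALNUM = string.ascii_letters + string.digits  # fallback for sites that reject punctuation


class AnswerVault:
    """One random answer per (site, question), like a password manager entry."""

    def __init__(self):
        self._answers = {}  # (site, normalized question) -> answer

    @staticmethod
    def _key(site, question):
        # Normalize case and whitespace so the same question maps to one entry.
        return site.lower(), " ".join(question.lower().split())

    def answer_for(self, site, question, length=28, allow_punct=True):
        """Return the stored answer, generating it on first use."""
        key = self._key(site, question)
        if key not in self._answers:
            alphabet = FULL if allow_punct else ALNUM
            self._answers[key] = "".join(
                secrets.choice(alphabet) for _ in range(length))
        return self._answers[key]

    def safe_to_submit(self, site, answer):
        """False if `answer` is stored for a different site than `site`."""
        owners = {s for (s, _), a in self._answers.items() if a == answer}
        return not owners or site.lower() in owners


if __name__ == "__main__":
    # Constructed sample: the same question asked by two different sites.
    vault = AnswerVault()
    q = "What was your first pet's name?"
    mail = vault.answer_for("mail.example", q)
    quiz = vault.answer_for("quiz.example", q, allow_punct=False)
    print(mail != quiz)                                # answers are per-site
    print(vault.safe_to_submit("quiz.example", mail))  # relayed answer is flagged
```

Because the answer is looked up by site, a question relayed through another site's signup form gets that site's own random answer, which is useless at the email provider.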


Also: your bank and other high-value targets that offer an app could allow you to use the app for the reset channel, sending one-time passwords to you as a push to the app instead of using SMS. You might inattentively fail to notice that the SMS you get from that new service says, "Here is your Yahoo Mail code" — but if the code came from your bank's app, it might be more obvious.


The attack allows a weak attacker to take over accounts of many websites, including Google and Facebook and other popular websites we surveyed. We evaluated the attacks and pointed at vulnerabilities and weaknesses of the password reset processes.

Although simple defense like more detailed SMS messages seems to be enough, our experiments indicate that this is not the case. We designed defenses and evaluated them compared to the existing implementations of Google and Facebook; our experiments show that our proposed defenses improve the security significantly. Finally, to help the many vulnerable websites to test and improve their password reset processes, we created a list of rules and recommendations for easy auditing.


The Password Reset MitM Attack [Nethanel Gelernter, Senia Kalma, Bar Magnezi and Hen Porcilan/IEEE Security]


(via 4 Short Links)