Philipp Markert, Florian Farke, and Markus Dürmuth
View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication
Santa Clara, California, USA | WAY 2019 | August 11, 2019
Two-Factor Authentication
2FA Adoption
Gmail Confidential Mode
Attacking Google’s 2FA
Are there alternatives?
2FA Adoption
analyzed top 100 websites*
25 no login: 75 left
18 duplicates: 57 left
26 no 2FA: 31 offer 2FA
* Le Pochat et al. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. NDSS ’19
31 websites offer 2FA
25 (81%)
7 (23%)
24 (77%)
Gmail Confidential Mode
Tonight’s door code:
long long short long
Link
https://confidential-mail.google.com/msg/...
2FA Confidential Mode
Attacking Google’s 2FA
1. Email
https://confidential-mail.google.com/msg/…
https://confidential-mail.oscar.com/msg/...
2. Confidential Mode
3. Login
4.
5. G-123456
6. G-123456
Are there alternatives?
1. Improve the text of the SMS
2FA
Confidential Mode
2. Use a Software Token
3. Use a Hardware Token