Fannv He (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, China), Yan Jia (DISSec, College of Cyber Science, Nankai University, China), Jiayu Zhao (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, China), Yue Fang (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, China), Jice Wang (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, China), Mengyue Feng (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, China), Peng Liu (College of Information Sciences and Technology, Pennsylvania State University, USA), Yuqing Zhang (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, China; Hangzhou Institute of Technology & School of Cyber Engineering, Xidian University, China; School of Cyberspace Security, Hainan University, China)

Authentication is one of the established practices to ensure user security. Personally identifiable information (PII), such as national identity card number (ID number) and bank card number, is used widely in China's mobile apps as an additional secret to authenticate users, i.e., PII-as-Factor Authentication (PaFA). In this paper, we found a new threat that calls on the cautiousness of PaFA: the simultaneous usages and business-related interactions of apps make the authentication strength of a target app weaker than designed. An adversary, who knows fewer authentication factors (only SMS OTP) than a PaFA system required, can break the authentication by gathering information or abusing cross-app authorization from other apps. To systematically study the potential risks, we proposed a semi-automatic system, MAGGIE, to evaluate the security of PaFA in target apps. By measuring 234 real-world apps in Chinese app markets with the help of MAGGIE, we found 75.4% of apps that deployed PaFA can be bypassed, including the popular and sensitive ones (e.g., AliPay, WeChat, UnionPay), leading to severe consequences like hijack user accounts and making unauthorized purchases. Additionally, we conducted a survey to demonstrate the practical implications of the new risk on users. Finally, we reported our findings to the vendors and provided several mitigation measures.

View More Papers

FirmLine: a Generic Pipeline for Large-Scale Analysis of Non-Linux...

Alexander Balgavy (Independent), Marius Muench (University of Birmingham)

Read More

Space-Domain AI Applications need Rigorous Security Risk Analysis

Alexandra Weber (Telespazio Germany GmbH), Peter Franke (Telespazio Germany GmbH)

Read More

ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies and...

Linkai Zheng (Tsinghua University), Xiang Li (Tsinghua University), Chuhan Wang (Tsinghua University), Run Guo (Tsinghua University), Haixin Duan (Tsinghua University; Quancheng Laboratory), Jianjun Chen (Tsinghua University; Zhongguancun Laboratory), Chao Zhang (Tsinghua University; Zhongguancun Laboratory), Kaiwen Shen (Tsinghua University)

Read More

OCPPStorm: A Comprehensive Fuzzing Tool for OCPP Implementations (Long)

Gaetano Coppoletta (University of Illinois Chicago), Rigel Gjomemo (Discovery Partners Institute, University of Illinois), Amanjot Kaur, Nima Valizadeh (Cardiff University), Venkat Venkatakrishnan (Discovery Partners Institute, University of Illinois), Omer Rana (Cardiff University)

Read More