One-Factor Two-Factor Authentication

Are you a client of a bank using two-factor authentication via SMS in Internet banking? Do you have an Android phone? Do you use the same computer to access Google services and to access Internet banking?

If all three answers are “Yes”, then access to your funds is less protected than it seems at first glance.

Authentication scheme

We’ll immediately make a reservation about the banking access scheme. The article discusses the following protection offered by banks:
  • Login / password pair to access the banking site
  • One-time password (most often a digital one) sent via SMS to the client’s phone to confirm each operation

Of the four banks that I came across, three used this authentication scheme.

Attack Scenarios

To steal funds, an attacker needs to know a username / password and have access to the phone to which SMS arrives.
He can achieve this by:
  1. Theft of a username / password pair (for example, with a laptop) and phone
  2. Gaining access to a computer and phone through a trojan
  3. Using phishing methods (disguise your site as a banking site)

Now the first and third methods are most worrying. However, the second method should not be discounted.

The complexity of this scenario is that the computer and the phone must be infected separately, and infection of one does not entail infection of the other. It is more difficult to infect two devices than one - this provides additional security.

But in fact, a computer infection can lead to an Android phone infection . For infection, connecting the phone to the computer is optional. Consider the attack scheme in more detail.

Attack pattern

Google Play offers a convenient mechanism for remote installation of applications on the device. From, you can remotely install any program on your phone without having physical access to the phone. This significantly reduces the level of protection through SMS authorization. In fact, it is enough for the attacker to infect only the computer, while the phone will download and install the malicious application itself.

The circuit itself looks like this:
  1. An attacker publishes an application on Google Play containing a code for sending SMS messages to a special email
  2. An attacker infects a user's machine with a trojan
  3. The trojan goes to and installs the Android application on all the user's phones
  4. The Trojan sends the username and password that were read using the keylogger to the email address of the attacker

All! Now the thief has a login and password to enter Internet banking and a one-time password from SMS will be sent to him by the malware installed on the phone. At the same time, he will not need to look for any vulnerabilities to read the user's SMS correspondence (you can use the Android Permissions mechanism, which the trojan will confirm from the computer himself) and convince the user to install the dubious program manually (the Trojan will do everything through the site).


Unfortunately, I did not find in the Google Play application on the phone a ban on installing programs through the WEB version of the service. Therefore, protection comes down to other ways to make both factors of two-factor authentication independent of each other:
  • Do not use the same Google account on the Android phone of the recipient of bank SMS and on the computer through which you log in to Internet banking
  • Do not use Google Play on the phone (in some custom firmware it is not)
  • Use a separate phone (not Android) to receive one-time SMS passwords


Two-factor SMS authentication is less secure than it sounds.

Also popular now: