Preferred Name
Casey Lee Silver
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
ORCID
https://orcid.org/0000-0001-8564-5251
Date of Graduation
5-2020
Semester of Graduation
Spring
Document Type
Thesis
Degree Name
Master of Science (MS)
Department
Department of Computer Science
Advisor(s)
Brett Tjaden
Xunhua Wang
Hossain Heydari
Abstract
This paper explores how existing push-notification-based two-factor authentication systems are susceptible to real-time man-in-the-middle relay attacks and proposes a system for mitigating such attacks. A fully functional reference system of the proposed mitigation was built and compared to an existing push notification two-factor authentication system while undergoing a real-time man-in-the-middle relay attack. The reference systems used cloud infrastructure for hosting, an Apple iPhone as the notification receiver, and Apple’s push notification service to send notifications. A publicly available tool for conducting real-time man-in-the-middle relay attacks was used to conduct the attacks. The results of the tests were recorded and contrasted to show how existing implementations fail to identify such attacks and how the proposed system could identify them. It is recommended that existing push notification two-factor authentication providers implement additional measures to protect users against real-time man-in-the-middle relay attacks while appropriately weighing key usability issues. While the proposed mitigation system is shown to prevent such attacks, it has usability drawbacks that should be considered.
Recommended Citation
Silver, Casey, "Mitigating real-time relay phishing attacks against mobile push notification based two-factor authentication systems" (2020). Masters Theses, 2020-current. 4.
https://commons.lib.jmu.edu/masters202029/4