With the rapid growth of online services, the number of online accounts is proliferating. The security of a single user account no longer depends merely on its own service provider but also on the accounts held on other service platforms (we refer to this online account environment as the Online Account Ecosystem). In this paper, we first uncover the vulnerability of the Online Account Ecosystem, which stems from defective multi-factor authentication (MFA), specifically SMS-based verification, and from the dependencies among accounts on different platforms. We propose the Chain Reaction Attack, which exploits the weakest point in the Online Account Ecosystem and can ultimately compromise the most secure platform. Furthermore, we design and implement ActFort, a systematic approach to detecting vulnerability in the Online Account Ecosystem by analyzing authentication credential factors and sensitive personal information and by evaluating the dependency relationships among online accounts. We evaluate our system on hundreds of representative online services listed in Alexa across diversified fields. Based on the analysis from ActFort, we provide several pragmatic insights into the current Online Account Ecosystem and propose several feasible countermeasures, including an exposed-information protection mechanism for online accounts and built-in authentication, to fortify the security of the Online Account Ecosystem.
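The dependency evaluation the abstract describes can be illustrated with a small model of an account ecosystem. This is an added example, not the paper's ActFort implementation: the accounts, factor names and phone number are constructed, and an account is treated as reachable when any one of its recovery alternatives is fully satisfied by what an attacker already holds.

```python
"""Chain-reaction exposure model for an account ecosystem (constructed example).

Each account lists alternative credential sets that grant access or recovery
(password, SMS code to a phone number, reset link to another account).
Gaining an account adds what it exposes to the attacker's holdings, so the
reachable set is computed as a fixed point from an initial foothold.
"""
from typing import Dict, List, Set

Holdings = Set[str]

# Constructed ecosystem: account -> alternatives; ALL factors of one alternative must be held.
ECOSYSTEM: Dict[str, List[Set[str]]] = {
    "telecom":  [{"password:telecom"}, {"sms:+1-555-0100"}],
    "webmail":  [{"password:webmail", "sms:+1-555-0100"}, {"sms:+1-555-0100"}],  # SMS-only reset path
    "shopping": [{"password:shopping"}, {"account:webmail"}],
    "bank":     [{"password:bank", "account:webmail"}, {"account:webmail", "sms:+1-555-0100"}],
}

# What controlling an account exposes as a further factor (constructed).
GRANTS: Dict[str, Set[str]] = {
    "telecom": {"sms:+1-555-0100"},   # control of the line means SMS codes are receivable
    "webmail": {"account:webmail"},
    "shopping": {"account:shopping"},
    "bank": {"account:bank"},
}


def chain_reaction(initial: Holdings, ecosystem=ECOSYSTEM, grants=GRANTS) -> List[str]:
    """Return the accounts that fall, in order, starting from an initial set of holdings."""
    held = set(initial)
    fallen: List[str] = []
    changed = True
    while changed:               # iterate until no further account becomes reachable
        changed = False
        for acct, alternatives in ecosystem.items():
            if acct in fallen:
                continue
            if any(alt <= held for alt in alternatives):
                fallen.append(acct)
                held |= grants.get(acct, set())
                changed = True
    return fallen


def weakest_single_points(ecosystem=ECOSYSTEM, grants=GRANTS) -> Dict[str, int]:
    """Blast radius of losing each single factor: factor -> number of accounts that fall."""
    factors = {f for alts in ecosystem.values() for alt in alts for f in alt}
    return {f: len(chain_reaction({f}, ecosystem, grants)) for f in sorted(factors)}
```

In this constructed ecosystem the telecom password and the phone number each cascade to all four accounts, while the bank password alone reaches nothing; a defender would use such a ranking to decide where SMS-based recovery needs replacing first.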