It seems like every day I see headlines for a new security breach with the potential to affect millions of people and result in untold financial damage.

Take yesterday’s Twitter breach for example – where hackers tweeted on behalf of influential political figures and celebrities such as Barack Obama, Elon Musk, Bill Gates, Kim Kardashian, and Kanye West with a Bitcoin donation scam promising that they would double any Bitcoin payments sent to the supplied wallet address. It’s been confirmed so far that these hackers have made off with at least $115,000 in Bitcoin – all of which is completely irreversible.

There was also the news just two weeks ago that Google removed 25 malicious applications from Google Play that were phishing Facebook login information by overlaying a fake Facebook login form which allowed hackers to hijack user credentials. These malicious apps were collectively downloaded more than 2.34 million times before they were discovered and removed.

The Problem

Some sources suggest that phishing attacks accounted for roughly 90% of data breaches in 2019, so that got me thinking – what are some ways we could be doing better to protect against them?

Upon reading the aforementioned article about malicious apps phishing Facebook login credentials through 3rd party mobile apps, I didn’t think I’d be very susceptible to an attack like that. Hopefully I’m wise enough to know not to enter my Facebook login credentials into a flashlight app, right?

But what about the apps where it would make sense to have social media integration and require your credentials? It might not be so easy to tell what’s legitimate and what’s not, and these apps are a lot more prevalent than you might think.

Most of the major dating apps such as Tinder (100m+ downloads), Bumble (10m+ downloads), and Hinge (5m+ downloads) support integration with Facebook, Instagram, and Spotify which requires you to enter your credentials in-app just like the malicious apps removed by Google last month.

There’s also a huge market for apps that allow users to download Instagram posts or the equally large market for 3rd party Twitter extension apps (many of which require your account credentials to work properly). The size of these markets is at the very least in the tens of millions of downloads.

So this raises the question: if someone were to download any of these seemingly legitimate 3rd party apps, how are they to tell that the sign-in form they are presented with to link their Instagram, Twitter, or Facebook is actually legitimate and not a cleverly skinned phishing form that captures and steals their credentials?

I decided to download a few of the top results from these app categories on a test device I had laying around in order to see if I could tell which sign-in forms looked legitimate and which did not.

Here is a screenshot of the in-app Instagram sign-in page from within the oh-so-cleverly-titled app “Photo & Video Downloader for Instagram – Repost IG” (no affiliation whatsoever, and heads up this app is stuffed with more ads than the Yellow Pages):

It definitely looks legitimate, right? But to be honest I have no clue if it is or isn’t.

Now I don’t particularly consider this my strength when it comes to mobile development, but I can confidently tell you that it would take me less than two hours to implement an Android screen that looks and functions exactly like this sign-in form and start stealing account credentials just like the bad guys.

All I’d need to do is nab a screenshot of any legitimate and approved in-app Instagram sign-in form (you can be reasonably sure the ones shown in the biggest dating apps are probably legitimate), then hop into Photoshop and grab the hex colors of all the UI elements.

From there, I can find the majority of the fonts and icons used throughout the real 3rd party Instagram form with a few quick searches. Here’s one example of the cursive Instagram logo at the top, and this white Facebook logo icon would do fine for the “Continue with Facebook” button.

The point I’m getting at is (as far as I can tell) there’s no clear indicator anywhere in the UI that definitively proves this sign-in form is legitimate and approved by Instagram and is not a malicious phishing form.


A Solution

What I propose is that any service such as Facebook, Twitter, Instagram, and Spotify that has a public API for 3rd party extensions should implement an extra layer of security that would allow users to verify that a particular sign-in form presented by a 3rd party app is approved and legitimate.

The idea would be a slight adjustment to the sign-in process. Instead of entering your username and password at the same time, you’d start by entering just your username. The following screen would allow you to enter your password, but would also display a 6-digit authentication code along with a message asking you to verify that this 6-digit code matches the one displayed in a “security” section of the official app for the service you’re trying to sign into.

Using the Instagram example from above, here’s what I’m imagining this new flow would look like.

The first step would only ask for your phone number, username, or email – no mention of a password just yet.

After entering your username, you’re brought to the following screen that now asks for your password. The difference here is you can see a clear 6-digit security code in the UI along with a small call to action – “What’s this?” that can be used to explain how this authentication process works.

Now all the user has to do is open the official Instagram app, navigate to the “Security” section, and verify that these codes match:

If the codes don’t match or the code is missing from the 3rd party in-app sign-in form, then you can be reasonably confident that the suspect form is malicious.

The proposed flow really isn’t anything all that new. It borrows the mechanics of a software 2-factor token (a short code derived from a secret shared with the service) but runs it in the opposite direction: instead of the user proving their identity to the service, the official app acts as the source of truth and the code lets the user check that the form in front of them was actually issued by the service. And just like a traditional soft token, this code could rotate to a fresh one every few minutes to further reduce risk. The check only holds as long as a malicious form can’t obtain the genuine code for that username, so the service has to hand the code out only to apps it has approved, not to anyone who submits a username.
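The post describes the code only as “6 digits” that “rotate every few minutes” and are shown in two places. The following is an added example, not code from the post or from any of the services named, of one way a service could produce and compare such a code. Everything specific is an assumption: a per-account secret held only by the service, a 180-second rotation window, an HMAC-SHA256 derivation with RFC 4226-style dynamic truncation, the hypothetical `IdentityService` class, and a constructed demo secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# Parameters the post leaves open, chosen here as assumptions: a 6-digit code
# that rotates every 3 minutes, derived HOTP-style (RFC 4226 dynamic truncation
# over an HMAC) from a per-account secret that only the service holds.
CODE_DIGITS = 6
STEP_SECONDS = 180


def derive_code(account_secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Derive the rotating code for one account at one point in time.

    Every caller that shares the secret and the clock gets the same digits for
    the whole `step`-second window, and a fresh value in the next one.
    """
    window = unix_time // step
    digest = hmac.new(account_secret, struct.pack(">Q", window), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class IdentityService:
    """Hypothetical stand-in for the service that owns the accounts (e.g. Instagram).

    Only the service knows each account's secret. It hands the current code to
    two places: the Security screen of its own official app, and the sign-in
    form of a third-party app it has approved, after that form submits a username.
    """

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def register(self, username: str, secret: bytes) -> None:
        self._secrets[username] = secret

    def security_code(self, username: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        return derive_code(self._secrets[username], now)


def user_verdict(form_code: Optional[str], official_code: str) -> str:
    """The comparison the user makes before typing a password.

    Returns "match", "mismatch", or "missing" (no code on the form at all).
    Per the post, anything other than "match" means: do not enter the password.
    """
    if form_code is None:
        return "missing"
    if not hmac.compare_digest(form_code.encode(), official_code.encode()):
        return "mismatch"
    return "match"


def demo(now: int = 1_600_000_020) -> Dict[str, str]:
    """Walk three sign-in forms through the check against the official app's code."""
    service = IdentityService()
    service.register("alice", b"constructed-demo-secret-not-real")  # constructed, not a real secret

    official = service.security_code("alice", now)       # shown in the official app's Security screen
    approved_form = service.security_code("alice", now)  # approved third-party form, same source
    skinned_clone = None                                 # pixel-perfect clone that shows no code
    guessing_clone = "000000" if official != "000000" else "111111"  # clone that invents a code

    return {
        "approved": user_verdict(approved_form, official),
        "clone_without_code": user_verdict(skinned_clone, official),
        "clone_with_fake_code": user_verdict(guessing_clone, official),
    }


if __name__ == "__main__":
    for form, verdict in demo().items():
        print(f"{form:>22}: {verdict}")
```

In the real flow the approved form would not derive the code itself; it would receive it from the service’s API after the username step, which is why both legitimate displays above read from the same `IdentityService`. If the window rolls over while the user is switching between the two apps, the official app simply shows the new value and the user reads it again, so the window should be long enough for that round trip.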

The user still needs to enter their correct password and also satisfy any pre-existing 2-factor authentication they may have already enabled on their account (such as through SMS or an authenticator app), but despite all that, the new flow would still not be without problems.

Until this becomes an industry standard, people might be presented with a regular username and password form (the previous flow) and not even know that they need to be looking for an authentication code that they can verify.

But in theory once someone has gone through the new process a few times, they’ll come to expect the new flow with an authentication code and if it’s ever missing they’ll know to be suspicious.

Also, if the verbiage in the “What’s this?” call to action does its job, then it should explain that moving forward this new flow will be the only authentic sign-in process for 3rd party apps that use the service, effectively training people that any time their 6-digit code is missing, it’s all but guaranteed to be a phishing scam.


Wrap Up

At the end of the day I see this solution as a small bandage that can help stem some of the bleeding from these incredibly common phishing attacks, but it would hopefully be enough to make some amount of difference.

Because password reuse is still so incredibly common on the internet, one single breach can easily make someone a victim across a multitude of different platforms through credential stuffing.

Troy Hunt (maintainer of HaveIBeenPwned.com) wrote a fantastic piece about how this process works, which perfectly illustrates why phishing attack prevention is all the more important.

If I’m late to the party with this idea and there’s already a service provider that offers this extra layer of security, then please send me an email and tell me about it.

If you support this idea and want to see it be implemented by the likes of Facebook and Twitter, I’d really appreciate it if you shared this post. I’m only a small content creator with near-zero influence, so I highly doubt anything I’d publish would get the attention of giant tech companies without significant external help.

Thanks for reading!
