Impact Assessment of Password Reset PRMitM Attack with Two-Factor Authentication

In 2017, Gelernter et al. identified the ``password-reset man-in-the-middle'' attack, which can take over a user's account during two-factor authentication. In this attack, a password reset request is sent via an SMS message instead of an expected authentication request, and the user enters a reset code at the malicious man-in-the-middle website without recognizing that the code resets the password. Following this publication, most vulnerable websites attempted to remove the vulnerability. However, it is still not clear whether these attempts were sufficient to prevent careless users from being attacked. In this paper, we describe the results of an investigation involving domestic major websites that were vulnerable to this type of attack. To clarify the causes of vulnerability, we conducted experiments with 180 subjects. The SMS-message parameters were ``with/without warning'', ``numeric/alphanumeric code'', and ``one/two messages'', and subjects were tested to see if they input the reset code into the fake website. According to the result of the experiment, we found that the PRMitM risk odds were increased 4.6, 1.86, and 11.59 times higher in a no-warning case, a numeric-only reset code, and a behavior that change passwords very frequently, respectively.