Within this paper we present our novel friend injection attack which exploits the fact that the great majority of social networking sites fail to protect the communication between its users and their services. In a practical evaluation, on the basis of public wireless access points, we furthermore demonstrate the feasibility of our attack. The friend injection attack enables a stealth infiltrat...

In this paper, we show that many formal and informal security results on distance-bounding (DB) protocols are incorrect/ incomplete. We identify that this inadequacy stems from the fact that the pseudorandom function (PRF) assumption alone, invoked in many security claims, is insufficient. To this end, we identify two distinct shortcomings of invoking the PRF assumption alone: one leads to dist...

Phone features, e.g., 911 call, voicemail, and Do Not Disturb, are critical and necessary for all deployed VoIP systems. In this paper, we empirically investigate the security of these phone features. We have implemented a number of attacks and experimented with VoIP services by leading VoIP service providers Vonage, AT&T and Gizmo. Our experimental results demonstrate that a man-in-the-middle ...

The banking industry in Norway has developed a new security infrastructure for conducting commerce on the Internet. The initiative, called BankID, aims to become a national ID infrastructure supporting services such as authentication and digital signatures for the entire Norwegian population. This paper describes a man-in-the-middle vulnerability in online banking applications using BankID. An ...

We present a simple method for constructing identiication schemes resilient against impersonation and man-in-the-middle attacks. Though zero-knowledge or witness hiding protocols are known to withstand attacks of the rst kind, all such protocols previously proposed suuer from a weakness observed by Bengio et al. : a malicious veriier may simply act as a moderator between the prover and yet anot...

Recently, Tseng and Wu pointed out that the second protocol of Biswas’s two-party keys scheme based on the Diffie-Hellman technique has a security weakness and proposed a new protocol to remedy the weakness. In this article, we point out that Tseng-Wu’s protocol is vulnerable to a man-in-the-middle attack. An attacker could intercept, delete, or modify the communicated messages between two comm...

Bilinear pairings based mutual authentication scheme using smart card is presented. We propose a novel technique of using two different servers, one for registration and other for authentication. The scheme is resilient to replay, forgery, man-in-the-middle and insider attacks.

The increase in network connectivity has also resulted in several high-profile attacks on cyber-physical systems. An attacker that manages to access a local network could remotely affect control performance by tampering with sensor measurements delivered to the controller. Recent results have shown that with network-based attacks, such as Man-in-the-Middle attacks, the attacker can introduce an...

Recently, bio-information has been playing an important role in modern user authentication schemes. In 2004, Lin and Lai proposed a flexible biometrics remote user authentication scheme. However, their scheme is vulnerable and cannot provide mutual authentication between user and remote system. Hence, Khan and Zhang improved the security of a flexible biometrics remote user authentication schem...

Recently, Aydos et al. proposed an ECC-based wireless authentication protocol. Because their protocol is based on ECC, the protocol has significant advantage including lower computational burden, lower communication bandwidth and storage requirements. However, Mangipudi et al showed that the protocol is vulnerable to the man-inthe-middle attack from the attacker within the system and proposed a...