Mobile phone 'account takeover' scams have become a major concern

In the dynamic world of digital security, a breakthrough from computer science researchers offers new insights into protecting online accounts from takeover attacks.

As mobile devices evolve into complex ecosystems of software and apps, the risk of such attacks increases, with potentially severe consequences for users.

“The ruse of looking over someone’s shoulder to find out their PIN is well known,” explains Dr. Luca Arnaboldi of the University of Birmingham’s School of Computer Science.

“However, the end game for the attacker is to gain access to the Apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts,” Arnaboldi explains.

Creating a model to prevent takeover attacks

To combat these threats, Dr. Arnaboldi collaborated with Professor David Aspinall from the University of Edinburgh, Dr. Christina Kolb from the University of Twente, and Dr. Sasa Radomirovic from the University of Surrey.

Their objective was to understand and prevent such attacks by adopting the mindset of a hacker, who often combines smaller tactical steps into a complex assault.

Previously, security vulnerabilities were studied using ‘account access graphs’, which show how phones, SIM cards, apps, and security features interconnect.

However, these graphs fell short in modeling account takeovers, where an attacker might, for instance, transfer a SIM card to another device, gaining access to SMS-driven password recovery methods.

Addressing this gap, the researchers developed a new model to understand how account access changes when devices, SIM cards, or Apps are disconnected from the ecosystem.

Their approach uses formal logic, a tool familiar to mathematicians and philosophers, to capture the decision-making process of a hacker who has access to a mobile phone and its PIN.
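As an added illustration of the idea behind account access graphs (not the paper's formal model or any vendor's real policy), the toy below treats each asset as reachable if the attacker holds it or satisfies at least one rule for it, where a rule is a set of assets that must all be held. The asset names and rules are constructed; they model the SIM-transfer recovery path and the "password as well as PIN" hardening described in this article.

```python
"""Toy account access graph: which accounts an attacker reaches from a start set.

Constructed for illustration; asset names and rules are invented, not a real policy.
"""
from typing import Dict, FrozenSet, Iterable, List, Set

Rules = Dict[str, List[FrozenSet[str]]]

def rule(*assets: str) -> FrozenSet[str]:
    return frozenset(assets)

# Hypothetical ecosystem: a PIN-locked phone, its SIM, and accounts that can be
# recovered either through an app on the phone or through SMS codes.
BASELINE: Rules = {
    "sms_codes":     [rule("phone", "pin", "sim"),   # read texts on the unlocked phone
                      rule("sim")],                  # or move the SIM into another device
    "email_app":     [rule("phone", "pin")],
    "shop_account":  [rule("email_app"), rule("sms_codes")],  # SMS-based password reset
    "pay_app":       [rule("phone", "pin")],         # wallet unlocked by device PIN alone
    "cloud_account": [rule("phone", "pin", "cloud_password")],  # account password needed
}

def reachable(rules: Rules, start: Iterable[str]) -> Set[str]:
    """Fixed-point closure: keep adding assets whose rules are satisfied."""
    held = set(start)
    changed = True
    while changed:
        changed = False
        for asset, alternatives in rules.items():
            if asset not in held and any(r <= held for r in alternatives):
                held.add(asset)
                changed = True
    return held

def harden(rules: Rules, asset: str, extra: str) -> Rules:
    """Add `extra` to every rule for `asset` (e.g. also demand the account password)."""
    fixed = dict(rules)
    fixed[asset] = [r | {extra} for r in rules[asset]]
    return fixed

def compare(start: Iterable[str]) -> Dict[str, Set[str]]:
    """Accounts reached from `start` before and after pay_app also requires a password."""
    accounts = {"shop_account", "pay_app", "cloud_account"}
    hardened = harden(BASELINE, "pay_app", "cloud_password")
    return {"baseline": reachable(BASELINE, start) & accounts,
            "hardened": reachable(hardened, start) & accounts}

if __name__ == "__main__":
    print(compare({"phone", "pin"}))   # stolen phone plus shoulder-surfed PIN
    print(compare({"sim"}))            # SIM alone, moved into another device
```

Disconnecting a component is modelled simply by changing the start set: the SIM on its own still unlocks SMS-based recovery, while requiring the account password for the wallet removes it from the PIN-only attacker's reach.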

From theory to real-world application

This research offers valuable insights for device manufacturers and app developers to catalog vulnerabilities and comprehend complex hacking strategies.

It also includes an analysis of claims from a Wall Street Journal report about potential attack strategies on iPhones and Android devices.

The research found that Android’s connection to a Google account provides some protection against these attacks and proposed a security enhancement for iPhones.

“The results of our simulations showed the attack strategies used by iPhone hackers to access Apple Pay could not be used to access Android Pay on Android, due to security features on the Google account,” Dr. Arnaboldi said.

“The simulations also suggested a security fix for iPhone — requiring the use of a previous password as well as a pin, a simple choice that most users would welcome.”

Preventing takeover attacks in the future

Following this, Apple implemented a fix, enhancing protection for iPhone users. Further testing on various devices revealed vulnerabilities specific to manufacturer accounts, even though Google accounts remained protected.

Additionally, personal experiments by the researchers uncovered unexpected security gaps, such as a shared iCloud account undermining the security of devices that were individually well protected.

Currently, Dr. Arnaboldi is applying this important research in his academic consultancy, working with major corporations and internet-based companies to fortify their defenses against hacking.

In summary, the pioneering research led by Dr. Luca Arnaboldi and his team marks a significant advancement in cybersecurity, offering a novel approach to understanding and preventing account takeover attacks.

This work exposes the intricate tactics of hackers while underscoring the need for continuous innovation in digital security.

As Dr. Arnaboldi applies these insights in his consultancy, his contributions are shaping a safer digital future, highlighting the critical importance of staying ahead in the ever-evolving battle against cyber threats.

The full study was published in the Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS 23).
