search

Account and Session Hijacking

The general threat is the ability of an attacker to take control of an account or communication session. The vulnerabilities are manifested in different ways at the DFS provider and the MNO.

hashtag
Affected Entity: DFS Provider

hashtag
Risk: Data exposure and modification

  • Vulnerability: Inadequate controls on dormant accounts

hashtag
Risk: Unauthorized account takeover

  • Vulnerability: Inadequate controls on dormant accounts

hashtag
Risk: User impersonation

  • Vulnerability Failure to perform geographical location validation (SD: Communication security)

  • Vulnerability: Inadequate user verification of preferred user communication channels for DFS services (SD: Communication security)

hashtag
Risk: Unauthorised access to user data and credentials

  • Vulnerability: Replay session based on tokens intercepted (SD: communication security)

  • Vulnerability: Weak encryption algorithms for password storage (SD: data confidentiality)

hashtag
Affected Entity: MNO

hashtag
Risk: Impersonation of authorised users occurs because of the following vulnerability

  • Vulnerability: Session timeouts not specified for DFS services

hashtag
Risk: Unauthorized access to user data and credentials

  • Vulnerability: User credentials for DFS application are sent in inherently insecure ways like SMS or through agents (SD: data confidentiality)

PreviousDFS security vulnerabilities, threats and mitigation Measures In order to systematicalNextAttacks against systems and platforms

Last updated