Account and Session Hijacking
The general threat is an attacker taking control of a user's account or of a communication session. The vulnerabilities that enable it manifest differently at the DFS provider and at the MNO, so they are listed separately for each entity below, each paired with the risk it gives rise to (SD denotes the related security dimension).
Affected Entity: DFS Provider

Risk: Data exposure and modification
Vulnerability: Inadequate controls on dormant accounts

Risk: Unauthorised account takeover
Vulnerability: Inadequate controls on dormant accounts

Risk: User impersonation
Vulnerability: Failure to perform geographical location validation (SD: Communication security)
Vulnerability: Inadequate user verification of preferred user communication channels for DFS services (SD: Communication security)

Risk: Unauthorised access to user data and credentials
Vulnerability: Replay of a session based on intercepted tokens (SD: Communication security)
Vulnerability: Weak encryption algorithms for password storage (SD: Data confidentiality)

Affected Entity: MNO

Risk: Impersonation of authorised users
Vulnerability: Session timeouts not specified for DFS services

Risk: Unauthorised access to user data and credentials
Vulnerability: User credentials for the DFS application are sent in inherently insecure ways, such as by SMS or through agents (SD: Data confidentiality)
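The two session-related vulnerabilities above (replay of intercepted tokens, and unspecified session timeouts) share one mitigation pattern: a server-side session record with an idle timeout, an absolute lifetime, and a per-request nonce signed under a per-session key, so that a captured request cannot be presented a second time. The following is an added illustration, not code from the framework; the timeout values, the session store and the request-signing scheme are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT = 300        # seconds of inactivity after which the session is dropped (assumed value)
ABSOLUTE_LIFETIME = 3600  # hard cap on session age regardless of activity (assumed value)


@dataclass
class Session:
    user: str
    key: bytes                  # per-session MAC key, shared only with the client at issue time
    created: float
    last_seen: float
    seen_nonces: set = field(default_factory=set)  # nonces already accepted for this session


def sign_request(key: bytes, session_id: str, nonce: str) -> str:
    """Client-side MAC over (session id, nonce); the session id alone is never a valid credential."""
    return hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Hypothetical server-side session store enforcing timeouts and single-use request nonces."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def issue(self, user: str, now: float) -> tuple[str, bytes]:
        """Create a session; returns the id and the key the client must use to sign every request."""
        session_id, key = secrets.token_urlsafe(32), secrets.token_bytes(32)
        self.sessions[session_id] = Session(user, key, now, now)
        return session_id, key

    def validate(self, session_id: str, nonce: str, mac: str, now: float) -> str:
        s = self.sessions.get(session_id)
        if s is None:
            return "unknown-session"
        # Check both timeouts before anything else, so a stale session cannot be revived by a valid MAC.
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[session_id]
            return "expired"
        if not hmac.compare_digest(mac, sign_request(s.key, session_id, nonce)):
            return "bad-mac"
        if nonce in s.seen_nonces:  # an intercepted request presented a second time
            return "replay"
        s.seen_nonces.add(nonce)
        s.last_seen = now
        return "ok"
```

In a real deployment the set of seen nonces must be bounded, for example by embedding a timestamp in each nonce and rejecting anything older than the idle timeout, so that memory does not grow for the life of the session.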