{ "id": "d84b8b47-4b74-4446-9dec-7840225d2af3", "created_at": "2026-04-06T00:15:56.33841Z", "updated_at": "2026-04-10T03:21:10.689476Z", "deleted_at": null, "sha1_hash": "3a0a3d4d1380ab984e2c6dbfa003cf9ed3c89e59", "title": "AUT-0 · Mobile Threat Catalogue", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 35378, "plain_text": "AUT-0 · Mobile Threat Catalogue\r\nArchived: 2026-04-05 18:13:00 UTC\r\nMobile Threat Catalogue\r\nUse of Stolen Credentials\r\nContribute\r\nThreat Category: Authentication: User or Device to Remote Service\r\nID: AUT-0\r\nThreat Description: Attackers able to steal authorized credentials could potentially login to sensitive services or\r\ndevices, and gain unauthorized access to privileged information.\r\nThreat Origin\r\nMobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices 1\r\nExploit Examples\r\nCBS App \u0026 Mobility Website 2\r\nThe Fork 3\r\nStar Q8 4\r\nCorriere Della Sera App 5\r\nLaTribune 6\r\nCard Crypt 7\r\nStarbucks Caught Storing Mobile Passwords in Clear Text 8\r\nCVE Examples\r\nPossible Countermeasures\r\nEnterprise\r\nTo hinder an authentication attempt with a stolen credential, use anomaly detection based on user activity to detect\r\nabnormalities (e.g. authentication from new domains, unusual times, or to rarely-accessed services) and require\r\nadditional authentication steps before granting access.\r\nhttps://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html\r\nPage 1 of 2\n\nTo mitigate an attacker’s ability to achieve authentication using a stolen credential, when possible, configure\r\nservices to use multi-factor authentication. Ideally, the additional factor should be provided by a separate device\r\nthan the one being used to perform primary authentication (e.g., laptop and mobile app). Further, avoid the use of\r\nSMS messages for 2FA codes, as SMS messages can be readily intercepted.\r\nTo limit the value of stolen credentials to an attacker, use centralized identity and access management tools that\r\npermit simultaneous revocation of stolen authentication credentials across all access control mechanisms and\r\nterminate active sessions based on those credentials.\r\nTo limit the value of stolen credentials, enforce a policy that limits the maximum age of credentials and limits the\r\nuse of identical or similar credentials.\r\nTo limit the value of stolen credentials, enforce an access policy that restricts the resources a user can access based\r\non location parameters (e.g. domain, IP address, MAC address, geolocation) of the authentication request.\r\nIncorporate the principle of least privilege to limit lateral movement by an attacker with stolen credentials.\r\nTo limit the potential for predictive attacks on new passwords, employ authentication mechanisms that utilizes\r\nrandomly generated one-time passwords or tokens for access from untrusted locations.\r\nTo prevent an attacker with a stolen password from locking out the legitimate user or defining new credentials,\r\nrequire 2-factor authentication mechanisms to change authentication credentials or credential recovery processes.\r\nMobile Device User\r\nTo mitigate an attacker’s ability to achieve authentication using a stolen credential, when possible, configure\r\nservices to use multi-factor authentication. Ideally, the additional factor should be provided by a separate device\r\nthan the one being used to perform primary authentication (e.g., laptop and mobile app). Further, avoid the use of\r\nSMS messages for 2FA codes, as SMS messages can be readily intercepted.\r\nReferences\r\nSource: https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html\r\nhttps://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html" ], "report_names": [ "AUT-0.html" ], "threat_actors": [], "ts_created_at": 1775434556, "ts_updated_at": 1775791270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3a0a3d4d1380ab984e2c6dbfa003cf9ed3c89e59.pdf", "text": "https://archive.orkl.eu/3a0a3d4d1380ab984e2c6dbfa003cf9ed3c89e59.txt", "img": "https://archive.orkl.eu/3a0a3d4d1380ab984e2c6dbfa003cf9ed3c89e59.jpg" } }