Anywhere Computing Makes 2FA Insecure On iOS and Android (thestack.com)
An anonymous reader writes: Academics from the VU University Amsterdam have identified a new class of vulnerabilities to two-factor authentication, commonly used to protect transactions involving financial and private information. The vulnerability leaves users of both Android and Apple mobile devices open to the theft of personal information by hackers. The researchers note the text (PDF). While anywhere computing is generally considered to be a good thing, the research claims that integration across multiple platforms essentially removes the gap between those platforms, and it is that gap that is required to make two-factor authentication secure. Without a gap between devices, a common hack called the man-in-the-browser attack can be elevated to intercept the one-time password generated for two-factor authentication, thereby rendering two-factor authentication useless.
Three Factor Authentication!
Which has more power: the hammer, or the anvil?
This just in!
Anywhere Computing is now Nowhere Computing.
Yesterday's Technology, Tomorrow
Only the 2FA that requires input from the user because the input dialogs can be spoofed.
If you have a system that calls you and requires you to press 1 (for example) which then triggers the server side to continue the workflow, that should still be secure... right?
I heard two stories just recently about people abusing 2FA. One guy was a contractor, who sub-contracted all of his work (for multiple employers at once!) to programmers in China... he had mailed his RSA key to them so they could log into the VPN on his behalf and do his work. Funny thing is, they did quality work apparently, and the guy was winning awards for high productivity/quality in the companies he contracted for...
Another story related how someone had just set up a webcam, again, pointing at an RSA token, so they could log in from anywhere. Hope their webcam was secure from 3rd party eyes! (not likely).
Unless the 2FA is grafted into one's body and somehow detects duress too, it'll be susceptible to unauthorized use, just like anything else. It's really about estimating acceptable risk -- everything's hackable.
I just love how Steam tries so hard to use their "mobile authenticator" thing, when all that accomplishes is giving someone who exploits your phone access to the Steam credentials, steam guard auth, and recovery email all in one go. At least with the Blizzard authenticator app, it didn't hold any account credentials, and you could buy hardware ones too.
On top of that, even if you had 500-factor authentication, it wouldn't stop some luser from getting phished, since they'd just put their 500 authentication details into the fake page.
Anywhere Computing Makes 2FA Insecure On iOS and Android
Windows Phone remains unaffected!
I don't hear about software security development using a very rigorous security logic chart that precludes "the obvious" in addition to the hidden faults.
Is there such a program/process? If so, it doesn't seem to be used well according to the dozens of recent posts of security flaws.
I wish these companies would stop pushing all this stuff and let me protect my own account. I've been locked out of both Microsoft and Google accounts because of this type of crap. If I have my password, I want to get into my account. Gmail is almost useless now because of this. They just randomly decide they can't authenticate your account whenever they want to and leave you with no access to your account and no way to contact customer support. Just a bogus recovery process that is designed to always fail. All at random.
The too long didn't read for the article is: "If your computer is compromised bad things can happen to your phone."
Thanks for the paper guys.
What the fuck is going on here?! There was just a submission on the front page called Opinion: DevOps Is Dead. I was going to submit a comment but then the comment creation failed with a really vague "There was an unknown error in the submission." error! And now it 404s! What the fuck is going on here?! Where the hell did that submission go?! People had already commented on it, for crying out loud! What the hell is going on here?!
If you allow a rogue app to be installed on your device and have given it privileges to, say, intercept your SMS traffic or perform a covert capture of the QR code, then you should expect to be compromised.
All this tells me is that better reviews of apps need to be done before allowing an app into the App Store to ensure rogue apps aren't installed on a user's device in the first place.
I've been locked out of both Microsoft and Google accounts
Are you paying for the service?
Yes. Services that use a Microsoft account are included in the price of a Windows license.
The approach requires a Man-in-the-Browser attack which assumes the hacker already has control over your PC/laptop/whatever you're syncing your phone to. But the way I (and I imagine most others who don't have a pressing need to be security paranoid) use 2FA we stay "authenticated" on most devices we already use, and only revoke access if we have reason to believe we've been compromised. So if you successfully hack my home computer I've probably already given up the ghost. For me the main appeal of 2FA is to defend against remote hacking from more random, opportunistic sources.
If I have my password, I want to get into my account.
If someone else guesses your password, someone else wants to get into your account. If you reuse your password on another service, and someone else cracks said other service's password database, someone else wants to get into your account. How would you recommend to defend against these attacks other than through 2FA?
As long as no hackers in the vicinity, you're safe!!1!
When needed, spit the semen sample out. You can borrow some of mine.
"The researchers note the text (PDF)."
That link was NOT a PDF. Please don't assume that everyone wants to use their browser to read things. That's deceptive. The proper link is:
http://fc16.ifca.ai/preproceed...
The idea of these phone-based two factor schemes was that if a bad guy hacks your browser (ie you have Flash installed), they can't access your accounts without ALSO compromising your phone. They'd have to hack two devices, not just one.
The researchers point out that the browser can use http://play.google.com/ to remotely compromise your phone. Compromising the desktop browser automatically means they can get the phone too. Therefore hacking just the browser is sufficient. "Two factor auth" is actually single factor, due to the browser-based app store.
This only talks about 2 factor authentication as something you know, and something you have. There are other options that have their own problems as well. I see them as:
1) Passwords - Something you know
Everyone hates these and they suck because they are easily circumvented and often hard to remember.
2) Tokens / mobile devices / landlines - Something you have
Mobile phones can get malware that intercepts text messages and MITMs sessions. Landlines have their own security issues for targeted attacks. Tokens fail if the seed info is stolen (RSA anyone?)
3) Biometrics - Something you are
These stink because if the information that represents your iris, hand pattern, or other body part, is stolen, you cannot easily change this.
4) Body and pattern movements (typing rhythms, etc...) - Something you do.
I think this should be researched more. It would be hard to change though...much like Biometrics
So, maybe people suggesting 3 factor auth are not really off base with this. Combining three things increases the complexity of the attack. However, once you include biometrics you have other issues to deal with.
Outlook.com works from android phones.
Outlook.com has a $20/year paid tier that used to be called Hotmail Plus. And there are rumors of a forthcoming $48/year paid tier allowing a custom domain, comparable to Google's $60/year Google Apps for Work.
So yes, it is possible for a mail user to be Microsoft's or Google's customer.
And, to do so requires a rogue app be inserted in the applicable app store (which hasn't been verified and checked for unauthorized APIs and dangerous permissions). Without the installation of the rogue app and giving it the necessary permissions to carry out the attack, the attack would fail.
The bigger news is that they could insert a rogue app into the app store undetected and force its installation on the remote device. This isn't about a failing of TFA, but rather the safeguards intended to prevent the covert (or overt) installation of malicious software.
We all gripe and groan about the walled gardens. But, if they were properly enforced and apps actually checked, this would not be a vulnerability in the first place.
Three Factor Authentication!
Das Onion is always prescient:
http://www.theonion.com/blogpo...
Unless you don't login to play.google.com via your desktop. I mean who does that anyways?
If you're logged into gmail on your desktop, you're logged into your google account, which means you're logged into play.google.com.
Simple solution.. add password or biometric security to the Authenticator apps. Breaching the unified platform won't give you access to the authenticator app because it would effectively have root permissions and require authentication with each use.
Years ago I sold some Bitcoins for minor amounts on Localbitcoins. 2 years later I learned that someone paid using funds from some kind of hijacked bank account when the criminal Swedish policemen Peter Fromén and Jan-Olof Berglund broke into my home and stole all my computer hardware and other electronics and some random papers and a few (luckily empty) Bitcoin paper wallets.
From what I gather some scammer hijacked some Facebook page and used that to make the mark type in a code which appeared on the bank's login page into a hardware 2FA device and tell the scammer what numbers appeared on the device.
I eventually got my hardware back but I never saw the papers or the Bitcoin wallets they stole back; they didn't even register that as "confiscated" evidence (I put "confiscated" in quotes because they broke numerous laws required for something to actually be confiscated and they admitted this to the oversight body JO, but that's alright because they said all their crimes were "mistakes").
An important lesson one can learn from this is that even hardware 2FA solutions will not protect complete idiots from giving their credentials away, and it will also not protect you from having grave crimes committed against you by the police as a consequence. (Another lesson is that you should never accept a bank transfer as payment: it may come back and bite you years later.)
As always - it boils down to a single password.
No matter how many "factors" you have, it will still get reduced to a single password.
However you fancy it up with key fobs, phones, biometrics... it still comes down to a password.
Please don't 'ass you and me' that people display PDFs in the browser.
Thank the divines, Windows Phone is not affected.</sarcasm>