Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anywhere Computing Makes 2FA Insecure On iOS and Android (thestack.com)

Posted by msmash on from the 2FA-not-as-secure-as-you-think dept.

An anonymous reader writes: Academics from the VU University Amsterdam have identified a new class of vulnerabilities to two-factor authentication, commonly used to protect transactions involving financial and private information. The vulnerability leaves users of both Android and Apple mobile devices open to the theft of personal information by hackers. The researchers note the text (PDF). While anywhere computing is generally considered to be a good thing, the research claims that integration across multiple platforms essentially removes the gap between those platforms, and it is that gap that is required to make two-factor authentication secure. Without a gap between devices, a common hack called the man-in-the-browser attack can be elevated to intercept the one-time password generated for two-factor authentication, thereby rendering two-factor authentication useless.

38 of 69 comments (clear)

  1. Next up... by Lab+Rat+Jason · · Score: 3, Funny

    Three Factor Authentication!

    --
    Which has more power: the hammer, or the anvil?
    1. Re:Next up... by Anonymous Coward · · Score: 1

      Thank you very much, but I have a PIN calculator which has enough one time pad for about 2900 years of intensive use (battery will run out sooner), and it takes no input except its own 5-digit PIN from its very own keyboard. It conveniently fits in my pocket, and is slim enough to dispose of by crushing or burning with a lighter. :P

      It will provide me with my authentication for my banking purposes, and to be honest, I trust it a bit more than our clunky national ID card, about which nobody knows who the fck issued the private keys.

    2. Re:Next up... by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

      Next up... Three Factor Authentication!

      Fuck everything, we're doing Five Factor Authentication!

    3. Re:Next up... by GameboyRMH · · Score: 1

      Later...

      "All three authentication steps have been breached!"

      "Oh, the fools! If only they'd built it with four-factor authentication! When will they learn?!?"

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:Next up... by WarJolt · · Score: 1

      1. Don't use txt for 2FA.
      2. Generate authentication tokens in a trusted machine inside your cell phone (i.e. trust zone)

      Or

      Use a separate RSA token generator.

      Either way txt is the worst idea for 2FA.

      2FA only makes it harder for hackers. I'd like to see a the types of mass account compromises that we see with password auth alone.

      So let's calm down and don't go overboard

  2. Not all 2FA by The-Ixian · · Score: 1

    Only the 2FA that requires input from the user because the input dialogs can be spoofed.

    If you have a system that calls you and requires you to press 1 (for example) which then triggers the server side to continue the workflow, that should still be secure... right?

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Not all 2FA by dgatwood · · Score: 1

      Not necessarily. Sure, this article is strictly about malicious programmers taking advantage of text message sharing to let a compromised computer obtain the text messages sent to a phone, but with Apple's Continuity feature, it is also possible to take phone calls on your Mac or on other non-phone iOS devices, as long as the iPhone is on the same Wi-Fi network.

      If it is possible for someone writing a malicious Mac app to then control that audio stream, then in theory it would be possible for an attacker to do the same thing with callback-based two-factor. However, your phone would probably ring, so even if someone could pull that off, there's a good chance that users would quickly discover that they were being compromised, which would reduce (but not eliminate) the utility of this approach as a means of compromise.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. This isn't new.. by Anonymous Coward · · Score: 3, Interesting

    I heard two stories just recently about people abusing 2FA. One guy was a contractor, who sub-contracted all of his work (for multiple employers at once!) to programmers in China.. he had mailed his RSA key to them so they could log into the VPN on his behalf and do his work. Funny thing is, they did quality work apparently, and the guy was winning awards for high productivity/quality in the companies he contracted for...

    Another story related how someone had just set up a webcam, again, pointing at an RSA token, so they could log in from anywhere. Hope their webcam was secure from 3rd party eyes! (not likely).

    Unless the 2FA is grafted into one's body and somehow detects duress too, it'll be susceptible to unauthorized use, just like anything else. It's really about estimating acceptable risk -- everything's hackable.

    1. Re:This isn't new.. by fuzzyfuzzyfungus · · Score: 1

      The trouble trouble with the app-based '2 factor' stuff is that there is a lot more room for non-obvious, automatic, exploitation; rather than just the occasional user deciding to do something questionably sensible.

      In both cases you mention, the users were acting in direct opposition to what their admins would want; but the authentication fobs dutifully performed exactly as the users expected them to. They didn't mail themselves to China, or just get caught clandestinely camwhoring.

      When the 'second factor' is some shoddy little app running on an internet connected computer along with who knows what else; conveniently correlated to your probably-infected desktop by being logged into all the same 'cloud' services; it's vastly more likely that the authentication token is going to go AWOL without the user doing anything atypically stupid, or even being able to tell.

      Implementing a 'secure' token in software on an internet connected computer that also runs god knows what else has always been a shoddy idea; popular purely because it's cheaper than dedicated hardware; and possibly not quite as awful as your average password. It's never been, or even pretended to be, an actually trustworthy approach.

    2. Re:This isn't new.. by dgatwood · · Score: 4, Insightful

      Implementing a 'secure' token in software on an internet connected computer that also runs god knows what else has always been a shoddy idea; popular purely because it's cheaper than dedicated hardware; and possibly not quite as awful as your average password. It's never been, or even pretended to be, an actually trustworthy approach.

      Exactly. And many of us have been saying that for years. The unfortunate problem is that many people see these sorts of technologies, and think to themselves, "This makes me secure", whereas in practice, the security benefit of any software-based second factor is zero if somebody has successfully 0wn3d your hardware. With that said, this statement doesn't go far enough. In practice, the security benefit of any second factor is zero if either communication endpoint is insecure, regardless of what the second factor is, and regardless of how many factors are involved.

      Suppose I'm an attacker. If I can compromise your browser, I can show a fake error page. Therefore, if I want to do a transaction on your account, I can just wait for you to perform one, use your OTP to perform some nefarious action, then issue an error page, forcing you to enter a new OTP, then let the user perform the action again and allow the action to go through. Even better, I could perform the user action first, show an error page to trick the user into providing a new OTP, and then perform the nefarious action second. That way, I can show the legitimate response page at the end, as though the nefarious action hadn't happened, hiding the fact that I just transferred your entire account balance to an account in Switzerland or whatever. A sufficiently sophisticated attacker could actually fake all of the response screens sufficiently to mask their actions until days or weeks later, when your bank sends you a snail-mail letter telling you that you're bouncing checks.

      That's why the first rule of computer security, IMO, should be, "If you can't trust both endpoints, you can't trust the data."

      The takeaway for anyone who wants to be more secure is this: Always use your landline phone as your second factor, and make sure that it is POTS-based and not a VoIP home phone. In some cases a POTS line can be trunked in a way that could make it possible to redirect calls somewhere else through software-based attacks, so for a truly skilled attacker, even that isn't 100% safe, but it is orders of magnitude safer than a cell phone.

      The takeaway for banks and other institutions is that Internet-connected devices make poor second factors, and they should really collaborate to come up with a common platform for second-factor authentication using shared hardware tokens (e.g. OATH with OTPs) and require their customers to use them. Ideally, they should do so in a way that the customer can use a single second factor for all their accounts at various banks, relying on the passwords to ensure that someone who steals the fob won't gain access to all of the user's accounts. And ideally, they should come up with a way to provide (with some reasonable degree of certainty) a hash check on the password to ensure that the user doesn't use the same password on multiple sites. This could be a good browser feature.

      The takeway for OS designers is pretty extensive; I'd recommend that anybody involved in any sort of operating-system security read the original white paper, because it would take too long to summarize the chain of attacks involved.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:This isn't new.. by Bengie · · Score: 1

      I can't purchase a non-VoIP landline around here. Everything is over fiber, copper is almost completely gutted out. Then I would need to pay to have it installed. Apartments don't have RJ11 already ran anymore. Typical rental agreements includes paying out of pocket if you want one installed, but they won't stop you.

  4. Yep by mattventura · · Score: 2

    I just love how Steam tries so hard to use their "mobile authenticator" thing, when all that accomplishes is giving someone who exploits your phone access to the Steam credentials, steam guard auth, and recovery email all in one go. At least with the Blizzard authenticator app, it didn't hold any account credentials, and you could buy hardware ones too.

    On top of that, even if you had 500-factor authentication, it wouldn't stop some luser from getting phished, since they'd just put their 500 authentication details into the fake page.

    1. Re:Yep by wardrich86 · · Score: 1

      I hate how they're pushing 2FA. Sometimes my kids want to play Lego games while I'm at work, but they can't because I have 2FA enabled. And if I disable 2FA, selling shit in the market becomes a burden.

  5. Ironically by The-Ixian · · Score: 1

    Anywhere Computing Makes 2FA Insecure On iOS and Android

    Windows Phone remains unaffected!

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Ironically by krisbrowne42 · · Score: 1

      Because there are no apps, or users, to be affected...

  6. 2-Step Auth != 2-Factor Auth by gti_guy · · Score: 1

    Knowing the difference makes all the difference in the world,

    1. Re:2-Step Auth != 2-Factor Auth by Bengie · · Score: 1

      Call it virtual 2 Factor Auth. Still is a second factor, but one should never communicate the second factor, it should be something you ALREADY have, not something you're about to have.

    2. Re:2-Step Auth != 2-Factor Auth by sexconker · · Score: 1

      This guy gets it.
      Real (physical) security is based on the model of something you have, something you are, and something you know being verified by the authenticating party.
      This is you walking into a bank and the teller or account manager looking at you, your government-issued photo id, and asking for you account number, pin, ssn, etc.

      They verify you are a early-twenties, 450 pound, balding, acne-riddled lump of a man. They verify you have a state id (but not a driver's license because you're useless) that matches that and lists the appropriate address of "mom's basement". They ask for your account number, ssn, or maybe the answer to your security question about who your favorite character on My Little Pony is or what anime character is your #1 true waifu.

      To get around what you are you'd need a disguise (and deodorant) able to pass inspection by a live human.
      To get around what you have you'd need a fake id that passes inspection by a live human AND a machine that looks it up.
      To get around what you know you'd need to know the private info and innermost desires of your target.

      Computer security only has one thing: Something you know. Smart cards, tokens, shit sent to a phone, anusprint scanners, etc. are all automated systems that simply tack on extra shit to the standard "something I know" piece (user/pass).

      We do this because we cannot manually inspect all authorization requests on the scale the internet requires. So you trust that the scanner generates a true hash and the true hash you got is from a trusted and uncompromised scanner and that it read a real anus and not a copy made form gummy bears. You trust that the SMS code you generate send to a phone number isn't intercepted on the phone itself (you have NO idea where that phone is) or over the air without the phone (very easy, SMS is SHIT). You trust that the algorithm the temporary password generator uses is "random" and secure and that the secret (seed) is secure within the hardware dongle, the generator application, hasn't been leaked from your database / the 3rd party's database, etc. and that the dongle/application are in the hands of the true user.

      We don't have 2-factor authentication on the internet. We have 2-step or, at best, 2-channel authentication.

  7. Just Stop by jetkust · · Score: 1

    I wish these companies would stop pushing all this stuff and let me protect my own account. I've been locked out of both Microsoft and Google accounts because of this type of crap. If I have my password, I want to get into my account. Gmail is almost useless now because of this. They just randomly decide they can't authenticate you're account whenever they want to and leave you with no access to your account and no way to contact customer support. Just a bogus recovery process that is designed to always fail. All at random.

    1. Re:Just Stop by Bengie · · Score: 1

      Google has a bunch of failure safeties, but they're opt in. A fall back is it can send an SMS to my phone, or my wife's phone, or I can use one of my 20 one time use printed off keys that I store somewhere.

    2. Re:Just Stop by jetkust · · Score: 1

      I'm pretty sure I didn't opt-in to google randomly locking me out of my account for no reason with no way to get it back. Probably something along the lines of "oooh, he's running Linux now. He can't be trusted."

    3. Re:Just Stop by jetkust · · Score: 1

      Yea, because Google doesn't have any services that you pay for, right?

  8. Windows license and Microsoft accounts by tepples · · Score: 1

    I've been locked out of both Microsoft and Google accounts

    Are you paying for the service?

    Yes. Services that use a Microsoft account are included in the price of a Windows license.

  9. Already vulnerable in many cases by Dan+Posluns · · Score: 1

    The approach requires a Man-in-the-Browser attack which assumes the hacker already has control over your PC/laptop/whatever you're syncing your phone to. But the way I (and I imagine most others who don't have a pressing need to be security paranoid) use 2FA we stay "authenticated" on most devices we already use, and only revoke access if we have reason to believe we've been compromised. So if you successfully hack my home computer I've probably already given up the ghost. For me the main appeal of 2FA is to defend against remote hacking from more random, opportunistic sources.

    1. Re:Already vulnerable in many cases by Bengie · · Score: 1

      They don't need control of your computer, just to do a cross-site attack and have your already established session to play.google.com to issue some web requests to remotely install malware on your phone.

  10. If someone else has your password by tepples · · Score: 1

    If I have my password, I want to get into my account.

    If someone else guesses your password, someone else wants to get into your account. If you reuse your password on another service, and someone else cracks said other service's password database, someone else wants to get into your account. How would you recommend to defend against these attacks other than through 2FA?

    1. Re:If someone else has your password by jetkust · · Score: 1

      If I have my password, I want to get into my account.

      If someone else guesses your password, someone else wants to get into your account. If you reuse your password on another service, and someone else cracks said other service's password database, someone else wants to get into your account. How would you recommend to defend against these attacks other than through 2FA?

      How about NOT doing any of those things you mentioned, and having a good password. 2FA may be good for people who actually need it. But for most people it just increases your change of getting locked out of your account. Some people don't want to give up their phone numbers and be "protected."

    2. Re:If someone else has your password by rthille · · Score: 1

      That's not at all what a yubikey is.
      Yubikeys generate OTPs, not static passwords (well, you can configure a static password, but it seems idiotic to pay >$10 for that).
      Here's the output from mine for 5 key presses (with spaces added to get around the filter). See if you can predict the 6th:
      ccccccdcbdtu fltbbccvutvidrkttrtuhdlcdftlihvu
      ccccccdcbdtu biulnjerdjgvduevjnbdvjettfunbigk
      ccccccdcbdtu cegcfgebcdflthefgnddfvrttvjrceel
      ccccccdcbdtu dhhvviiinktjjculbegjutncnftrhbtr
      ccccccdcbdtu ubjvvrkefcvechhhnniikthjtrubjgit

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    3. Re:If someone else has your password by rthille · · Score: 1

      And the 6th:
      ccccccdcbdtu lndrhtuhvtdbngdcdnugikjefnlriein

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    4. Re:If someone else has your password by rthille · · Score: 1

      My GF typed her gmail password into the kiosk computer at a nice hotel and got her account hacked. Some people will make use of computers that aren't safe. You may be "smarter" than that, but you aren't most of Google/Microsofts customers.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  11. spit by raymorris · · Score: 2

    When needed, spit the semen sample out. You can borrow some of mine.

    1. Re:spit by WarJolt · · Score: 1

      I really don't want to give women another excuse to bug me about email login issues. You know how exhausting it is to give out free samples all day.

  12. Please don't push us on to third party services... by chaoskitty · · Score: 1

    "The researchers note the text (PDF)."

    That link was NOT a PDF. Please don't assume that everyone wants to use their browser to read things. That's deceptive. The proper link is:

    http://fc16.ifca.ai/preproceed...

  13. The point is that exploiting the DESKTOP gets both by raymorris · · Score: 1

    The idea of these phone-based two factor schemes was that if a bad guy hacks your browser (ie you have Flash installed), they can't access your accounts without ALSO compromising your phone. They'd have to hack two devices, not just one.

    The researchers point out that the browser can use http://play.google.com/ to remotely compromise your phone. Compromising the desktop browser automatically means they can get the phone too. Therefore hacking just the browser is sufficient. "Two factor auth" is actually single factor, due to the browser-based app store.

  14. Hotmail Plus by tepples · · Score: 1

    Outlook.com works from android phones.

    Outlook.com has a $20/year paid tier that used to be called Hotmail Plus. And there are rumors of a forthcoming $48/year paid tier allowing a custom domain, comparable to Google's $60/year Google Apps for Work.

    So yes, it is possible for a mail user to be Microsoft's or Google's customer.

  15. Fuck everything, we're doing five blades by rsborg · · Score: 1

    Three Factor Authentication!

    Das Onion is always prescient:
    http://www.theonion.com/blogpo...

    --
    Make sure everyone's vote counts: Verified Voting
  16. Re:The point is that exploiting the DESKTOP gets b by sexconker · · Score: 1

    If you're logged into gmail on your desktop, you're logged into your google account, which means you're logged into play.google.com.

  17. 2FA will not protect you against social enginering by xiando · · Score: 2

    Years ago I sold some Bitcoins for a minor amounts on Localbitcoins. 2 years later I learned that someone paid using funds from some kind of hi-jacked back account when the criminal Swedish policemen Peter Fromén and Jan-Olof Berglund broke into my home and stole all my computer hardware and other electronics and some random papers and a few (luckily empty) Bitcoin paper wallets.

    From what I gather some scammer hi-jacked some Facebook page and used that to make the mark type in a code which appeared on the banks login page into a hardware 2FA device and tell the scammer what numbers appeared on the device.

    I eventually got my hardware back but I never saw the papers or the Bitcoin wallets they stole back, they didn't even register that as "confiscated" evidence (I put "confiscated" in quotes because they broke numerous laws required for something to actually be confiscated and they admitted this to the oversight body JO but that's alright because they said all their crimes were "mistakes").

    An important lesson one can learn from this is that even hardware 2FA solutions will not protect complete idiots from giving their credentials away and it will also not protect you from having gave crimes committed against you by the police as a consequence. (another lesson is that you should never accept a bank transfer as payment: it may come back and bite you years later).

    --
    9/11: Never forget it was a false-flag operation