Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anywhere Computing Makes 2FA Insecure On iOS and Android (thestack.com)

Posted by msmash on from the 2FA-not-as-secure-as-you-think dept.

An anonymous reader writes: Academics from the VU University Amsterdam have identified a new class of vulnerabilities to two-factor authentication, commonly used to protect transactions involving financial and private information. The vulnerability leaves users of both Android and Apple mobile devices open to the theft of personal information by hackers. The researchers note the text (PDF). While anywhere computing is generally considered to be a good thing, the research claims that integration across multiple platforms essentially removes the gap between those platforms, and it is that gap that is required to make two-factor authentication secure. Without a gap between devices, a common hack called the man-in-the-browser attack can be elevated to intercept the one-time password generated for two-factor authentication, thereby rendering two-factor authentication useless.

7 of 69 comments (clear)

  1. Next up... by Lab+Rat+Jason · · Score: 3, Funny

    Three Factor Authentication!

    --
    Which has more power: the hammer, or the anvil?
    1. Re:Next up... by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

      Next up... Three Factor Authentication!

      Fuck everything, we're doing Five Factor Authentication!

  2. This isn't new.. by Anonymous Coward · · Score: 3, Interesting

    I heard two stories just recently about people abusing 2FA. One guy was a contractor, who sub-contracted all of his work (for multiple employers at once!) to programmers in China.. he had mailed his RSA key to them so they could log into the VPN on his behalf and do his work. Funny thing is, they did quality work apparently, and the guy was winning awards for high productivity/quality in the companies he contracted for...

    Another story related how someone had just set up a webcam, again, pointing at an RSA token, so they could log in from anywhere. Hope their webcam was secure from 3rd party eyes! (not likely).

    Unless the 2FA is grafted into one's body and somehow detects duress too, it'll be susceptible to unauthorized use, just like anything else. It's really about estimating acceptable risk -- everything's hackable.

    1. Re:This isn't new.. by dgatwood · · Score: 4, Insightful

      Implementing a 'secure' token in software on an internet connected computer that also runs god knows what else has always been a shoddy idea; popular purely because it's cheaper than dedicated hardware; and possibly not quite as awful as your average password. It's never been, or even pretended to be, an actually trustworthy approach.

      Exactly. And many of us have been saying that for years. The unfortunate problem is that many people see these sorts of technologies, and think to themselves, "This makes me secure", whereas in practice, the security benefit of any software-based second factor is zero if somebody has successfully 0wn3d your hardware. With that said, this statement doesn't go far enough. In practice, the security benefit of any second factor is zero if either communication endpoint is insecure, regardless of what the second factor is, and regardless of how many factors are involved.

      Suppose I'm an attacker. If I can compromise your browser, I can show a fake error page. Therefore, if I want to do a transaction on your account, I can just wait for you to perform one, use your OTP to perform some nefarious action, then issue an error page, forcing you to enter a new OTP, then let the user perform the action again and allow the action to go through. Even better, I could perform the user action first, show an error page to trick the user into providing a new OTP, and then perform the nefarious action second. That way, I can show the legitimate response page at the end, as though the nefarious action hadn't happened, hiding the fact that I just transferred your entire account balance to an account in Switzerland or whatever. A sufficiently sophisticated attacker could actually fake all of the response screens sufficiently to mask their actions until days or weeks later, when your bank sends you a snail-mail letter telling you that you're bouncing checks.

      That's why the first rule of computer security, IMO, should be, "If you can't trust both endpoints, you can't trust the data."

      The takeaway for anyone who wants to be more secure is this: Always use your landline phone as your second factor, and make sure that it is POTS-based and not a VoIP home phone. In some cases a POTS line can be trunked in a way that could make it possible to redirect calls somewhere else through software-based attacks, so for a truly skilled attacker, even that isn't 100% safe, but it is orders of magnitude safer than a cell phone.

      The takeaway for banks and other institutions is that Internet-connected devices make poor second factors, and they should really collaborate to come up with a common platform for second-factor authentication using shared hardware tokens (e.g. OATH with OTPs) and require their customers to use them. Ideally, they should do so in a way that the customer can use a single second factor for all their accounts at various banks, relying on the passwords to ensure that someone who steals the fob won't gain access to all of the user's accounts. And ideally, they should come up with a way to provide (with some reasonable degree of certainty) a hash check on the password to ensure that the user doesn't use the same password on multiple sites. This could be a good browser feature.

      The takeway for OS designers is pretty extensive; I'd recommend that anybody involved in any sort of operating-system security read the original white paper, because it would take too long to summarize the chain of attacks involved.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Yep by mattventura · · Score: 2

    I just love how Steam tries so hard to use their "mobile authenticator" thing, when all that accomplishes is giving someone who exploits your phone access to the Steam credentials, steam guard auth, and recovery email all in one go. At least with the Blizzard authenticator app, it didn't hold any account credentials, and you could buy hardware ones too.

    On top of that, even if you had 500-factor authentication, it wouldn't stop some luser from getting phished, since they'd just put their 500 authentication details into the fake page.

  4. spit by raymorris · · Score: 2

    When needed, spit the semen sample out. You can borrow some of mine.

  5. 2FA will not protect you against social enginering by xiando · · Score: 2

    Years ago I sold some Bitcoins for a minor amounts on Localbitcoins. 2 years later I learned that someone paid using funds from some kind of hi-jacked back account when the criminal Swedish policemen Peter Fromén and Jan-Olof Berglund broke into my home and stole all my computer hardware and other electronics and some random papers and a few (luckily empty) Bitcoin paper wallets.

    From what I gather some scammer hi-jacked some Facebook page and used that to make the mark type in a code which appeared on the banks login page into a hardware 2FA device and tell the scammer what numbers appeared on the device.

    I eventually got my hardware back but I never saw the papers or the Bitcoin wallets they stole back, they didn't even register that as "confiscated" evidence (I put "confiscated" in quotes because they broke numerous laws required for something to actually be confiscated and they admitted this to the oversight body JO but that's alright because they said all their crimes were "mistakes").

    An important lesson one can learn from this is that even hardware 2FA solutions will not protect complete idiots from giving their credentials away and it will also not protect you from having gave crimes committed against you by the police as a consequence. (another lesson is that you should never accept a bank transfer as payment: it may come back and bite you years later).

    --
    9/11: Never forget it was a false-flag operation