Archive for the ‘two-factor authentication’ Category

I’ll be passing on Google’s new 2fa for logins on iPhones and iPads. Here’s why

June 12th, 2019

Google is expanding its new Android-based two-factor authentication (2fa) to people logging in to Google and Google Cloud services on iPhones and iPads. While Google deserves props for trying to make stronger authentication available to more users, I’ll be avoiding it in favor of 2fa methods Google has had in place for years. I’ll explain why later. First, here’s some background.

Google first announced Android’s built-in security key in April, when it went into beta, and again in May, when it became generally available. The idea is to make devices running Android 7 and up users’ primary 2fa device. When someone enters a valid password into a Google account, the phone displays a message alerting the account owner. Users then tap a "yes" button if the login is legitimate. If it's an unauthorized attempt, the user can block the login from going through.

The system aims to tighten account security in a meaningful way. One of the key causes of account breaches is passwords that are compromised in phishing attacks or other types of data thefts. Google has been a leader when it comes to two-factor protections that by definition require something in addition to a password for someone to gain access to an account.

Posted in 2FA, Android, Biz & IT, google, iOS, iPads, iPhones, two-factor authentication

Google warns Bluetooth Titan security keys can be hijacked by nearby hackers

May 15th, 2019

Google is warning that the Bluetooth Low Energy version of the Titan security key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is advising users to get a free replacement device that fixes the vulnerability.

A misconfiguration in the key’s Bluetooth pairing protocols makes it possible for attackers within 30 feet to either communicate with the key or with the device it’s paired with, Google Cloud Product Manager Christiaan Brand wrote in a post published on Wednesday.

The Bluetooth-enabled devices are one variety of low-cost security keys that, as Ars reported in 2016, represent the single most effective way to prevent account takeovers for sites that support the protection. In addition to the account password entered by the user, the key provides secondary “cryptographic assertions” that are just about impossible for attackers to guess or phish. Security keys that use USB or Near Field Communication are unaffected.

Posted in 2FA, Biz & IT, Bluetooth Low Energy, google, titan security keys, two-factor authentication

U.S. Charges 9 ‘SIM Swapping’ Attackers For Stealing $2.5 Million

May 10th, 2019
The U.S. Department of Justice today announced charges against nine individuals, 6 of whom are members of a hacking group called "The Community" and the other 3 of whom are former employees of mobile phone providers who allegedly helped them steal roughly $2.5 million worth of cryptocurrency using a method known as "SIM Swapping." According to the 15-count indictment unsealed today, five Americans

Posted in cryptocurrency, Cyber Criminal, cyber security, hacking news, Sim Card Cloning, Sim hacking, sim swap, SIM Swapping, SIM Swapping Attacker, SIM Swapping Hacker, two-factor authentication

Android Gets FIDO2 Certification—Now Supports Secure Passwordless Logins

February 25th, 2019
Great news. If you have already installed the latest update of Google Play Services released earlier today, and your Android device is running Android version 7.0 Nougat or above, congratulations! Your device is now FIDO2 Certified. Are you wondering what the heck that actually means? It means, instead of remembering complex passwords for your online accounts, you can now actually use your

Posted in Android, cyber security, FIDO Alliance, FIDO U2F, FIDO Universal 2nd Factor Authentication, FIDO2 Protocol, hacking news, password security, passwordless, two-factor authentication, WebAuthn

Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail

December 13th, 2018

A recent phishing campaign targeting US government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones.

Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets’ level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets’ accounts were protected by 2fa, the attackers redirected targets to a new page that requested a one-time password.

“In other words, they check victims’ usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too,” Certfa Lab researchers wrote.

Posted in 2FA, Biz & IT, google, security keys, SMS, Text, two-factor authentication

Database leak exposes millions of two-factor codes and reset links sent by SMS

November 16th, 2018

Millions of SMS text messages—many containing one-time passcodes, password reset links, and plaintext passwords—were exposed in an Internet-accessible database that could be read or monitored by anyone who knew where to look, TechCrunch has reported.

The discovery comes after years of rebukes from security practitioners that text messages are a woefully unsuitable medium for transmitting two-factor authentication (2FA) data. Despite those rebukes, SMS-based 2FA continues to be offered by banks such as Bank of America, cellular carriers such as T-Mobile, and a host of other businesses.

The leaky database belonged to Voxox, a service that claims to process billions of calls and text messages monthly. TechCrunch said that Berlin-based researcher Sébastien Kaul used the Shodan search engine for publicly available devices and databases to find the messages. The database stored texts that were sent through a gateway Voxox provided to businesses that wanted an automated way to send data for password resets and other types of account management by SMS. The database provided a portal that showed two-factor codes and reset links being sent in near real time, making it potentially possible for attackers who accessed the server to obtain data that would help them hijack other people’s accounts.

Posted in 2FA, Biz & IT, Data breaches, SMS, Text, two-factor authentication

Google Announces 5 Major Security Updates for Chrome Extensions

October 2nd, 2018
Google has made several new announcements for its Chrome Web Store that aim to make Chrome extensions more secure and transparent to its users. Over the past couple of years, we have seen a significant rise in malicious extensions that appear to offer useful functionality while running hidden malicious scripts in the background without the user's knowledge. However, the best part is that

Posted in browser hacking, browser security, chrome extension, chrome extension development, Chrome security, cybersecurity, Google Chrome, Google Chrome Extension, Google Security, two-factor authentication