Chinese hacker group caught, getting past two factor.

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,667
Reaction score
22,771
FYI - for those following this subject.

Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup
The tech community has known about the risk of using SMS in two-factor authentication for years. Reddit appears to have missed the memo.


note - poor IT security practices exist, and often IT security is considered a "cost" not a "profit" for many companies - thus IT security missions may not get enough resources.
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,287
Reaction score
3,252
Location
United Kingdom
Using an SMS has always been prone to risk due to how easy it is to clone a SIM card, worrying really as banks seem to think it’s OK to use. I refuse to bank with a bank where SMS is used to authenticate.
 

iseeker

Getting the hang of it
Joined
Nov 16, 2018
Messages
229
Reaction score
90
Location
TEXAS
For those interested in which banks or other sites have 2FA enabled - this site does a good job. Always surprises me which sites still use sms.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
For those 2FA (2-factor authorization... like logging into a bank and they send you a text message with a code you must enter) noobies like myself... so using text messaging to receive the code is not a good idea? Should I use email instead?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
It depends on how thorough your bank is when validating the answers to the security questions asked when they get a phone call to say that you have changed your mobile number.
And also your phone provider when they are called to say you've broken your SIM and need another one. In other words, SIM hijacking.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Maybe just review and possibly update your security Q&A with your bank and mobile provider.
And assess how thoroughly they quiz you to be sure it's you.
 

smoothie

Pulling my weight
Joined
Dec 19, 2015
Messages
223
Reaction score
178
2FA or 2SV, two factor authentication or 2 step verification respectively, are excellent ways to increase security for digital accounts.

Computer security can be thought of as a triangle, the three points on the triangle are:
Something you know (password)
Something you have (RSA key, SMS code, hardware key, etc)
Something you are (fingerprint, retinal scan, vascular scan, etc)

The more points of the triangle involved in authentication the more secure the system and the harder it is to gain unauthorized access.

2FA/2SV is 2 points of the triangle; for various reasons, mostly technological, the second factor of authentication is commonly "something you have" but can be "something you are". So, if it isn't already obvious, some systems allow you to have 3FA/3SV, but they are uncommon.

The common forms of 2FA/2SV are:
1) SMS or text message delivered code - This is better than nothing, but with SIM card cloning or social engineering all you need is a means of having those texts/SMS sent to an alternative device to defeat this system. Not easy, but not hard either.
2) Voice call from an automated system - Same as 1 above, but uses a voice call instead of a text/SMS.
3) Email code - This sends an email to the registered address on file with a 6 to 8 digit code. This system relies on the email account not being compromised and largely relies on the email servers being well maintained and the user having a strong password.
4) TOTP app on a smart phone - One of the most secure methods for 2FA/2SV. This uses an app to generate a 30 second rotating code which uses complex math to prevent prediction of the next code. Google Authenticator, Duo Security, Microsoft and a number of other organizations have these apps available for free download.
5) Hardware authentication key - this is a physical device commonly USB that is plugged into the computer or smartphone to provide the authentication. It is the most secure method commonly available. Google and a number of other companies offer such devices for sale.

TOTP stands for Time-based One Time Password. This system uses factoring of very large prime numbers along with other math to generate unpredictable codes. No matter how many previous codes you have, you can never predict what the next code will be. The app on your smartphone and the server you are authenticating against both have the same "seed" number, and the timing is important such that at any given moment of the day the matching code can be calculated on both devices simultaneously and thus they can authenticate with each other. Because of the 30 second lifespan of the code, the unpredictable nature of the code and the unknown "seed", this method is highly secure. To compromise this method an attacker would need to have your phone or know the initial seed. The initial seed is lost once the authentication is added to the app. The seed is commonly given as a QR code, one of those square barcode checkerboard patterns, which is scanned by the app using the smartphone camera at the time of setup. Once that QR code is gone from the computer screen it is irretrievable and so cannot be duplicated. The seed then exists only in the smartphone app and the authenticating server. TOTP is an extension of HOTP, or HMAC-based One Time Password, which in turn is based on HMAC, or Hash-based Message Authentication Code. For the curious, here are the Wikipedia articles on each:
TOTP - Time-based One-time Password algorithm - Wikipedia
HOTP - HMAC-based One-time Password algorithm - Wikipedia
HMAC - HMAC - Wikipedia

Hardware authentication keys are the most secure as they require the use of a physical device that is unique and cannot be duplicated. If the physical key is lost or destroyed the 2FA/2SV on that account must be removed and setup anew with a new hardware key. This is more common in businesses since there will be an IT department that can have administrator access and remove the 2FA/2SV. An individual using a personal @gmail.com account may have extensive difficulty in trying to recover an account with a lost hardware key.
Here is the link to the Google Titan Security Key store page -
Many systems such as Google allow for the creation of one time bypass codes. This is a set of about 8-10 numeric sequences that are meant to be printed on a page of paper and stored in a safe place. Should the 2FA/2SV device be lost/stolen/destroyed the user can authenticate using one of these codes. Each code is usable only once and the Google account shows if codes have been created and if any have been used.

While having 2FA/2SV on any and all systems that support it is highly valuable and increases your security dramatically, it is vitally important to consider how you would regain access to these various accounts if you were to lose your PC, laptop, tablet, smartphone or hardware key.
 

iseeker

Getting the hang of it
Joined
Nov 16, 2018
Messages
229
Reaction score
90
Location
TEXAS
For those 2FA (2-factor authorization... like logging into a bank and they send you a text message with a code you must enter) noobies like myself... so using text messaging to receive the code is not a good idea? Should I use email instead?
Good explanations already. Email/text probably on the same level for 2FA. I was referring more to the relative difference between using an app, like authy or lastpass Authenticator, vs text/email. I still use those when that is the only choice.

It befuddles me that companies like PayPal, to which many people give their debit card number, do not use a more secure form of 2FA. They authenticate 2FA through text message.
 

iseeker

Getting the hang of it
Joined
Nov 16, 2018
Messages
229
Reaction score
90
Location
TEXAS
@smoothie - great stuff. Is that original content? If so, kudos. If not, still really good stuff and would be interested in the link.
 

smoothie

Pulling my weight
Joined
Dec 19, 2015
Messages
223
Reaction score
178
@smoothie - great stuff. Is that original content? If so, kudos. If not, still really good stuff and would be interested in the link.
Thanks @iseeker yeah it was original content off the top of my head but I did have to look up the links I posted.

I agree that companies like PayPal are just being terribly lazy with their 2FA offerings. There are a great many that allow you to use 3rd party TOTP apps, such as GoDaddy allowing the use of the Google Authenticator app. How PayPal hasn't done this is inexcusable, but I guess they just don't have the motivation to do it. Hopefully one day they will.
 

smoothie

Pulling my weight
Joined
Dec 19, 2015
Messages
223
Reaction score
178
A pretty good way to build up your 2FA implementation with an out if you lose your device is to build it around an @gmail.com account with 2FA and print the codes, photocopy them and store the copies separately. For example, one at your office and one at home. Or one with a trusted friend and one at home. Most systems will allow you to remove the 2FA if you have access to the master email account. By having a long and complicated password for your @gmail.com email with 2FA and backup codes, you could type the password from memory and use a backup code. Once you are into your @gmail.com email you could remove 2FA from your LastPass, which also has a password you memorized. Then between Gmail and LastPass you could get back into all your online accounts and remove the 2FA as needed. Immediately replace your smartphone and rebuild all the 2FA. It is a serious chore to do, but it is achievable with just the knowledge in your head and that piece of paper with the backup codes. If you really wanted to be an Uber-Geek you could memorize one of the backup codes as well.

I personally use LastPass with 2FA via the LastPass Authenticator App and I am very happy with it. The free version does everything except for sharing and emergency access. Sharing allows you to create one or more folders and share their contents with another premium LastPass user such as a spouse, any saved sites in the shared folder are accessible to both people and you can control if the other person can edit or just read. Emergency access allows you to nominate another premium LastPass user as your emergency access and you can set a time delay of minutes to days. If that other person requests emergency access it is granted to them after the delay (if any is set) elapses. This is useful to grant your spouse access if you are in a coma or abducted by aliens. Using the LastPass security audit gives you a good measure of how secure you have your online life setup. LastPass also has an app for smartphones and a browser plugin for most popular browsers.
 

iseeker

Getting the hang of it
Joined
Nov 16, 2018
Messages
229
Reaction score
90
Location
TEXAS
I personally use LastPass with 2FA via the LastPass Authenticator App and I am very happy with it.
Me too. 97% on the security test right now

On my app, I see security and emergency access. I didn’t go through all the steps, but it seems like I could grant it to someone. Two of my family members have granted me emergency access, and neither of them are premium users. I can also share an individual password securely to another LastPass user (but not a folder). I used to pay for the premium version, but then they made the free one so great.
 

smoothie

Pulling my weight
Joined
Dec 19, 2015
Messages
223
Reaction score
178
Impressive score, well done. Admittedly it has been a while since I last looked at the premium versus free LastPass.
 