• Adding Extra Authentication Layers May Not Make You More Secure


    #115843

    Biometrics have been touted as increasing security, but recent articles give pause for thought.

    ESET Security/Welivesecurity.com’s article “Fingerprint Security: Three Myths Busted” highlights that fingerprints can be stolen, copied and used to bypass today’s readers, so passwords are unlikely to become obsolete any time soon.

    And Security Research Labs headline reads “Fingerprints are not fit for secure device unlocking”!

    Fingerprint Security: Three Myths Busted

    Spoofing Fingerprints

     
    Even Voice Recognition won’t create foolproof security, with new technology that clones vocal pitch “accurately enough to make him or her say anything you want. The potential risks are obvious: If your phone requires your voice to unlock it, an attacker with some audio of your voice could do it.”
    “… biometrics can still be an effective layer of security if, as FIDO standards specify they are, ‘limited in scope to only the first of a two-step process that also requires physical possession of the authorized user’s personal device.’”

    “Because voice transformation technologies are increasingly available, it is becoming harder to detect whether a voice has been faked.”

    Vocal Theft On The Horizon

     
    So you might think a text is safe for two-factor authentication? Think again on that too…

    It’s not, as detailed in a Wired.com article:
    “SMS text messages are often the weakest link in two-step logins … it can be intercepted. And that means you’re potentially at some level of risk.

    Those attacks aren’t exactly easy to pull off, and likely require the attacker to figure out the user’s cell phone number in addition to the password that they’ve stolen, guessed, or reused after being compromised in a data breach from another hacked service. But for anyone who might be a target of sophisticated hackers, all of those techniques mean SMS should be avoided when possible for anything login-related.”

    Hey, Stop Using Texts For Two Factor Authentication

     
    It seems like the perfect solution has yet to be found.

    2 users thanked author for this post.
    • #116023

      @troyhunt has tweeted a link to his blogpost:

      Reckon you’ve seen some stupid security things? Here, hold my beer…
      28 April 2017

      It contains some classic examples of security-fails, and is well worth reading. Stupid may be something of an understatement.
      (NB some language may offend)

      1 user thanked author for this post.
    • #117908

      LastPass Authenticator’s Cloud Backup option explained
      By Martin Brinkmann | May 23, 2017

      LastPass Authenticator is a free application for Android and iOS devices that can generate two-factor authentication codes for you.

      The application is compatible with LastPass accounts, but works also with other services that support two-factor authentication such as Google or LogMeIn. The app supports all services or apps that use Google Authenticator, or TOTP-based two-factor authentication.

      Once you have added an account to the app, it either generates two-factor authentication codes continuously when open, or displays confirmation prompts that you need to respond to, to sign-in to the selected service.

      LastPass Authenticator is compatible with the company’s password manager application, but does not require it. Some functionality is limited however when you don’t connect LastPass Authenticator to a LastPass Account.

       
      Read the full article here

    • #119043

      Here Is How Hackers Bypass Google’s Two-Factor Authentication

      DigitalMunition.me | May 26th, 2017

       
      You may have read reports of Gmail accounts being hacked despite the user having enabled the famed Google 2FA or two-factor authentication. This is because hackers are employing a new strategy to lure gullible users to hand over the 2FA code.

      Some people can be tricked into disclosing their two-factor authentication code to criminals, as there is a new sly trick that makes them think that they are in fact protecting their accounts while doing so.

      Mainly, the attackers were mentally preparing the victim to receive the 2FA verification code, in order to facilitate the following illegal login attempt they were about to perform. The criminals were going to access MacCaw’s account, and when his 2FA system would commence, MacCaw would act to lock his account by sending the “verification code to Google.” In fact, MacCaw would be sending the 2FA code to the criminal, who would then enter it in the login page and access his account, with his help.

       
      Read the full article here to see how this happens.

    • #124449

      Two-factor authentication is a mess
      It was supposed to be a one-stop security fix. What happened?

      by Russell Brandom @russellbrandom | Jul 10, 2017

       
      The promise of two-factor began to unravel early on. By 2014, criminals targeting Bitcoin services were finding ways around the extra security, either by intercepting software tokens or more elaborate account-recovery schemes. In some cases, attackers went after phone carrier accounts directly, setting up last-minute call-forwarding arrangements to intercept codes in transit. Drawn by the possibility of thousand-dollar payouts, criminals were willing to go further than the average hacker.
      …
      Outside of Bitcoin, it’s become clear that most two-factor systems don’t stand up against sophisticated users. Documents published this month by The Intercept show Russian groups targeting US election officials had a ready-made plan for accounts with two-factor, harvesting confirmation codes using the same methods they used to grab passwords.

      In most cases, the problem isn’t two-factor itself, but everything around it. If you can break through anything next to that two-factor login — whether it’s the account-recovery process, trusted devices, or the underlying carrier account — then you’re home free.

      Two-factor’s trickiest weak point? Wireless carriers.

       
      Read the full article on theverge.com

      1 user thanked author for this post.
    • #135552

      Further on the subject of email security and U2F (Universal 2nd Factor)…


      Google Reportedly Plans Stronger Authentication Options
      Experts Welcome ‘Advanced Protection Program’ Involving Physical USB Keys
      Mathew J. Schwartz (euroinfosec) • October 4, 2017

      Google’s two-step verification setting, for example, sends a one-time login code to a user via SMS or a voice call, or a user can tap the Google Authenticator app to generate the code.

      But these additional log-in factors can be intercepted by attackers.

      “SMS is the weakest and not considered secure, especially for high profile users,” Chester Wisniewski, principal research scientist at British anti-virus firm Sophos, tells Information Security Media Group. “Time-based tokens like Google Authenticator are good, but can be phished. Google also offers push notifications to Android users, which are reasonably secure, but nothing really beats a physical token.”

      Sean Sullivan, a security adviser at Finnish anti-virus firm F-Secure, tells ISMG that phishing attackers can send victims to sites that collect their Gmail login usernames and passwords, as well as their SMS codes or one-time tokens. Working quickly, attackers can log in to victims’ accounts before the codes or tokens expire.

       
      Read the full article here
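
The thread keeps returning to one point: a TOTP code of the kind LastPass Authenticator and Google Authenticator generate (post #117908) is a bearer value that is valid no matter which page it was typed into, which is why the relay tricks described in posts #119043 and #135552 work inside the code’s validity window, while a physical U2F key signs over the origin the browser is actually connected to. The script below is an added example written for this thread; it is not code from any of the quoted articles or from LastPass, Google or the FIDO Alliance. It implements RFC 6238 TOTP with the Python standard library and a deliberately simplified U2F-style assertion in which an HMAC over (challenge, origin) with a registration-time secret stands in for the ECDSA signature real U2F uses. The origins, device key and challenge are constructed values, and the TOTP secret is the RFC 6238 Appendix B test-vector secret.

```python
import hashlib
import hmac
import struct

# --- TOTP (RFC 6238 on top of RFC 4226 HOTP), the scheme authenticator apps use ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """TOTP: HOTP whose counter is the current 30-second window."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server side: accepts the code for the current window +/- one window and
    never accepts the same window twice (the RFC 6238 section 5.2 replay rule)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # a code for this window was already consumed
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


# --- Constructed scenario: a look-alike page forwards whatever the victim types ---

SECRET = b"12345678901234567890"           # RFC 6238 Appendix B test-vector secret, not a real key
REAL_ORIGIN = "https://accounts.example"      # constructed
PHISH_ORIGIN = "https://accounts-example.test"  # constructed look-alike origin


def totp_relay_succeeds(unix_time: int) -> bool:
    """The victim types the code into the look-alike page at unix_time and it is
    forwarded to the real site five seconds later, still inside the window.
    The code carries no information about where it was typed, so it is accepted."""
    victim_code = totp(SECRET, unix_time)
    server = TotpVerifier(SECRET)
    return server.verify(victim_code, unix_time + 5)


def totp_replay_rejected(unix_time: int) -> bool:
    """Submitting the same code a second time is refused. This is correct server
    behaviour, but it only helps after the first use, not against a live relay."""
    server = TotpVerifier(SECRET)
    code = totp(SECRET, unix_time)
    first = server.verify(code, unix_time)
    second = server.verify(code, unix_time + 1)
    return first and not second


# --- Simplified U2F-style assertion: the signed data includes the origin ---

def u2f_sign(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The browser supplies the origin it is really connected to and the key signs
    over it. HMAC with a registration-time secret stands in for ECDSA here."""
    return hmac.new(device_key, challenge + b"|" + browser_origin.encode(), hashlib.sha256).digest()


def u2f_verify(device_key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """Relying party: recompute over the origin it expects and compare."""
    expected = u2f_sign(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


DEVICE_KEY = b"constructed-device-registration-secret"  # constructed
CHALLENGE = b"constructed-challenge-0000000000"          # constructed


def u2f_relay_succeeds() -> bool:
    """The look-alike page forwards the real site's challenge; the victim's
    browser signs it with PHISH_ORIGIN, so the real site's check fails."""
    assertion = u2f_sign(DEVICE_KEY, CHALLENGE, PHISH_ORIGIN)
    return u2f_verify(DEVICE_KEY, CHALLENGE, REAL_ORIGIN, assertion)


def u2f_direct_login_succeeds() -> bool:
    """Same key, same challenge, but the browser is really on REAL_ORIGIN."""
    assertion = u2f_sign(DEVICE_KEY, CHALLENGE, REAL_ORIGIN)
    return u2f_verify(DEVICE_KEY, CHALLENGE, REAL_ORIGIN, assertion)


if __name__ == "__main__":
    print("RFC 6238 vector T=59 ->", totp(SECRET, 59))
    print("TOTP forwarded from look-alike page accepted:", totp_relay_succeeds(1_500_000_000))
    print("TOTP replay rejected:", totp_replay_rejected(1_500_000_000))
    print("U2F assertion forwarded from look-alike page accepted:", u2f_relay_succeeds())
    print("U2F direct login accepted:", u2f_direct_login_succeeds())
```

The first check prints the RFC 6238 test vector (T=59 gives 287082 at six digits), confirming the TOTP implementation matches what authenticator apps produce. The two TOTP functions show why Wisniewski’s “good, but can be phished” holds: the verifier’s replay rule is sound, yet nothing in a six-digit code ties it to the page it was entered on. The U2F functions show what the physical token changes: the origin is part of the signed data, so an assertion produced while the browser is on the wrong origin fails verification at the real site without any user judgement being involved.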
