Anywhere Computing Makes 2FA Insecure On iOS and Android (thestack.com)
An anonymous reader writes: Academics from the VU University Amsterdam have identified a new class of vulnerabilities to two-factor authentication, commonly used to protect transactions involving financial and private information. The vulnerability leaves users of both Android and Apple mobile devices open to the theft of personal information by hackers. The researchers note the text (PDF). While anywhere computing is generally considered to be a good thing, the research claims that integration across multiple platforms essentially removes the gap between those platforms, and it is that gap that is required to make two-factor authentication secure. Without a gap between devices, a common hack called the man-in-the-browser attack can be elevated to intercept the one-time password generated for two-factor authentication, thereby rendering two-factor authentication useless.
Next up... (Score:4, Funny)
Three Factor Authentication!
spit (Score:3)
When needed, spit the semen sample out. You can borrow some of mine.
Re: (Score:2)
I really don't want to give women another excuse to bug me about email login issues. You know how exhausting it is to give out free samples all day.
Re: (Score:1)
Thank you very much, but I have a PIN calculator which has enough one time pad for about 2900 years of intensive use (battery will run out sooner), and it takes no input except its own 5-digit PIN from its very own keyboard. It conveniently fits in my pocket, and is slim enough to dispose of by crushing or burning with a lighter. :P
It will provide me with my authentication for my banking purposes, and to be honest, I trust it a bit more than our clunky national ID card, about which nobody knows who the fck
Re:Next up... (Score:5, Funny)
Fuck everything, we're doing Five Factor Authentication!
Re: (Score:2)
1. Don't use txt for 2FA.
2. Generate authentication tokens in a trusted machine inside your cell phone (i.e. TrustZone)
Or
Use a separate RSA token generator.
Either way txt is the worst idea for 2FA.
2FA only makes it harder for hackers. I'd like to see the types of mass account compromises that we see with password auth alone.
So let's calm down and not go overboard.
Re: (Score:2)
Later...
"All three authentication steps have been breached!"
"Oh, the fools! If only they'd built it with four-factor authentication! When will they learn?!?"
Fuck everything, we're doing five blades (Score:2)
Three Factor Authentication!
Das Onion is always prescient:
http://www.theonion.com/blogpo... [theonion.com]
Not all 2FA (Score:2)
Only the 2FA that requires input from the user because the input dialogs can be spoofed.
If you have a system that calls you and requires you to press 1 (for example) which then triggers the server side to continue the workflow, that should still be secure... right?
Re: (Score:2)
Not necessarily. Sure, this article is strictly about malicious programmers taking advantage of text message sharing to let a compromised computer obtain the text messages sent to a phone, but with Apple's Continuity feature, it is also possible to take phone calls on your Mac or on other non-phone iOS devices, as long as the iPhone is on the same Wi-Fi network.
If it is possible for someone writing a malicious Mac app to then control that audio stream, then in theory it would be possible for an attacker t
This isn't new.. (Score:3, Interesting)
I heard two stories just recently about people abusing 2FA. One guy was a contractor, who sub-contracted all of his work (for multiple employers at once!) to programmers in China.. he had mailed his RSA key to them so they could log into the VPN on his behalf and do his work. Funny thing is, they did quality work apparently, and the guy was winning awards for high productivity/quality in the companies he contracted for...
Another story related how someone had just set up a webcam, again, pointing at an RSA token, so they could log in from anywhere. Hope their webcam was secure from 3rd party eyes! (not likely).
Unless the 2FA is grafted into one's body and somehow detects duress too, it'll be susceptible to unauthorized use, just like anything else. It's really about estimating acceptable risk -- everything's hackable.
Re: (Score:2)
In both cases you mention, the users were acting in direct opposition to what their admins would want; but the authentication fobs dutifully performed exactly as the users expected them to. They didn't mail themselves to China, or just get caught clandestinely camwhoring.
When the 'second fa
Re:This isn't new.. (Score:5, Insightful)
Exactly. And many of us have been saying that for years. The unfortunate problem is that many people see these sorts of technologies, and think to themselves, "This makes me secure", whereas in practice, the security benefit of any software-based second factor is zero if somebody has successfully 0wn3d your hardware. With that said, this statement doesn't go far enough. In practice, the security benefit of any second factor is zero if either communication endpoint is insecure, regardless of what the second factor is, and regardless of how many factors are involved.
Suppose I'm an attacker. If I can compromise your browser, I can show a fake error page. Therefore, if I want to do a transaction on your account, I can just wait for you to perform one, use your OTP to perform some nefarious action, then issue an error page, forcing you to enter a new OTP, then let the user perform the action again and allow the action to go through. Even better, I could perform the user action first, show an error page to trick the user into providing a new OTP, and then perform the nefarious action second. That way, I can show the legitimate response page at the end, as though the nefarious action hadn't happened, hiding the fact that I just transferred your entire account balance to an account in Switzerland or whatever. A sufficiently sophisticated attacker could actually fake all of the response screens sufficiently to mask their actions until days or weeks later, when your bank sends you a snail-mail letter telling you that you're bouncing checks.
That's why the first rule of computer security, IMO, should be, "If you can't trust both endpoints, you can't trust the data."
The takeaway for anyone who wants to be more secure is this: Always use your landline phone as your second factor, and make sure that it is POTS-based and not a VoIP home phone. In some cases a POTS line can be trunked in a way that could make it possible to redirect calls somewhere else through software-based attacks, so for a truly skilled attacker, even that isn't 100% safe, but it is orders of magnitude safer than a cell phone.
The takeaway for banks and other institutions is that Internet-connected devices make poor second factors, and they should really collaborate to come up with a common platform for second-factor authentication using shared hardware tokens (e.g. OATH with OTPs) and require their customers to use them. Ideally, they should do so in a way that the customer can use a single second factor for all their accounts at various banks, relying on the passwords to ensure that someone who steals the fob won't gain access to all of the user's accounts. And ideally, they should come up with a way to provide (with some reasonable degree of certainty) a hash check on the password to ensure that the user doesn't use the same password on multiple sites. This could be a good browser feature.
The takeaway for OS designers is pretty extensive; I'd recommend that anybody involved in any sort of operating-system security read the original white paper, because it would take too long to summarize the chain of attacks involved.
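The "OATH with OTPs on a shared hardware token" idea in the comment above, as an added example (not the commenter's code): an RFC 4226 HOTP generator plus the server-side check a bank would run, with a counter that rejects a replayed code and a small look-ahead window for tokens pressed without a login. Names are my own; the seed is the RFC 4226 test-vector secret. As the comment says, this still does not help when an endpoint is compromised, because a man-in-the-browser forwards a fresh code rather than replaying an old one.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class HotpValidator:
    """Server side of the shared-token scheme (hypothetical): one secret per
    token, a monotonically increasing counter, and a look-ahead window so a
    token pressed a few times without logging in does not desynchronise."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.window = window

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1  # consume it: the same code is never accepted twice
                return True
        return False

def demo():
    secret = b"12345678901234567890"  # RFC 4226 test-vector seed (constructed input)
    v = HotpValidator(secret)
    first = v.verify(hotp(secret, 0))    # genuine press: accepted
    replay = v.verify(hotp(secret, 0))   # same code captured and replayed: rejected
    skipped = v.verify(hotp(secret, 3))  # user pressed the token twice unused: inside window
    stale = v.verify(hotp(secret, 2))    # old code captured earlier: behind the counter
    return first, replay, skipped, stale

if __name__ == "__main__":
    print(demo())
```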
Re: (Score:2)
Yep (Score:3)
On top of that, even if you had 500-factor authentication, it wouldn't stop some luser from getting phished, since they'd just put their 500 authentication details into the fake page.
Re: (Score:2)
Ironically (Score:2)
Anywhere Computing Makes 2FA Insecure On iOS and Android
Windows Phone remains unaffected!
Re: (Score:2)
2-Step Auth != 2-Factor Auth (Score:1)
Re: (Score:2)
Re: (Score:2)
This guy gets it.
Real (physical) security is based on the model of something you have, something you are, and something you know being verified by the authenticating party.
This is you walking into a bank and the teller or account manager looking at you, your government-issued photo ID, and asking for your account number, PIN, SSN, etc.
They verify you are an early-twenties, 450 pound, balding, acne-riddled lump of a man. They verify you have a state ID (but not a driver's license because you're useless) that
Just Stop (Score:2)
Windows license and Microsoft accounts (Score:2)
I've been locked out of both Microsoft and Google accounts
Are you paying for the service?
Yes. Services that use a Microsoft account are included in the price of a Windows license.
Hotmail Plus (Score:2)
Outlook.com works from android phones.
Outlook.com has a $20/year paid tier [microsoft.com] that used to be called Hotmail Plus. And there are rumors of a forthcoming $48/year paid tier [techcrunch.com] allowing a custom domain, comparable to Google's $60/year Google Apps for Work [google.com].
So yes, it is possible for a mail user to be Microsoft's or Google's customer.
Re: (Score:2)
If someone else has your password (Score:2)
If I have my password, I want to get into my account.
If someone else guesses your password, someone else wants to get into your account. If you reuse your password on another service, and someone else cracks said other service's password database, someone else wants to get into your account. How would you recommend to defend against these attacks other than through 2FA?
Re: (Score:2)
That's not at all what a yubikey is.
Yubikeys generate OTPs, not static passwords (well, you can configure a static password, but it seems idiotic to pay >$10 for that).
Here's the output from mine for 5 key presses (with spaces added to get around the filter). See if you can predict the 6th:
ccccccdcbdtu fltbbccvutvidrkttrtuhdlcdftlihvu
ccccccdcbdtu biulnjerdjgvduevjnbdvjettfunbigk
ccccccdcbdtu cegcfgebcdflthefgnddfvrttvjrceel
ccccccdcbdtu dhhvviiinktjjculbegjutncnftrhbtr
ccccccdcbdtu ubjvvrkefcvechhhnniikthjt
Re: (Score:2)
And the 6th:
ccccccdcbdtu lndrhtuhvtdbngdcdnugikjefnlriein
Re: (Score:2)
If I have my password, I want to get into my account.
If someone else guesses your password, someone else wants to get into your account. If you reuse your password on another service, and someone else cracks said other service's password database, someone else wants to get into your account. How would you recommend to defend against these attacks other than through 2FA?
How about NOT doing any of those things you mentioned, and having a good password. 2FA may be good for people who actually need it. But for most people it just increases your chance of getting locked out of your account. Some people don't want to give up their phone numbers and be "protected."
Re: (Score:2)
My GF typed her gmail password into the kiosk computer at a nice hotel and got her account hacked. Some people will make use of computers that aren't safe. You may be "smarter" than that, but you aren't most of Google/Microsoft's customers.
Re: (Score:2)
Re: (Score:2)
The point is that exploiting the DESKTOP gets both (Score:2)
The idea of these phone-based two factor schemes was that if a bad guy hacks your browser (i.e. you have Flash installed), they can't access your accounts without ALSO compromising your phone. They'd have to hack two devices, not just one.
The researchers point out that the browser can use http://play.google.com/ [google.com] to remotely compromise your phone. Compromising the desktop browser automatically means they can get the phone too. Therefore hacking just the browser is sufficient. "Two factor auth" is actually
Re: (Score:2)
If you're logged into gmail on your desktop, you're logged into your google account, which means you're logged into play.google.com.
Already vulnerable in many cases (Score:1)
The approach requires a Man-in-the-Browser attack which assumes the hacker already has control over your PC/laptop/whatever you're syncing your phone to. But the way I (and I imagine most others who don't have a pressing need to be security paranoid) use 2FA we stay "authenticated" on most devices we already use, and only revoke access if we have reason to believe we've been compromised. So if you successfully hack my home computer I've probably already given up the ghost. For me the main appeal of 2FA is t
Re: (Score:2)
Please don't push us on to third party services... (Score:2)
"The researchers note the text (PDF)."
That link was NOT a PDF. Please don't assume that everyone wants to use their browser to read things. That's deceptive. The proper link is:
http://fc16.ifca.ai/preproceed... [fc16.ifca.ai]
2FA will not protect you against social engineering (Score:3)
From what I gather some scammer hijacked some Facebook page and used that to make the mark type in a code which appeared on the bank's login page into a hardware 2FA device and tell the scammer what numbers appeared on the device.
I eventually got my hardware back but I never saw the papers or the Bitcoin wallets they stole back, they didn't even register that as "confiscated" evidence (I put "confiscated" in quotes because they broke numerous laws required for something to actually be confiscated and they admitted this to the oversight body JO but that's alright because they said all their crimes were "mistakes").
An important lesson one can learn from this is that even hardware 2FA solutions will not protect complete idiots from giving their credentials away, and it will also not protect you from having grave crimes committed against you by the police as a consequence. (Another lesson is that you should never accept a bank transfer as payment: it may come back and bite you years later.)