Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Android Security IOS Privacy

Anywhere Computing Makes 2FA Insecure On iOS and Android (thestack.com) 69

An anonymous reader writes: Academics from the VU University Amsterdam have identified a new class of vulnerabilities to two-factor authentication, commonly used to protect transactions involving financial and private information. The vulnerability leaves users of both Android and Apple mobile devices open to the theft of personal information by hackers. The researchers note the text (PDF). While anywhere computing is generally considered to be a good thing, the research claims that integration across multiple platforms essentially removes the gap between those platforms, and it is that gap that is required to make two-factor authentication secure. Without a gap between devices, a common hack called the man-in-the-browser attack can be elevated to intercept the one-time password generated for two-factor authentication, thereby rendering two-factor authentication useless.
This discussion has been archived. No new comments can be posted.

Anywhere Computing Makes 2FA Insecure On iOS and Android

Comments Filter:
  • Next up... (Score:4, Funny)

    by Lab Rat Jason ( 2495638 ) on Friday April 08, 2016 @12:38PM (#51869291)

    Three Factor Authentication!

    • by Anonymous Coward

      Thank you very much, but I have a PIN calculator which has enough one time pad for about 2900 years of intensive use (battery will run out sooner), and it takes no input except its own 5-digit PIN from its very own keyboard. It conveniently fits in my pocket, and is slim enough to dispose of by crushing or burning with a lighter. :P

      It will provide me with my authentication for my banking purposes, and to be honest, I trust it a bit more than our clunky national ID card, about which nobody knows who the fck

    • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Friday April 08, 2016 @01:37PM (#51869769)

      Next up... Three Factor Authentication!

      Fuck everything, we're doing Five Factor Authentication!

      • by WarJolt ( 990309 )

        1. Don't use txt for 2FA.
        2. Generate authentication tokens in a trusted machine inside your cell phone (i.e. trust zone)

        Or

        Use a separate RSA token generator.

        Either way txt is the worst idea for 2FA.

        2FA only makes it harder for hackers. I'd like to see a the types of mass account compromises that we see with password auth alone.

        So let's calm down and don't go overboard

    • Later...

      "All three authentication steps have been breached!"

      "Oh, the fools! If only they'd built it with four-factor authentication! When will they learn?!?"

    • Three Factor Authentication!

      Das Onion is always prescient:
      http://www.theonion.com/blogpo... [theonion.com]

  • Only the 2FA that requires input from the user because the input dialogs can be spoofed.

    If you have a system that calls you and requires you to press 1 (for example) which then triggers the server side to continue the workflow, that should still be secure... right?

    • by dgatwood ( 11270 )

      Not necessarily. Sure, this article is strictly about malicious programmers taking advantage of text message sharing to let a compromised computer obtain the text messages sent to a phone, but with Apple's Continuity feature, it is also possible to take phone calls on your Mac or on other non-phone iOS devices, as long as the iPhone is on the same Wi-Fi network.

      If it is possible for someone writing a malicious Mac app to then control that audio stream, then in theory it would be possible for an attacker t

  • This isn't new.. (Score:3, Interesting)

    by Anonymous Coward on Friday April 08, 2016 @12:44PM (#51869353)

    I heard two stories just recently about people abusing 2FA. One guy was a contractor, who sub-contracted all of his work (for multiple employers at once!) to programmers in China.. he had mailed his RSA key to them so they could log into the VPN on his behalf and do his work. Funny thing is, they did quality work apparently, and the guy was winning awards for high productivity/quality in the companies he contracted for...

    Another story related how someone had just set up a webcam, again, pointing at an RSA token, so they could log in from anywhere. Hope their webcam was secure from 3rd party eyes! (not likely).

    Unless the 2FA is grafted into one's body and somehow detects duress too, it'll be susceptible to unauthorized use, just like anything else. It's really about estimating acceptable risk -- everything's hackable.

    • The trouble trouble with the app-based '2 factor' stuff is that there is a lot more room for non-obvious, automatic, exploitation; rather than just the occasional user deciding to do something questionably sensible.

      In both cases you mention, the users were acting in direct opposition to what their admins would want; but the authentication fobs dutifully performed exactly as the users expected them to. They didn't mail themselves to China, or just get caught clandestinely camwhoring.

      When the 'second fa
      • by dgatwood ( 11270 ) on Friday April 08, 2016 @02:58PM (#51870455) Homepage Journal

        Implementing a 'secure' token in software on an internet connected computer that also runs god knows what else has always been a shoddy idea; popular purely because it's cheaper than dedicated hardware; and possibly not quite as awful as your average password. It's never been, or even pretended to be, an actually trustworthy approach.

        Exactly. And many of us have been saying that for years. The unfortunate problem is that many people see these sorts of technologies, and think to themselves, "This makes me secure", whereas in practice, the security benefit of any software-based second factor is zero if somebody has successfully 0wn3d your hardware. With that said, this statement doesn't go far enough. In practice, the security benefit of any second factor is zero if either communication endpoint is insecure, regardless of what the second factor is, and regardless of how many factors are involved.

        Suppose I'm an attacker. If I can compromise your browser, I can show a fake error page. Therefore, if I want to do a transaction on your account, I can just wait for you to perform one, use your OTP to perform some nefarious action, then issue an error page, forcing you to enter a new OTP, then let the user perform the action again and allow the action to go through. Even better, I could perform the user action first, show an error page to trick the user into providing a new OTP, and then perform the nefarious action second. That way, I can show the legitimate response page at the end, as though the nefarious action hadn't happened, hiding the fact that I just transferred your entire account balance to an account in Switzerland or whatever. A sufficiently sophisticated attacker could actually fake all of the response screens sufficiently to mask their actions until days or weeks later, when your bank sends you a snail-mail letter telling you that you're bouncing checks.

        That's why the first rule of computer security, IMO, should be, "If you can't trust both endpoints, you can't trust the data."

        The takeaway for anyone who wants to be more secure is this: Always use your landline phone as your second factor, and make sure that it is POTS-based and not a VoIP home phone. In some cases a POTS line can be trunked in a way that could make it possible to redirect calls somewhere else through software-based attacks, so for a truly skilled attacker, even that isn't 100% safe, but it is orders of magnitude safer than a cell phone.

        The takeaway for banks and other institutions is that Internet-connected devices make poor second factors, and they should really collaborate to come up with a common platform for second-factor authentication using shared hardware tokens (e.g. OATH with OTPs) and require their customers to use them. Ideally, they should do so in a way that the customer can use a single second factor for all their accounts at various banks, relying on the passwords to ensure that someone who steals the fob won't gain access to all of the user's accounts. And ideally, they should come up with a way to provide (with some reasonable degree of certainty) a hash check on the password to ensure that the user doesn't use the same password on multiple sites. This could be a good browser feature.

        The takeway for OS designers is pretty extensive; I'd recommend that anybody involved in any sort of operating-system security read the original white paper, because it would take too long to summarize the chain of attacks involved.

        • by Bengie ( 1121981 )
          I can't purchase a non-VoIP landline around here. Everything is over fiber, copper is almost completely gutted out. Then I would need to pay to have it installed. Apartments don't have RJ11 already ran anymore. Typical rental agreements includes paying out of pocket if you want one installed, but they won't stop you.
  • by mattventura ( 1408229 ) on Friday April 08, 2016 @12:47PM (#51869371) Homepage
    I just love how Steam tries so hard to use their "mobile authenticator" thing, when all that accomplishes is giving someone who exploits your phone access to the Steam credentials, steam guard auth, and recovery email all in one go. At least with the Blizzard authenticator app, it didn't hold any account credentials, and you could buy hardware ones too.

    On top of that, even if you had 500-factor authentication, it wouldn't stop some luser from getting phished, since they'd just put their 500 authentication details into the fake page.
    • I hate how they're pushing 2FA. Sometimes my kids want to play Lego games while I'm at work, but they can't because I have 2FA enabled. And if I disable 2FA, selling shit in the market becomes a burden.
  • Anywhere Computing Makes 2FA Insecure On iOS and Android

    Windows Phone remains unaffected!

  • Knowing the difference makes all the difference in the world,
    • by Bengie ( 1121981 )
      Call it virtual 2 Factor Auth. Still is a second factor, but one should never communicate the second factor, it should be something you ALREADY have, not something you're about to have.
    • This guy gets it.
      Real (physical) security is based on the model of something you have, something you are, and something you know being verified by the authenticating party.
      This is you walking into a bank and the teller or account manager looking at you, your government-issued photo id, and asking for you account number, pin, ssn, etc.

      They verify you are a early-twenties, 450 pound, balding, acne-riddled lump of a man. They verify you have a state id (but not a driver's license because you're useless) that

  • I wish these companies would stop pushing all this stuff and let me protect my own account. I've been locked out of both Microsoft and Google accounts because of this type of crap. If I have my password, I want to get into my account. Gmail is almost useless now because of this. They just randomly decide they can't authenticate you're account whenever they want to and leave you with no access to your account and no way to contact customer support. Just a bogus recovery process that is designed to alway
    • If I have my password, I want to get into my account.

      If someone else guesses your password, someone else wants to get into your account. If you reuse your password on another service, and someone else cracks said other service's password database, someone else wants to get into your account. How would you recommend to defend against these attacks other than through 2FA?

      • by jetkust ( 596906 )

        If I have my password, I want to get into my account.

        If someone else guesses your password, someone else wants to get into your account. If you reuse your password on another service, and someone else cracks said other service's password database, someone else wants to get into your account. How would you recommend to defend against these attacks other than through 2FA?

        How about NOT doing any of those things you mentioned, and having a good password. 2FA may be good for people who actually need it. But for most people it just increases your change of getting locked out of your account. Some people don't want to give up their phone numbers and be "protected."

        • by rthille ( 8526 )

          My GF typed her gmail password into the kiosk computer at a nice hotel and got her account hacked. Some people will make use of computers that aren't safe. You may be "smarter" than that, but you aren't most of Google/Microsofts customers.

    • by Bengie ( 1121981 )
      Google has a bunch of failure safeties, but they're opt in. A fall back is it can send an SMS to my phone, or my wife's phone, or I can use one of my 20 one time use printed off keys that I store somewhere.
      • by jetkust ( 596906 )
        I'm pretty sure I didn't opt-in to google randomly locking me out of my account for no reason with no way to get it back. Probably something along the lines of "oooh, he's running Linux now. He can't be trusted."
  • The approach requires a Man-in-the-Browser attack which assumes the hacker already has control over your PC/laptop/whatever you're syncing your phone to. But the way I (and I imagine most others who don't have a pressing need to be security paranoid) use 2FA we stay "authenticated" on most devices we already use, and only revoke access if we have reason to believe we've been compromised. So if you successfully hack my home computer I've probably already given up the ghost. For me the main appeal of 2FA is t

    • by Bengie ( 1121981 )
      They don't need control of your computer, just to do a cross-site attack and have your already established session to play.google.com to issue some web requests to remotely install malware on your phone.
  • "The researchers note the text (PDF)."

    That link was NOT a PDF. Please don't assume that everyone wants to use their browser to read things. That's deceptive. The proper link is:

    http://fc16.ifca.ai/preproceed... [fc16.ifca.ai]

  • Years ago I sold some Bitcoins for a minor amounts on Localbitcoins. 2 years later I learned that someone paid using funds from some kind of hi-jacked back account when the criminal Swedish policemen Peter Fromén and Jan-Olof Berglund broke into my home and stole all my computer hardware and other electronics and some random papers and a few (luckily empty) Bitcoin paper wallets.

    From what I gather some scammer hi-jacked some Facebook page and used that to make the mark type in a code which appeared on the banks login page into a hardware 2FA device and tell the scammer what numbers appeared on the device.

    I eventually got my hardware back but I never saw the papers or the Bitcoin wallets they stole back, they didn't even register that as "confiscated" evidence (I put "confiscated" in quotes because they broke numerous laws required for something to actually be confiscated and they admitted this to the oversight body JO but that's alright because they said all their crimes were "mistakes").

    An important lesson one can learn from this is that even hardware 2FA solutions will not protect complete idiots from giving their credentials away and it will also not protect you from having gave crimes committed against you by the police as a consequence. (another lesson is that you should never accept a bank transfer as payment: it may come back and bite you years later).

Unix: Some say the learning curve is steep, but you only have to climb it once. -- Karl Lehenbauer

Working...