FBI Warns About Attacks That Bypass Multi-Factor Authentication (zdnet.com) 29
The US Federal Bureau of Investigation (FBI) last month sent a security advisory to private industry partners about the rising threat of attacks against organizations and their employees that can bypass multi-factor authentication (MFA) solutions. From a report: "The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks," the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. While nowadays there are multiple ways of bypassing MFA protections, the FBI alert specifically warned about SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies like Muraen and NecroBrowser.
Old news (Score:4, Informative)
Why is the FBI just now issuing this alert? Even they acknowledge that this isn't new.
*checks date on FBI alert - September 17th*
Why is ZDNet just now getting around to mentioning this?
*checks date on FBI post again*
Why is Slashdot just now mentioning ... oh wait, this is the new slow Slashdot, nevermind.
A rant of my own (Score:4, Insightful)
Something that I perpetually wish for is for web sites to use two different e-mail address for me. One is for routine correspondence and the other is for password resets.
Why? I have my normal daily e-mail on my phone and it accesses it without asking me to login. Many devices are agrressive in forcing this "conveneince" on you. there's no "ask password" setting. ( Amazon kindles are perhaps the worst. If you use the kindle e-mail client with gmail, then it keeps you auto logged in. )
As a result I have to put all my financial stuff over on another e-mail that I don't have set up on my phone. I have to use a web interface if I want to access it. That way I force it to ask me a password to access that and the "bad guy" who steals my phone probably doesn't even know my user name for that obfuscated alternative account namne. let alone the password
Sadly however many websites are mixed mode. If I want to use google apps anfd google drive I can't have a separate e-mail for google pay. Same with apple's store and apple's services. I'm either logged into icloud or I'm not. So if I need a password reset on icloud it comes to my phone since it has the e-mail address.. Which of course is also my 2nd factor.
For example, I'd feel a lot more comfortable if my bank, paypal, etc... sent routine correspondence including fraud warnings to the address my phone so I see them. But if I want to do anything dangerous like a password reset then I want that to only go to my alternate e-mail not the one my phone knows.
Maybe this concept is too convoluted and tricky for consumers. Indeed there's a profound risk of forgetting the password on the seldom-used alternate account. And then you have to wonder about where the password reset on that account should be sent!
But phones basically screw up Two-factor because of this password reset problem. What saves your bacon is the phones also have their own access passwords. And yet, this means things like letting another person operate your phone for any casual reason is perilous.
Re: (Score:2)
My head nearly exploded form all the wrong things he told us.... SUCH AS--
1. Don't trust DFA.
2. DMARC is the cure for phishing cancer.
3. Stuxnet was created by terrorists.
4. Private cloud bad. Public cloud good.
I got some free micro-brew beer and bagels at least.
Be careful about taking security advice from the same guys who want backdoors in encryption and want to read all of
Re: (Score:2)
Dude, don't be silly. Not even being slow is new on /..
Why does Github host these toolsets? (Score:1)
it may be open source, but it is still malware, and please don't say penetration testing, it's clearly not being developed along those lines
It's going to be hosted somewhere. (Score:3)
Might as well let the good side see it too. Similar reasoning to going public with exploits... and eventually letting out more details (or threatening to) so that they are actually are noticed and patched.
Just because you don't see it doesn't mean it hasn't existed for a long time.
Proxies--teach me (Score:1)
I've wondered for some timeabout Proxies, transparent and visible.
Arethey a fully privledged Man in the Middle? Do they get to decrypt https? do VPNs help? Is there a way a server can detect a proxy is in front of the client and warn the client (e.g. a banking app?)
Re: (Score:1)
1) yes, if yes on #2
2) yes, and this is common for "reverse" proxies belonging to their own server cluster, but considered exceptionally bad behavior for anonymous middle-man proxies. still horrifically possible though.
3) only if they're not based on https... luckily that is not common
4) yes, but for some reason nobody bothers to do this where it matters. i really don't know why. maybe because in very large-scale hosting environments commonly use reverse proxies, making situation #2 snafus indistinguisha
Re: (Score:1)
thanks! could you elaborate on Reverse proxies?
Re: (Score:1)
It's basically a technique where they distribute load (your incoming connections) on the hosting cluster to internal proxies that are part of the cluster. Such proxies do typically also decrypt https when it is in use (otherwise there would be little point of doing this) but unfortunately this means the actual logic-carrying part of the web server never sees the https traffic so that makes it really a lot harder to know if it had been decrypted ahead of time by a malicious proxy upstream if the cluster is
Re: (Score:1)
Yep, and since that is a vulnerability within the remote service's cluster itself, this is one case a VPN can't save you from.
Limited to just SMS authentication? (Score:5, Interesting)
Unless I misread something, it looks like this attack vector is due to two factor authentication methods which use SMS for the second part. Banks and other institutions which use their own app, or Bog-standard TOTP are completely unaffected by this attack.
Of course, there are other attacks which can attack 2FA, mainly at the browser session level, but if one is using an authenticator, they should be OK, with the exception of places that offer recovery methods via SMS.
In any case, 2FA definitely raises the bar an attacker has to do, from passive sniffing/logging to active mischief.
Re: (Score:3)
The article discusses transparent proxies being used to hijack TOTP in addition to stealing SMS. A USB security key that supports FIDO2 or U2F would virtually eliminate the risk of phishing--the browser or user's computer would have to be compromised. However, even a SMS U2F would reduce hacking by 99%.
If your second factor is a phone, it's not 2FA (Score:5, Insightful)
If your second factor is a telephone, you don't actually have 2FA. After all, the second factor cannot be the same device that you're using to sign in, because that's the same physical device as the one with access to the first factor (the password).
Re: (Score:2)
Yet most major banks and cellular carriers heavily promote this method of access as their hip new preferred tech. People won't learn to be responsible about securing their communications while the business entities they take their cues from are openly encouraging such bad behavior on one hand and failing to do the necessary security auditing of their own systems and software on the other hand.
Re: (Score:3, Insightful)
My bank account is completely disconnected from my cellular phone. My bank kept asking me for my mobile number, and I kept refusing to give it to them. They only know my land line number. They have no business contacting me over such an insecure system as the mobile network.
I also never connect to my bank over my mobile. I refuse to use their stupid apps. My banking is done on a single computer that is set up solely for connecting to my sensitive accounts. I do not browse the web on it or do a
Re:If your second factor is a phone, it's not 2FA (Score:5, Informative)
My bank account is completely disconnected from my cellular phone. My bank kept asking me for my mobile number, and I kept refusing to give it to them.
Same here, and like you I always refuse. I don't want that shot on my phone- it's just a door through which Bad Things(tm) will come.
Bank of America tried to tell us that for my wife to have a Business account, she *had* to load the BOA mobile banking app on her phone. We (me, really) flat-out refused and shit got a little heated. Some BOA account reps actually think that it's a requirement and will try to force it on you.
I asked what would they do if all we had were dumb flip-phones, but they wouldn't back down because they didn't want to admit they were wrong.
Them: "You HAVE to have the banking app on your phone, or you can't do mobile banking!"
Me: "What if we just come in here and don't do any mobile banking?"
Them: (SHOCKED FACE OMG TERRORIST OMG OMG OMG)
We did finally get the bank account without having to install their malware, err I mean 'mobile banking app' but it took the threat of going across the street to Chase Bank or whatever.
Re: (Score:2)
It seems like all banks want mobile apps. :(
Re: (Score:2)
Nonsense. Let's say I accidentally type my password into a phishing site or I use an ancient password pwned in a previous leak (the two places I assume all of my passwords get compromised).
Now any random Joe, Cho or Juma on the planet can log into my account.
Add 2FA and they have to be physically holding my device. So yes if my phone is stolen the race is on to lock my device (if they snatched it while unlocked) before they can look up any pwned accounts linked to my phone but I feel good that I can probab
MFA is not a silver bullet (Score:3)
Yeah, right. (Score:3)
the FBI wrote in a Private Industry Notification (PIN)
Someone posing as the FBI sending me e-mail about my PIN. I deleted that without even opening it.
mfa? (Score:2)
I am already burdened by 2FA
Really? You don't say .. plaintext, weakhashed, .. (Score:2)
.. after we have educated non-tech people, that it is a bad idea to have the same password on all 100 accounts and perhaps even use multiple eMail-aliases, and perhaps not the same
And now after the introduction of a "second password" that of course, would change everything to the better, that is btw. the answer to a question, while the questions are asking for easily memorable things like your mothers maiden name,
we now need to educate people again, that it is generally bad to answer the truth on any questi
Re: (Score:3)
Well, educating non-tech people to have a different password on 100 accounts was a total failure. Because that was completely overlooking the fact that humans are not able to retain 100 password with any level of entropy that could survive an offline crack.
Hence 2FA. Not worse than before, not better. Most security "experts" at companies have no clue about security and just follow what the latest trend is, because it's just not their expertise, their last job was usually something totally unrelated. The on