
Telegram Bots Are Trying To Steal Your One-time Passwords (zdnet.com)

Telegram-powered bots are being utilized to steal the one-time passwords required in two-factor authentication (2FA) security. From a report: On Wednesday, researchers from Intel 471 said that they have seen an "uptick" in the number of these services provided in the web's underground, and over the past few months, it appears the variety of 2FA circumvention solutions is expanding -- with bots becoming a firm favorite. [...] While 2FA can improve upon the use of passwords alone to protect our accounts, threat actors were quick to develop methods to intercept OTP, such as through malware or social engineering. According to Intel 471, since June, a number of 2FA-circumventing services are abusing the Telegram messaging service. Telegram is either being used to create and manage bots or as a 'customer support' channel host for cybercriminals running these types of operations. "In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts," the researchers say.
  • This is exactly why I only call stuff like this "double 1FA".

    • by dgatwood ( 11270 )

      I prefer the term one-point-two-factor authentication. It is *slightly* stronger than just using a password, because users pick terrible passwords, so it reduces the odds of account compromise by random guessing. But it is nowhere near a true second factor.

  • Thank goodness the article provided some clear and actionable ideas about how to harden oneself against such attacks.

    https://hackernoon.com/how-to-... [hackernoon.com]

    https://blog.coinbase.com/phis... [coinbase.com]

  • (n) A small increase.

    I really wish people (the media) would stop using words they don't know the meaning of. If you mean "increase," say "increase." Upticks aren't generally newsworthy items.

  • My previous employer used YubiKey. It blew all the other garbage out of the water in terms of security and ease of use. My current employer *finally* stopped making SMS-based 2FA the only option and now offers an iOS/Android only "app". Slightly more security, but still brain dead. And it means 100% of the employees need either an Android or iOS device.

    My current company won't buy you a dedicated device, but they will pay for your personal device. Weird policy, and it means every device is compromised becau

    • The problem is yubikeys are not universal, at least in the Apple/Linux ecosystem. They should be, but that is hard. I would need one device for my iPhone, and a separate one for everything else.

      I need one device (plus a backup) for everything I use. The best way for that to happen is for Apple to support contactless transfer, and desktop/laptop to support usb-c.

      • I was using YubiKey on my work issued Linux/Debian system with the only "trick" being I installed Chrome instead of Chromium. And my coworkers were all Apple users. I'm pretty confident of the Apple/Linux support, I'm less confident of the Windows support because I never tried it.
        What is great is not only did it work with various 2FA browser logins, we had it set up to work correctly on SSH as well.

        I was issued TWO yubikeys. One that was a nano key for my laptop (USB-A) and one that was a keychain one for m

  • If you run a site that stores valuable information and doesn't support hardware keys for authentication, you're doing it wrong.
