Tag Archives: Two Factor Authentication

Don’t Want to Use Two Factor Authentication? You Might Want to Rethink that Decision

So you think two factor authentication is a pain?

Well it can be.

But let me suggest that skipping it can be a really bad idea, and here is why.

Hackers are using two factor to BLOCK your ability to recover your account if it is hacked. This is already happening.

Here is how it works.

Hackers compromise an account. That could be done via credential stuffing (trying passwords leaked from other breaches) or any number of other methods.

Then the hackers turn on multifactor authentication and point that to a phone or email the hackers control.

Once you realize that your account has been compromised, you contact the provider. The web site says they will send a proof of ownership code to the phone or email registered to the account, which is now in the hands of the hacker.
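The sequence above (login from somewhere new, then MFA or recovery contact changed minutes later) is something the provider can see in its own logs. The following is an added example, not code from the original post or from any provider, showing a small detection rule run over constructed account-security events; the event names and the sample log lines are assumptions, and real identity providers log comparable events under their own names.

```python
"""Detect "sensitive account change shortly after a login from an unfamiliar source".

Added example, not from the original post. The event schema and the log lines
below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, event type, source IP, detail).
# Addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("2022-02-20T08:00:00", "bob",   "login",                  "192.0.2.5",     "ok"),
    ("2022-03-01T08:00:00", "alice", "login",                  "203.0.113.10",  "ok"),
    ("2022-03-02T08:05:00", "alice", "login",                  "203.0.113.10",  "ok"),
    ("2022-03-03T02:10:00", "alice", "login",                  "198.51.100.77", "ok"),
    ("2022-03-03T02:13:00", "alice", "mfa_enrolled",           "198.51.100.77", "sms"),
    ("2022-03-03T02:14:00", "alice", "recovery_email_changed", "198.51.100.77", "new address"),
    ("2022-03-03T09:00:00", "bob",   "login",                  "192.0.2.5",     "ok"),
    ("2022-03-03T09:05:00", "bob",   "mfa_enrolled",           "192.0.2.5",     "totp"),
]

# Event types that change who can prove ownership of the account (assumed names).
SENSITIVE_CHANGES = {
    "mfa_enrolled", "mfa_removed", "recovery_email_changed", "recovery_phone_changed",
}


@dataclass
class Alert:
    user: str
    event: str
    source_ip: str
    when: datetime
    minutes_after_login: float


def detect_takeover_pattern(events, window_minutes=30):
    """Return an Alert for every sensitive change made from an IP whose FIRST
    login for that user happened within `window_minutes` before the change.

    A login from an address the user has used before does not open a window,
    so bob's routine enrollment from his usual address is not flagged, while
    alice's enrollment three minutes after a first-ever login from a new
    address is.
    """
    parsed = sorted(
        (datetime.fromisoformat(ts), user, ev, ip, detail)
        for ts, user, ev, ip, detail in events
    )
    seen_ips = defaultdict(set)   # user -> IPs that have logged in before
    first_login = {}              # (user, ip) -> time of first login from that IP
    alerts = []
    for when, user, ev, ip, _detail in parsed:
        if ev == "login":
            if ip not in seen_ips[user]:
                seen_ips[user].add(ip)
                first_login[(user, ip)] = when
            continue
        if ev in SENSITIVE_CHANGES:
            opened = first_login.get((user, ip))
            if opened is not None and when - opened <= timedelta(minutes=window_minutes):
                alerts.append(Alert(user, ev, ip, when,
                                    (when - opened).total_seconds() / 60))
    return alerts


if __name__ == "__main__":
    for a in detect_takeover_pattern(SAMPLE_EVENTS):
        print(f"{a.when.isoformat()} {a.user}: {a.event} from {a.source_ip} "
              f"{a.minutes_after_login:.0f} min after first login from that address")
```

A provider that fires this rule can hold the change for a second confirmation to the previously registered contact, which is exactly the step that makes the lockout trick described above fail.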

At least some sites are saying tough luck. You are welcome to create a new account, but of course, you will lose all your data and in the meantime, if the hacker wants to extort you, they can put whatever THEY want on, say, what used to be your social media account. And there isn’t much that you can do. That could be any sort of nasty, reputation damaging stuff. And you have no way to tell visitors that it isn’t you.

You can sue the web site in court. Good luck with that one. In 2022.

In one case we just heard about, the hacker used a stolen Xbox account to buy games with the former owner’s credit card. You can, of course, cancel the card if you think of it, but that is a pain.

Some sites will allow you to regain control. It may require that you send them copies of your identity documents. Assuming that the hacker didn’t change that information on your account after it was hacked. That can take a week or more. Depending on what the account is used for, well, that could be a problem in and of itself.

Bottom line – reconsider whether two factor authentication is really that much of a bother. Consider the alternative. Credit: Brian Krebs

News Bites for the Week Ending November 16, 2018

DEA and ICE buying Surveillance Cameras Hidden in Streetlights

I am not particularly surprised and it certainly is not illegal in any way, but apparently DEA and ICE have purchased $50,000 of security cameras that record video and sound, hidden in streetlights.

If $50,000 is what they spent, it would cover a small number of cameras, so this is not “mass surveillance”.

DEA issued another solicitation for concealments to house a pan-tilt-zoom camera, cellular modem and video compression technology.  Again, not a big surprise.

Overall, this is just the government using tech that is out there and other governments, both friendly and not so friendly, have been doing this for years (think Britain and China, for example).

On the other hand, if you are planning on committing a crime – SMILE, you may be on candid camera.  Source: Quartz.


The Gov is Sharing (Some) of the Malware it Finds

In what most people would agree is something long overdue, Cyber Command is going to start sharing unclassified malware that it finds with the tech community.  It is going to upload those samples to VirusTotal, the shared virus repository that the tech community uses, and tweet about it each time they do.  Some malware, of course, they won’t share, but this allows the antivirus vendors to make sure that they can detect these new malware samples.  Source: ZDNet.


HSBC Discloses Data Breach but Few Details

Megabank HSBC said that less than 1% of US customer account data was compromised, but didn’t say what the number is.  Information taken includes name, address, bank account information, transaction history and more.  As global privacy rules become more intense, getting away with “some bad guys got away with some stuff” will be harder for businesses to use as an acceptable disclosure.  Likely the bank is still trying to understand the scope of the breach.   *IF* EU customers were affected, then this would be a post-GDPR breach as well.

It appears that this may have been a situation where the bank’s employees were not protecting their passwords well enough.  We don’t know if the credentials taken were for an administrator or not.

This is why the *LAW* in states like New York requires financial institution administrators to use two factor authentication.  Source: BBC.


U.S. Aligns with Russia, China and North Korea by Not Signing the Paris Call for Trust and Security in Cyberspace

It is not often that U.S. interests align with countries like North Korea, but when it comes to hacking in cyberspace, it apparently does.  The U.S. did not sign the Paris Call non-binding agreement this past weekend when over 50 other countries and hundreds of businesses signed it. Companies like Facebook, Google and Microsoft, who did sign the agreement, have a vested financial interest in having their customers think the Internet is safe and the companies actively support that.  The U.S. government has fewer direct incentives although most of the large Internet content companies are U.S. based.  It could be that countries like North Korea, China and the U.S. don’t want to be limited in who they hack and how.  In any case, it just shows that cyberspace is still a bit of the wild west when it comes to security and, like in the old west, you better bring your cyber-gun to the party to protect yourself.  Source: Washington Post.


Google Outage Caused by Traffic “Accidentally” Being Routed Through China

Interesting timing.  Following on from my wild, wild west comment above —

BGP hijacking has become a well honed art form for China (and others).  BGP, the routing protocol used by every ISP and many large companies, has no built-in way to check that an announcement is authorized: anyone can “advertise” that they own an IP address block, and there is currently no way to stop them.  After the fact, once the rightful owner notices that their traffic is down, the hijack can be undone.  If the attacker is stealthy, they capture the traffic and, after a really small delay, send it on its way.  They now own a copy of the traffic which they can try to decrypt at their leisure.  China is likely very good at decrypting traffic.

In this case, however, parts of Google went dark when some of their traffic was hijacked in a BGP attack and some users were down.  Google says this was an accident, which is possible.  Also possible is that it was made to look like an accident.

Curiously, this “error” started with a small ISP in Nigeria.  How hard would it be for China to compromise a small African ISP or even pay them to accidentally make a mistake?

Data compromised includes data from Google’s VPN service and their corporate backbone.  Again, a coincidence?

The Internet Engineering Task Force is working on securing BGP, but it will be years before that happens on any large scale.
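One of the pieces already standardized on that road is route origin validation (RFC 6811), in which a network checks each announcement it receives against signed records (ROAs) that say which AS may originate a prefix and how specific the announcement may be. The following is an added example, not code from the original post or from any router vendor: a simplified origin-validation check over constructed ROAs and announcements, using RFC 5737 documentation prefixes and private-use AS numbers so nothing refers to a real network. It also shows the more-specific-prefix case, which is how hijacked traffic gets pulled away from the legitimate route.

```python
"""Simplified RPKI-style route origin validation (RFC 6811 semantics).

Added example, not part of the original post. ROAs and announcements are
constructed; prefixes are RFC 5737 documentation ranges and AS numbers are
from the private-use range.
"""
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorised origin AS).
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

# Constructed announcements as a router might receive them: (prefix, origin AS).
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),    # legitimate
    ("203.0.113.0/24", 64666),    # same prefix, wrong origin
    ("203.0.113.128/25", 64500),  # right origin, but more specific than maxLength allows
    ("198.51.100.0/24", 64501),   # sub-prefix within maxLength, legitimate
    ("192.0.2.0/24", 64502),      # no ROA at all
]


def origin_validation(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found'.

    not-found : no ROA covers the announced prefix, so nothing can be said
    valid     : a covering ROA names this origin AS and the announced prefix
                length does not exceed that ROA's maxLength
    invalid   : covering ROAs exist but none matches (wrong origin, or the
                announcement is more specific than any ROA permits)
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def classify_announcements(announcements, roas=ROAS):
    """Map each (prefix, origin AS) to its validation state."""
    return {(p, a): origin_validation(p, a, roas) for p, a in announcements}


def rejected(announcements, roas=ROAS):
    """Announcements a network applying 'drop invalid' would refuse to install."""
    return [k for k, state in classify_announcements(announcements, roas).items()
            if state == "invalid"]


if __name__ == "__main__":
    for (prefix, origin_as), state in classify_announcements(SAMPLE_ANNOUNCEMENTS).items():
        print(f"{prefix:20} AS{origin_as}  {state}")
```

Two caveats a practitioner would add: origin validation only checks the last AS in the path, not that the path itself is genuine, and it only protects prefixes whose owners have published ROAs and networks that act on the result, which is why the rollout is measured in years.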

What is for certain is that China now has a lot of data to decrypt.  Source: Ars Technica.


This is Getting Old – Patch Now!

IF you haven’t gotten patching religion yet, here are, quickly, some more reasons JUST from today. —

ZERO DAY exploits (previously unknown) found in the iPhone X, Samsung Galaxy S9 and Xiaomi Mi6 – details here.

As people start looking at the magic that allows computers to go fast, they are discovering that speed kills, figuratively speaking.  SO, we have *SEVEN*, yes seven new Meltdown and Spectre bugs that affect Intel, AMD and ARM chips – details here.  Some of these are mitigated by existing fixes but others are not.

*63* new Windows bugs, twelve of which are critical and some of which are zero days are patched this month – see details.  ONE OF THREE ZERO DAYS IS ALREADY BEING EXPLOITED IN THE WILD BY HACKERS.

And finally, a Facebook attack which allows an attacker to steal data from your Facebook search results, in the background, invisible to you.  Through the magic of the cloud, Facebook has already patched this, so you don’t need to do anything to fix it – details here.

Hackers Steal Millions in Bitcoin Using Only A Phone Number

Just after midnight on August 11th, Jered Kenna in Medellin, Colombia was notified that two of his email accounts had their passwords reset.

He tried regaining control of the accounts by getting the services to send him a text, which he never received.

When he called his phone company (T-Mobile), they said that he didn’t have a phone with them, the number was transferred to another phone company.

It turns out that it is relatively simple, using a fake ID and some social engineering, to take over someone’s phone account at a phone company (a so-called SIM swap).

Once you have control of someone’s phone number, you can reset account passwords since most websites will send you a text or email with a code or URL to reset your password.

After all, your phone is secure, right?

Not so much.

Within 7 minutes, his access to 30 accounts was lost.

Among the accounts that he lost control of were two bank accounts, a Paypal account, two Bitcoin services and his Windows account, which locked him out of his PC.  This is one reason why I tell people NEVER use a Microsoft Online account to log in to your PC at home, even though Microsoft actually makes it difficult for you not to use one (there is a trick to it).  The hacker can’t lock you out of your PC remotely if you do not use a Microsoft Online password.

Kenna was an early Bitcoin miner, having millions in Bitcoin.  For security, the Bitcoin had been stored offline, but for some stupid reason, a few weeks earlier he had brought the Bitcoin online to move them to a more secure service.

Apparently not.

Suffice it to say, he lost millions of dollars.

He says he now has only about 60 Bitcoin (worth something less than $60,000).

He still doesn’t have his phone number back.

In January 2016, there were over 2,000 Bitcoin theft reports filed with the FTC.  Remember that 99+% of the time, if you lose your Bitcoin, they are gone forever.  No way to get them back.  No insurance.  No recourse.

Coinbase, the highest volume cryptocurrency exchange, says the number of cryptocurrency fraud cases is on track to double between November and December.

It would seem that this attack was very specifically targeted at Kenna.

The fundamental problem here is that ALL service providers think customer service first, security second.

So when someone contacts your phone company pretending to be you, even though you (AKA they) violate all of the security protocols, the prime directive prevails – CUSTOMER SERVICE FIRST, SECURITY LAST.

In this case, it cost someone millions of dollars.

If you lost access to your phone number, then your email(s), then your bank accounts then:

  • What would you do?
  • What would the consequences be?

In the case of bank accounts, it is likely that you will be able to eventually get your money back.

In the case of other digital assets, the story is not so clear.  If someone gains access to say, your iTunes account, you MAY, EVENTUALLY, get it back, but the attacker likely still has all of your data.  If you recall the event called “The Fappening” a couple of years ago, a number of celebrities lost control of their iTunes accounts and thousands of nude photos appeared on the Internet.  Try to get that genie back in the bottle.

Many service providers from Facebook to banks offer an extra level of security called two factor authentication.  Only 10 percent, at most, of people use two factor authentication.  It is a little bit complicated and it is a little inconvenient.   But it is also a little inconvenient to lose all the money in your bank or brokerage account.

When convenience bumps up against security, in almost all cases, convenience wins.  Many banks use text messages as the second factor but if you lose control of your phone number, that doesn’t help because the hacker gets the text messages.  The government (NIST) says that SMS text messages as the second factor are not sufficiently secure and they want people to stop using it and replace it with encrypted, data based second factor authenticators.

Still, using SMS as the second factor is WAY more secure than not having a second factor.
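The authenticator-app alternative NIST points to is usually TOTP (RFC 6238): the app and the server share a secret, and each derives a short code from the current 30-second window, so nothing travels over the phone network and a stolen phone number yields nothing. What follows is an added example, not code from the original post or from any authenticator product, implementing the server side with tolerance for clock drift and rejection of replayed codes; the secret is the published RFC 6238 test-vector key so the output can be checked against the RFC, and `last_counter` stands in for a per-user value the server would persist.

```python
"""Time-based one-time passwords (RFC 6238) with drift tolerance and replay rejection.

Added example, not from the original post. RFC6238_TEST_SECRET is the ASCII key
from RFC 6238 Appendix B; `last_counter` is a hypothetical stored per-user value.
"""
import hashlib
import hmac
import struct
import time

RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the number of `step`-second windows since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: float, last_counter=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Accept `candidate` if it matches the current window or up to `window`
    steps either side (clock drift between phone and server), but never a
    window at or before `last_counter`, so a code that was already used, or
    captured and submitted late, is refused. Returns the accepted counter,
    which the caller stores as the new `last_counter`, or None."""
    base = int(at_time) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time comparison, as for any secret-derived value.
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def rfc6238_selfcheck() -> bool:
    """Compare against two published SHA-1 vectors (8 digits) from RFC 6238."""
    return (totp(RFC6238_TEST_SECRET, 59, digits=8) == "94287082"
            and totp(RFC6238_TEST_SECRET, 1111111109, digits=8) == "07081804")


if __name__ == "__main__":
    print("RFC 6238 vectors:", "ok" if rfc6238_selfcheck() else "MISMATCH")
    now = time.time()
    code = totp(RFC6238_TEST_SECRET, now)
    accepted = verify_totp(RFC6238_TEST_SECRET, code, now)
    replay = verify_totp(RFC6238_TEST_SECRET, code, now, last_counter=accepted)
    print(f"code {code}: accepted at window {accepted}; replay accepted: {replay is not None}")
```

The secret must be generated with a cryptographic random source at enrollment and stored server-side with the same care as a password hash; the RFC test key is used here only so the result can be checked against a known answer.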

In this case, it was millions of dollars of Bitcoin.

Who knows what the next case is.

So when Marissa Mayer, CEO of Yahoo (who seems to have lost control of 1.7 billion user accounts) says it is too inconvenient to put a password on her phone, I get it.  After all, compared to 1.7 billion accounts, what could she lose that is more valuable than that?

And remember, even though you MAY, EVENTUALLY, get back control of your email, your bank accounts, your phone number, it may take weeks and you may have to expend a LOT of time and money to do so.

So when you say who would want to steal my stuff, you might want to reconsider that statement.  I am sure that Jered Kenna wishes he did some things differently.

And when it comes to corporate intellectual property, it is likely that you will never be able to undo the damage unless the crook is very stupid or you are very lucky.

Food for thought.

Information for this post came from Forbes.