Kitz Forum

Computer Software => Security => Topic started by: RayW on June 13, 2016, 08:17:50 AM

Title: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: RayW on June 13, 2016, 08:17:50 AM
Hackers now texting as Google to GMail users for access verification codes ...


http://news.softpedia.com/news/hackers-find-clever-way-to-bypass-google-s-two-factor-authentication-505138.shtml
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 08:47:08 AM
Must say, while I was initially enthusiastic about 2FA when it was introduced, I'm no longer too sure.

Too many vulnerabilities coming to light.   :(
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Ronski on June 13, 2016, 10:16:10 AM
Like most things, common sense needs to be applied.
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 11:30:04 AM
Common sense is not to blame for some of the shortfalls.  For example, where the villain persuades the mobile operator to send a replacement sim, istr a few customers of the banks were getting caught out by that one not long ago?

And in these days of 'uncrackable' smart phones, we probably all have a password/pin locking the handset data.   But how many people still bother with an additional sim PIN lock as, without it, a phone thief merely needs to swap the sim over to a different handset, and thereby gain access to 2FA texts..?

Not sure about the others, but Google encourage registering a second phone, which may be a landline,  for receiving the texts, in case the usual one is not available.   Which doubles the risks and in many cases leads to the code being sent over unencrypted analog.

One of the biggest problems though, in my view, is the providers often allow the 2FA code mechanism to be used for account recovery for password recovery.   That's not 2FA any more, it's just a single factor - and a rather weak factor at that, for reasons above...
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Dray on June 13, 2016, 12:43:21 PM
Why would anyone send an authentication code FROM Google TO Google? Doesn't make sense.
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 12:59:33 PM
Why would anyone send an authentication code FROM Google TO Google? Doesn't make sense.

Any time you login using 2FA, that's exactly what you do.   Google send you a random code in a text message and, if you can quote it back to them, it 'proves' you are in physical possession of the mobile phone which thus becomes a personal dongle.

I agree many people will see through this particular exploit, but many others, with just average awareness, would not.   The first SMS is fake but the text message from Google would be absolutely genuine.   It really comes from Google, which might make it all quite convincing for a fair percentage of the population...

And I'd assume the same tactic can be deployed against banks that encourage similar 2FA logins.
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Dray on June 13, 2016, 01:09:16 PM
no you don't text it back to them
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 01:56:14 PM
no you don't text it back to them

I did not mean to suggest we text it as part of a normal login.   I was simply pointing out that is in essence exactly the mechanism by which 2FA works.   Google send you a code and you send it back again.  Yes, you send it as data on an html page, but you are still sending the same code back nonetheless. 

In this case the scammer is hoping people will be willing to send it as SMS rather than html and I can well imagine some people will fall for that.   To non-computer savvy folks, even if moderately intelligent, it could all make a good deal of sense...
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Dray on June 13, 2016, 02:00:47 PM
The problem is that computers were never meant for non-computer savvy folk
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: petef on June 13, 2016, 08:29:52 PM
2FA is a second line of defence. The exploiter in this instance already had the victim’s gmail address and password. So your ordinary user would already be pwned by this stage.

That said, 2FA is only really 1½FA on a smartphone. If someone is into your phone then they can probably access email, SMS, Authenticator app, etc. For true 2FA the authentication factors should be independent.

--
Pete Forman
https://payg-petef.rhcloud.com/
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Dray on June 13, 2016, 08:37:49 PM
How can they get into your phone? The FBI paid more than $1.3 million to break into San Bernardino iPhone.
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 08:48:46 PM
The exploiter in this instance already had the victim’s gmail address and password.

Are you sure of that?

I was assuming that the user had also enabled account recovery by text message, whereby if you forget your password, a recovery code is texted to your phone, allowing you to choose a new password and login, without knowing the old password.   I've not yet tried it, so unsure of the detail, but that's my understanding...

The villain does of course still need your email and your phone number, all the more reason for not sharing them on social media.
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: petef on June 13, 2016, 08:57:21 PM
How can they get into your phone? The FBI paid more than $1.3 million to break into San Bernardino iPhone.

By stealing it. There must be many who do not bother to lock their phones or use an easy passcode.

The FBI might have been able to save themselves a lot of cash if the San Bernardino County officials had not reset the iCloud account.

--
Pete Forman
https://payg-petef.rhcloud.com/
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Dray on June 13, 2016, 09:04:48 PM
I don't think stealing it would be enough. The FBI had access to the phone and couldn't get into it. I doubt the odd thief would be able to.
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: petef on June 13, 2016, 09:10:51 PM
Are you sure of that?

I was assuming that the user had also enabled account recovery by text message, whereby if you forget your password, a recovery code is texted to your phone, allowing you to choose a new password and login, without knowing the old password.   I've not yet tried it, so unsure of the detail, but that's my understanding...

The villain does of course still need your email and your phone number, all the more reason for not sharing them on social media.

According to the Softpedia article cited by the OP this was not an account recovery. It was an otherwise valid attempt to access an account from a new device. If you do not have 2FA turned on then Google will notify you by email (spot the hole there) but permit the new device. With 2FA you must accept the new device from a trusted device or pass on a verification code.

--
Pete Forman
https://payg-petef.rhcloud.com/
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: petef on June 13, 2016, 09:18:06 PM
I don't think stealing it would be enough. The FBI had access to the phone and couldn't get into it. I doubt the odd thief would be able to.

I did not say that all phones are easy to hack and certainly not the San Bernardino one. I was asserting that many people are not bothered by security and may not have as much as a screen lock. Even if you do take basic precautions there must be a method for phone shops to unlock where their customers have forgotten their passcode. If they can, be sure that the bad guys will be able to too.

--
Pete Forman
https://payg-petef.rhcloud.com/
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Dray on June 13, 2016, 09:23:59 PM
Looks like it was debunked here http://www.sorinmustaca.com/how-clever-social-engineering-can-overcome-two-factor-authentication/
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 09:28:42 PM
I do agree it was reported as a 2FA attack with known password, but I tend to take reporting accuracy with a large pinch of salt.

Certainly in the cases of bank customers a few months ago, although it was widely reported as 2FA, the only way I could make any sense of the stories on the Beeb and in the papers was to assume a reporting error and that it was actually account recovery, using the same text interface as 2FA.

Otherwise, as Pete infers, the real story would have been 'how did they get the password?'
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: petef on June 13, 2016, 09:46:11 PM
@Dray I don’t think that Sorin Mustaca was debunking Alex MacCaw’s story, rather offering a strong argument that the password was already compromised.

@sevenlayermuddle the password may have come from a Post-it note, re-use on a fake or hacked website, or in many other ways.

--
Pete Forman
https://payg-petef.rhcloud.com/
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 09:58:01 PM
I just tried it, using an ancient gmail account I no longer use.

I ticked 'forgot my password'.

It asked for the last password I could remember, I ticked "don't know"

It offered me recovery via SMS and presented me with the last three digits of my phone number, inviting me to provide the number in full.

A few seconds later my watch beeped with a new message 'your Google verification code is...'

I entered the code in the box on screen and, after choosing a new password, had access to the account.

So, armed only with the mobile phone number and a way of intercepting text messages, it does appear trivial to hack a gmail account.
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 10:11:19 PM
I should add that when I tried the same on my main email address, which is a member of a Google Apps organisation, I was told to (words to the effect of) 'contact an administrator for my organisation'.

When I tried it for my Google Apps administrator's login it appeared that it would work but I only got as far as a caution, inferring that Google would need to think about it for a few days, and suggesting I might want to reconsider.   Which I did. :D
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Dray on June 13, 2016, 10:24:59 PM
So, armed only with the mobile phone number and a way of intercepting text messages, it does appear trivial to hack a gmail account.

That's a big only
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 10:33:12 PM
That's a big only

That's what I used to think, and why I used to be a fan of 2FA.

Since then, multiple exploits have emerged, from convincing the mobile phone company to divert calls and texts, or to send out a replacement SIM in the post, or just to steal the phone and swap the SIM to another phone.  And now this new exploit.

I'd not worry if it were just gmail, but banks are increasingly adopting 2FA as well.   :o
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: petef on June 13, 2016, 10:51:28 PM
Classic 3FA is something you know, something you have and something you are. E.g. password, SIM card, fingerprint. 2FA is two of those, usually the first.

In both the original article and @sevenlayermuddle’s old account reset one authentication factor had been broken through losing or forgetting the password. The second factor, the SIM card, is given elevated trust as a result. No factor is 100% perfect but combining them gets you closer.

--
Pete Forman
https://payg-petef.rhcloud.com/
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Dray on June 13, 2016, 10:59:15 PM
My iPhone has a fingerprint reader so I suppose that's 3FA
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: sevenlayermuddle on June 13, 2016, 11:28:59 PM
In both the original article and @sevenlayermuddle’s old account reset one authentication factor had been broken through losing or forgetting the password.

I don't agree.   The first factor has not been 'broken', it has been dismissed by the provider in the interests of providing continued service whilst minimising customer support overheads.  Security is then reduced to single factor, and an incredibly weak factor at that - much weaker than a simple password requirement.

A far more useful 'second factor', for account recovery, is a letter sent in the post to the home address of the account.   Some of the more serious UK financial institutions, as well as HMRC, do so.  The delay so caused is a further disincentive against any attempt to abuse it.   But can you imagine Google, or the money-grabbing mainstream banks, really wanting the bother of communicating with their customers that way?   

It is worth stressing that, despite screaming headlines in newspapers, password 'hacking' is very, very rare.  Most passwords are 'stolen' either by hacking the provider, or phishing techniques.
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: petef on June 14, 2016, 12:19:05 AM
Alright, I could have used a better word than ‘broken’.

For something you have, a postbox on your house is more secure than a SIM card but even that is not infallible. Witness the recent fake postboxes in Manchester.

Resetting an account is not the canonical case of multi-factor authentication. This topic was about Gmail which in the cited articles was enforcing 2FA where both factors must be satisfied for a new device. Account recovery involves using alternative avenues of trust where the usual factors are unavailable.

Loosely speaking, n-factor authentication can be used at its most secure when all n factors are satisfied. To be pragmatic fewer are called for when, for example, the server has established trusted devices. It may also happen that 3FA is set up but access is allowed for 2 out of 3.

--
Pete Forman
https://payg-petef.rhcloud.com/
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Chrysalis on June 14, 2016, 12:50:37 AM
What people need to realise is that there is no such thing as 100% security; if you expect that, then you already have the wrong mindset.

At the same time there also usually has to be a balance with usability.

With that said, though, I have never been a fan of SMS being used for authentication; in my mind the perfect thing to pair with a password is using an authentication key.
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Dray on June 14, 2016, 07:14:26 AM
That just shifts responsibility to a 3rd party CA who you have to trust
Title: Re: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication
Post by: Chrysalis on June 14, 2016, 07:57:25 PM
Authentication keys don't use a CA.

It's just a private and public key pair used to authenticate.
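As an added illustration (not code from the thread or from any of the posters), the difference between the SMS code discussed above and the key-pair login Chrysalis describes, in Go: the SMS code is a bearer value the server accepts from whoever submits it, so forwarding it in a text is enough, whereas a device-held private key signs a fresh server challenge together with the site name (a FIDO-style detail assumed here; the thread only says "a key pair"), so a signature made for a look-alike site, or for an earlier challenge, does not verify. Site names and the sample code are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// An SMS-style verification code is a bearer secret: the server compares the
// value only, so whoever submits it (the account holder, or a scammer the
// holder forwarded it to) is accepted.
func verifySMSCode(issued, submitted string) bool {
	return issued == submitted
}

// newChallenge returns a fresh random nonce for one login attempt.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Key-based login (assumed FIDO-style binding, not stated in the thread):
// the device signs the challenge together with the site it believes it is
// talking to. The private key never leaves the device, so there is no
// reusable value that could be typed into a text message.
func signChallenge(priv ed25519.PrivateKey, site string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(site+"|"), challenge...))
}

// The real site verifies against its own name and the challenge it issued,
// so a signature made for a look-alike site, or for an earlier challenge,
// fails even if a scammer relays it in real time.
func verifyChallenge(pub ed25519.PublicKey, site string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(site+"|"), challenge...), sig)
}

func main() {
	code := "482913" // constructed sample code
	fmt.Println("forwarded SMS code accepted:", verifySMSCode(code, code))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ch := newChallenge()
	genuine, lookalike := "accounts.example.com", "accounts-example.com" // constructed
	fmt.Println("genuine site:", verifyChallenge(pub, genuine, ch, signChallenge(priv, genuine, ch)))
	fmt.Println("relayed from look-alike:", verifyChallenge(pub, genuine, ch, signChallenge(priv, lookalike, ch)))
}
```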