
Author Topic: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication  (Read 2491 times)

RayW

  • Member
  • **
  • Posts: 42
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3276

Must say, while I was initially enthusiastic about 2FA when it was introduced, I'm no longer too sure.

Too many vulnerabilities coming to light.   :(
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 2309

Like most things common sense needs to be applied.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3276

Common sense is not to blame for some of the shortfalls.  For example, where the villain persuades the mobile operator to send a replacement sim, istr a few customers of the banks were getting caught out by that one not long ago?

And in these days of 'uncrackable' smart phones, we probably all have a password/pin locking the handset data.   But how many people still bother with an additional sim PIN lock as, without it, a phone thief merely needs to swap the sim over to a different handset, and thereby gain access to 2FA texts..?

Not sure about the others, but Google encourage registering a second phone, which may be a landline,  for receiving the texts, in case the usual one is not available.   Which doubles the risks and in many cases leads to the code being sent over unencrypted analog.

One of the biggest problems though, in my view, is the providers often allow the 2FA code mechanism to be used for account recovery for password recovery.   That's not 2FA any more, it's just a single factor - and a rather weak factor at that, for reasons above...
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2244

Why would anyone send an authentication code FROM Google TO Google? Doesn't make sense.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3276

Why would anyone send an authentication code FROM Google TO Google? Doesn't make sense.

Any time you login using 2FA, that's exactly what you do.   Google send you a random code in a text message and, if you can quote it back to them, it 'proves' you are in physical possession of the mobile phone which thus becomes a personal dongle.

I agree many people will see through this particular exploit, but many others, with just average awareness, would not.   The first SMS is fake but the text message from Google would be absolutely genuine.   It really comes from Google, which might make it all quite convincing for a fair percentage of the population...

And I'd assume the same tactic can be deployed against banks that encourage similar 2FA logins.
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2244

no you don't text it back to them
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3276

no you don't text it back to them

I did not mean to suggest we text it as part of a normal login.   I was simply pointing out that is in essence exactly the mechanism by which 2FA works.   Google send you a code and you send it back again.  Yes, you send it as data on an html page, but you are still sending the same code back nonetheless. 

In this case the scammer is hoping people will be willing to send it as SMS rather than html and I can well imagine some people will fall for that.   To non-computer savvy folks, even if moderately intelligent, it could all make a good deal of sense...
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2244

The problem is that computers were never meant for non-computer savvy folk
Logged

petef

  • Member
  • **
  • Posts: 55

2FA is a second line of defence. The exploiter in this instance already had the victim's gmail address and password. So your ordinary user would already be pwned by this stage.

That said, 2FA is only really 1½FA on a smartphone. If someone is into your phone then they can probably access email, SMS, Authenticator app, etc. For true 2FA the authentication factors should be independent.

--
Pete Forman
https://payg-petef.rhcloud.com/
Logged
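
Two design points raised in the thread so far (a texted code that can also reset the password, and factors that all live on one handset) can be checked with a small model. This is an added example, not part of any post; the factor names, the `held_on` labels and the three account layouts are constructed assumptions, not Google's actual configuration.

```python
# Added example: factor names, "held_on" labels and account layouts are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str     # what the service asks for
    held_on: str  # the single thing an attacker must control to supply it


PASSWORD = Factor("password", "memory")
SAVED_PASSWORD = Factor("password saved in phone", "handset")
SMS_CODE = Factor("texted code", "sim")
APP_CODE = Factor("authenticator app code", "handset")


def path_cost(factors):
    """Number of independent things to control to complete one path."""
    return len({f.held_on for f in factors})


def weakest_path(paths):
    """An account is only as strong as its cheapest route in.

    paths maps a route name (login, recovery, ...) to the factors it demands.
    Returns (route name, independent factor count) for the cheapest route.
    """
    name = min(paths, key=lambda n: path_cost(paths[n]))
    return name, path_cost(paths[name])


# Constructed layouts illustrating the cases discussed in the thread.
ACCOUNTS = {
    "login only": {"login": [PASSWORD, SMS_CODE]},
    "texted code also resets password": {
        "login": [PASSWORD, SMS_CODE],
        "recovery": [SMS_CODE],
    },
    "everything on one handset": {"login": [SAVED_PASSWORD, APP_CODE]},
}

if __name__ == "__main__":
    for label, paths in ACCOUNTS.items():
        route, n = weakest_path(paths)
        print(f"{label}: weakest route is {route!r}, {n} independent factor(s)")
```

Listing every route into an account, recovery included, and counting distinct `held_on` values per route is the audit to run before relying on a "two-factor" label.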

Dray

  • Kitizen
  • ****
  • Posts: 2244

How can they get into your phone? The FBI paid more than $1.3 million to break into San Bernardino iPhone.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3276

The exploiter in this instance already had the victim's gmail address and password.

Are you sure of that?

I was assuming that the user had also enabled account recovery by text message, whereby if you forget your password, a recovery code is texted to your phone, allowing you to choose a new password and login, without knowing the old password.   I've not yet tried it, so unsure of the detail, but that's my understanding...

The villain does of course still need your email and your phone number, all the more reason for not sharing them on social media.
Logged

petef

  • Member
  • **
  • Posts: 55

How can they get into your phone? The FBI paid more than $1.3 million to break into San Bernardino iPhone.

By stealing it. There must be many who do not bother to lock their phones or use an easy passcode.

The FBI might have been able to save themselves a lot of cash if the San Bernardino County officials had not reset the iCloud account.

--
Pete Forman
https://payg-petef.rhcloud.com/
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2244

I don't think stealing it would be enough. The FBI had access to the phone and couldn't get into it. I doubt the odd thief would be able to.
Logged

petef

  • Member
  • **
  • Posts: 55

Are you sure of that?

I was assuming that the user had also enabled account recovery by text message, whereby if you forget your password, a recovery code is texted to your phone, allowing you to choose a new password and login, without knowing the old password.   I've not yet tried it, so unsure of the detail, but that's my understanding...

The villain does of course still need your email and your phone number, all the more reason for not sharing them on social media.

According to the Softpedia article cited by the OP this was not an account recovery. It was an otherwise valid attempt to access an account from a new device. If you do not have 2FA turned on then Google will notify you by email (spot the hole there) but permit the new device. With 2FA you must accept the new device from a trusted device or pass on a verification code.

--
Pete Forman
https://payg-petef.rhcloud.com/
Logged