Pages: 1 [2]

Author Topic: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication  (Read 2273 times)

petef

  • Member
  • **
  • Posts: 51

I don't think stealing it would be enough. The FBI had access to the phone and couldn't get into it. I doubt the odd thief would be able to.

I did not say that all phones are easy to hack and certainly not the San Bernardino one. I was asserting that many people are not bothered by security and may not have as much as a screen lock. Even if you do take basic precautions there must be a method for phone shops to unlock where their customers have forgotten their passcode. If they can, be sure that the bad guys will be able to.

--
Pete Forman
https://payg-petef.rhcloud.com/
« Last Edit: June 13, 2016, 09:21:13 PM by petef »
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3209

I do agree it was reported as a 2FA attack with known password, but I tend to take reporting accuracy with a large pinch of salt.

Certainly in the cases of bank customers a few months ago, although it was widely reported as 2FA, the only way I could make any sense of the stories on the Beeb and in the papers was to assume a reporting error and that it was actually account recovery, using the same text interface as 2FA.

Otherwise, as Pete infers, the real story would have been 'how did they get the password?'
Logged

petef

  • Member
  • **
  • Posts: 51

@Dray I don’t think that Sorin Mustaca was debunking Alex MacCaw’s story, rather offering a strong argument that the password was already compromised.

@sevenlayermuddle the password may have come from a Post-it note, re-use on a fake or hacked website, or in many other ways.

--
Pete Forman
https://payg-petef.rhcloud.com/
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3209

I just tried it, using an ancient gmail account I no longer use.

I ticked 'forgot my password'.

It asked for the last password I could remember, I ticked "don't know"

It offered me recovery via SMS and presented me with the last three digits of my phone number, inviting me to provide the number in full.

A few seconds later my watch beeped with a new message 'your Google verification code is...'

I entered the code in the box on screen and, after choosing a new password, had access to the account.

So, armed only with the mobile phone number and a way of intercepting text messages, it does appear trivial to hack a gmail account.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3209

I should add that when I tried the same on my main email address, which is a member of a Google Apps organisation, I was told to (words to the effect of) 'contact an administrator for my organisation'.

When I tried it for my Google Apps administrator's login it appeared that it would work but I only got as far as a caution, inferring that Google would need to think about it for a few days, and suggesting I might want to reconsider. Which I did. :D
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2126

So, armed only with the mobile phone number and a way of intercepting text messages, it does appear trivial to hack a gmail account.
That's a big only
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3209

That's a big only

That's what I used to think, and why I used to be a fan of 2FA.

Since then, multiple exploits have emerged, from convincing the mobile phone company to divert calls and texts, or to send out a replacement SIM in the post, or just to steal the phone and swap the SIM to another phone.  And now this new exploit.

I'd not worry if it were just gmail, but banks are increasingly adopting 2FA as well.   :o
Logged

petef

  • Member
  • **
  • Posts: 51

Classic 3FA is something you know, something you have and something you are. E.g. password, SIM card, fingerprint. 2FA is two of those, usually the first.

In both the original article and @sevenlayermuddle’s old account reset one authentication factor had been broken through losing or forgetting the password. The second factor, the SIM card, is given elevated trust as a result. No factor is 100% perfect but combining them gets you closer.

--
Pete Forman
https://payg-petef.rhcloud.com/
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2126

My iPhone has a fingerprint reader so I suppose that's 3fa
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3209

In both the original article and @sevenlayermuddle’s old account reset one authentication factor had been broken through losing or forgetting the password.

I don't agree.   The first factor has not been 'broken', it has been dismissed by the provider in the interests of providing continued service whilst minimising customer support overheads.  Security is then reduced to single factor, and an incredibly weak factor at that - much weaker than a simple password requirement.

A far more useful 'second factor', for account recovery, is a letter sent in the post to the home address of the account.   Some of the more serious UK financial institutions, as well as HMRC, do so.  The delay so caused is a further disincentive against any attempt to abuse it.   But can you imagine Google, or the money-grabbing mainstream banks, really wanting the bother of communicating with their customers that way?   

It is worth stressing that, despite screaming headlines in newspapers, password 'hacking' is very, very rare.  Most passwords are 'stolen' either by hacking the provider, or phishing techniques.
Logged

petef

  • Member
  • **
  • Posts: 51

Alright, I could have used a better word than ‘broken’.

For something you have, a postbox on your house is more secure than a SIM card but even that is not infallible. Witness the recent fake postboxes in Manchester.

Resetting an account is not the canonical case of multi-factor authentication. This topic was about Gmail which in the cited articles was enforcing 2FA where both factors must be satisfied for a new device. Account recovery involves using alternative avenues of trust where the usual factors are unavailable.

Loosely speaking, n-factor authentication can be used at its most secure when all n factors are satisfied. To be pragmatic fewer are called for when, for example, the server has established trusted devices. It may also happen that 3FA is set up but access is allowed for 2 out of 3.

--
Pete Forman
https://payg-petef.rhcloud.com/
Logged
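
Added example, not part of any post in this thread: the argument in the posts above (a recovery route that accepts the SMS code alone makes the whole account single-factor, and "2 out of 3" policies) written as a small audit model. The path names, factor labels and the postal-letter variant are assumptions made for illustration.

```python
from itertools import combinations


def k_of_n(factors, k):
    """Every k-sized subset of the enrolled factors, e.g. '2 out of 3'."""
    return [frozenset(c) for c in combinations(sorted(factors), k)]


def minimal_sets(paths):
    """Accepted factor sets that contain no smaller accepted set, over all paths."""
    accepted = {frozenset(s) for sets in paths.values() for s in sets}
    minimal = [s for s in accepted if not any(o < s for o in accepted)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def effective_factors(paths):
    """How many factors the weakest route into the account really demands."""
    return min(len(s) for s in minimal_sets(paths))


def paths_opened_by(paths, held):
    """Routes that succeed for someone holding only the factors in `held`."""
    held = frozenset(held)
    return sorted(name for name, sets in paths.items()
                  if any(frozenset(s) <= held for s in sets))


# Constructed models; path and factor names are hypothetical labels.
AS_OBSERVED = {
    "login_new_device": [{"password", "sms_code"}],
    "recovery_forgot_password": [{"sms_code"}],  # SMS code alone resets the password
}
# Assumed variant: recovery also needs a letter posted to the account's address.
WITH_POSTAL_STEP = {
    "login_new_device": [{"password", "sms_code"}],
    "recovery_forgot_password": [{"sms_code", "postal_letter"}],
}
# "3FA is set up but access is allowed for 2 out of 3".
TWO_OF_THREE = {"login": k_of_n({"password", "sms_code", "fingerprint"}, 2)}

if __name__ == "__main__":
    models = [("as observed", AS_OBSERVED), ("postal step", WITH_POSTAL_STEP),
              ("2 of 3", TWO_OF_THREE)]
    for label, model in models:
        print(label, "| effective factors:", effective_factors(model),
              "| SMS alone opens:", paths_opened_by(model, {"sms_code"}))
```

Running the same functions over a provider's real list of sign-in and recovery routes shows which single route sets the account's actual strength.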

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4791

What people need to realise is that there is no such thing as 100% security, if you expect that, then you already have the wrong mindset.

At the same time there also usually has to be a balance with usability.

With that said though I have never been a fan of SMS being used for authentication, in my mind the perfect thing to pair with a password is using an authentication key.
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

Dray

  • Kitizen
  • ****
  • Posts: 2126

That just shifts responsibility to a 3rd party CA who you have to trust
Logged

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4791

Authentication keys don't use a CA.

It is just a private and public key pair used to authenticate.
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab