Kitz ADSL Broadband Information

Author Topic: Hackers Find Clever Way to Bypass Google's Gmail Two-Factor Authentication  (Read 9619 times)

RayW

  • Member
  • **
  • Posts: 42
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369

Must say, while I was initially enthusiastic about 2FA when it was introduced, I'm no longer too sure.

Too many vulnerabilities coming to light.   :(
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

Like most things common sense needs to be applied.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369

Common sense is not to blame for some of the shortfalls.  For example, where the villain persuades the mobile operator to send a replacement sim, istr a few customers of the banks were getting caught out by that one not long ago?

And in these days of 'uncrackable' smart phones, we probably all have a password/pin locking the handset data.   But how many people still bother with an additional sim PIN lock as, without it, a phone thief merely needs to swap the sim over to a different handset, and thereby gain access to 2FA texts..?

Not sure about the others, but Google encourage registering a second phone, which may be a landline,  for receiving the texts, in case the usual one is not available.   Which doubles the risks and in many cases leads to the code being sent over unencrypted analog.

One of the biggest problems though, in my view, is the providers often allow the 2FA code mechanism to be used for account recovery for password recovery.   That's not 2FA any more, it's just a single factor - and a rather weak factor at that, for reasons above...
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2361

Why would anyone send an authentication code FROM Google TO Google? Doesn't make sense.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369

Quote from Dray: "Why would anyone send an authentication code FROM Google TO Google? Doesn't make sense."

Any time you login using 2FA, that's exactly what you do.   Google send you a random code in a text message and, if you can quote it back to them, it 'proves' you are in physical possession of the mobile phone which thus becomes a personal dongle.

I agree many people will see through this particular exploit, but many others, with just average awareness, would not.   The first SMS is fake but the text message from Google would be absolutely genuine.   It really comes from Google, which might make it all quite convincing for a fair percentage of the population...

And I'd assume the same tactic can be deployed against banks that encourage similar 2FA logins.
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2361

no you don't text it back to them
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369

Quote from Dray: "no you don't text it back to them"

I did not mean to suggest we text it as part of a normal login.   I was simply pointing out that is in essence exactly the mechanism by which 2FA works.   Google send you a code and you send it back again.  Yes, you send it as data on an html page, but you are still sending the same code back nonetheless. 

In this case the scammer is hoping people will be willing to send it as SMS rather than html and I can well imagine some people will fall for that.   To non-computer savvy folks, even if moderately intelligent, it could all make a good deal of sense...
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2361

The problem is that computers were never meant for non-computer savvy folk
Logged

petef

  • Reg Member
  • ***
  • Posts: 135

2FA is a second line of defence. The exploiter in this instance already had the victim’s gmail address and password. So your ordinary user would already be pwned by this stage.

That said, 2FA is only really 1½FA on a smartphone. If someone is into your phone then they can probably access email, SMS, Authenticator app, etc. For true 2FA the authentication factors should be independent.

--
Pete Forman
https://payg-petef.rhcloud.com/
Logged
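Added example, not part of any post in this thread: a small Python audit of the two points made above, that a text-message password reset leaves a single factor and that two factors held on one smartphone are not independent. The factor names, assets and paths are constructed for illustration and are not any provider's real policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Factor:
    name: str
    kind: str   # "knowledge" or "possession"
    asset: str  # what an attacker must control to supply this factor

# Constructed factors for illustration; not any provider's real policy.
PASSWORD = Factor("password", "knowledge", "user's memory")
SAVED_PASSWORD = Factor("password saved on phone", "knowledge", "phone")
SMS_CODE = Factor("SMS code", "possession", "phone")

# Every route that ends in a logged-in session, with the factors it demands.
PATHS = {
    "login from new device": [PASSWORD, SMS_CODE],
    "login on the phone itself": [SAVED_PASSWORD, SMS_CODE],
    "password reset by text": [SMS_CODE],
}

def effective_factors(factors):
    """Count factors that differ in kind AND sit on separate assets."""
    kinds = {f.kind for f in factors}
    assets = {f.asset for f in factors}
    return min(len(kinds), len(assets))

def audit(paths, required=2):
    """Return {path: reason} for each path weaker than `required` factors."""
    findings = {}
    for name, factors in paths.items():
        if effective_factors(factors) >= required:
            continue
        if len({f.kind for f in factors}) < required:
            reason = "only " + " + ".join(f.name for f in factors)
        else:
            reason = "all factors on one asset: " + factors[0].asset
        findings[name] = reason
    return findings

def account_strength(paths):
    """An account is as strong as its weakest path."""
    return min(effective_factors(f) for f in paths.values())

if __name__ == "__main__":
    for path, reason in audit(PATHS).items():
        print(f"{path}: {reason}")
    print("effective factors for the account:", account_strength(PATHS))
```

The account scores 1 even though its normal login demands two factors, because the reset path and the on-phone path each need only the phone.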

Dray

  • Kitizen
  • ****
  • Posts: 2361

How can they get into your phone? The FBI paid more than $1.3 million to break into San Bernardino iPhone.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369

Quote from petef: "The exploiter in this instance already had the victim’s gmail address and password."

Are you sure of that?

I was assuming that the user had also enabled account recovery by text message, whereby if you forget your password, a recovery code is texted to your phone, allowing you to choose a new password and login, without knowing the old password.   I've not yet tried it, so unsure of the detail, but that's my understanding...

The villain does of course still need your email and your phone number, all the more reason for not sharing them on social media.
Logged

petef

  • Reg Member
  • ***
  • Posts: 135

Quote from Dray: "How can they get into your phone? The FBI paid more than $1.3 million to break into San Bernardino iPhone."

By stealing it. There must be many who do not bother to lock their phones or use an easy passcode.

The FBI might have been able to save themselves a lot of cash if the San Bernardino County officials had not reset the iCloud account.

--
Pete Forman
https://payg-petef.rhcloud.com/
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2361

I don't think stealing it would be enough. The FBI had access to the phone and couldn't get into it. I doubt the odd thief would be able to.
Logged

petef

  • Reg Member
  • ***
  • Posts: 135

Quote from sevenlayermuddle:
"Are you sure of that?

I was assuming that the user had also enabled account recovery by text message, whereby if you forget your password, a recovery code is texted to your phone, allowing you to choose a new password and login, without knowing the old password.   I've not yet tried it, so unsure of the detail, but that's my understanding...

The villain does of course still need your email and your phone number, all the more reason for not sharing them on social media."

According to the Softpedia article cited by the OP this was not an account recovery. It was an otherwise valid attempt to access an account from a new device. If you do not have 2FA turned on then Google will notify you by email (spot the hole there) but permit the new device. With 2FA you must accept the new device from a trusted device or pass on a verification code.

--
Pete Forman
https://payg-petef.rhcloud.com/
Logged