"We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,"
They're just learning this??
In a Wednesday mea culpa, Reddit – the online chat board that got a little out of hand and became the sixth most-visited website on the internet – has admitted it was raided by hackers unknown. For four days, specifically June 14 to June 18, miscreants managed to break into the website's cloud hosting and source-code …
Some companies are still blind to this issue. My bank has confirmed that Visa is implementing an "industry-wide switch" to SMS 2FA. They believe it "has proven more effective in preventing fraud attempts than the current system," namely Verified by Visa.
So are they painting a big target onto all Visa customers?
I'm not saying that Verified by Visa sucked, but it could take the chrome off a trailer hitch. SMS as second factor is... a touch more secure than that. (to make a clothing comparison, VbV was a string bikini, and SMS2 is at least a jacket or a thick t-shirt.)
And TBH, 2FA is a pain in the butt no matter how you slice it, but it's one of those 'how much risk can we accept' things.
My bank is a little too trusting in that they only need chip and PIN to take out large amounts of money at the desk (even though it's policy to show two forms of ID, they do know who I am, which might be why they skip it, but they still said chip and PIN is enough at the desk).
But SMS 2FA is just because they believe using an authenticator app for 30-second codes is too hard for Joe Public.
VbV was always a complete load of cobblers.
Why can't they use the chip on the card's own signing as verification? We all have the little pin machines now that do challenge-response authentication.
I was kind of astonished when I found out my bank was more or less unique in using the "identify" time-based password mode on those things for access to online banking, and they're still not using the challenge-response mode for access to telephone banking, just a PIN.
"We all have the little pin machines now that do challenge-response authentication."
I certainly don't have any such thing, and will not.
VbV shows up doing online transactions sometimes, which usually causes me to abandon the transaction.
And I do not use SMS, nor do I intend to convert my phone to a smartphone.
The bad ideas just keep on coming.
It's for the most part quite easy to do "SS7" (all SMS show on a web page).
Or they hijack the phone account (SIM swap, so they have a SIM card with your number and can get the SMS codes); typically they convince them they are you and get them to do a SIM swap (I've seen some mobile companies reactivate a SIM card after it was reported by the owner as hijacked; the hijacked account was then used to steal a lot of money from someone's account).
SMS is very insecure for someone who is targeting you.
They should be using a 2FA app or RSA keys.
I wish Google would let me not use an email or number for 1FA account recovery (they do have a locked-down account mode where you have to use two U2F keys (one is a U2F Bluetooth/NFC push button, the second is backup and account recovery)), even if I have 2FA enabled on my account;
if I remove the recovery options I run the risk of never being able to get into my account if it's locked out for some reason, as it asks for things that I don't know (my phone itself should be the ultimate trusted source, but that can be delinked from the Google account).
It does make one wonder about how many other times they've penetrated.
That's very Zen of you! Assuming the stuff is hosted externally how would anyone know that someone else got read access?
The aphorism is that there are two types of victims of hacking: those that know they've been hacked…
If they hadn't hired an InfoSec guy would they even have announced this breach?
If they hadn't hired an InfoSec guy, would they even have known - that's a scarier question.
And why on earth are they keeping ten year old backups anyway? That makes me suspicious.
"It does make one wonder about how many other times they've penetrated"
I would say that it approaches a certainty that there was at least one. The criminals who get caught are the ones who are stupid and/or sloppy. You almost never hear about the ones who are actually competent.
“U2F Explained: How Google and Other Companies Are Creating a Universal Security Token”
If it can be mathematically reduced to "something you know" and every hardware token can be, it is not 2FA in the formal sense. In my case I have a list of token IDs in a database. If they get stolen, then whoever stole them can pretend to be any hardware token I've issued.
The real problem is that any proper 2FA system needs to integrate into older hardware. Sysadmins need to log into things like switches and routers and firewalls, and many of them just don't have proper hooks, and many that do can be tricked with things like fake RADIUS servers. Most 2FA solutions are Windows-only or support a very limited range of hardware. The old OATH and HOTP systems could be done on just about anything, but like the old RSA tokens, once you have the secret keys, it isn't anything other than an annoying one-time password.
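Added example, not code from any commenter or vendor: RFC 4226 HOTP and RFC 6238 TOTP in Go, i.e. the 30-second codes the authenticator apps recommended above produce instead of SMS. It also shows the point made in the comment just above: the seed is the whole secret, so a copied seed (a dumped token database, an exported QR code) yields identical codes with no further access to the victim. The secret is the RFC test vector, not a real seed; the one-step drift window in VerifyTOTP is an assumption, not anything the RFC mandates.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes an RFC 4226 one-time password of `digits` digits from a
// shared secret and a moving counter: HMAC-SHA1, dynamic truncation, mod 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil) // 20 bytes
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter set to the number of `step`-long intervals
// since the Unix epoch (RFC 6238); authenticator apps use step = 30s.
func TOTP(secret []byte, t time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(t.Unix()/int64(step/time.Second)), digits)
}

// VerifyTOTP accepts the code for the current step or one step either side
// (assumed drift window) and compares in constant time.
func VerifyTOTP(secret []byte, code string, t time.Time, step time.Duration, digits int) bool {
	cur := t.Unix() / int64(step/time.Second)
	for d := int64(-1); d <= 1; d++ {
		if hmac.Equal([]byte(HOTP(secret, uint64(cur+d), digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret, not a real seed
	now := time.Now()
	code := TOTP(secret, now, 30*time.Second, 6)
	fmt.Println("authenticator shows:", code, "accepted:", VerifyTOTP(secret, code, now, 30*time.Second, 6))
	// Anyone holding a copy of the seed is a second, indistinguishable authenticator.
	stolen := append([]byte(nil), secret...)
	fmt.Println("copied seed shows:  ", TOTP(stolen, now, 30*time.Second, 6))
}
```

The counter is derived from the clock, so nothing about the code proves possession of a device; it proves possession of the seed. That is the difference from the U2F tokens discussed further down, where the secret key is generated inside the device and is not exportable by design.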
Then they'll just hack the source and reverse-engineer the implementation. Then you can clone. What man can create, man can RE-create. Isn't that what the attack on RSA was about?
And as for the whole "something you know, etc." business, there's still no practical solution for people with such bad memories that at least "something you know" can't be relied upon. And yes, they exist. I deal with them every day, yet they're too proud to ask for help when they MUST go online to check their bank accounts, benefits, etc.
> Then they'll just hack the source and reverse-engineer the implementation.
There is no source or implementation to attack, the dongle runs on a Field Programmable Gate Array (with added noise circuit to prevent side channel attacks) with any number of permutations to provide functionality. Each U2F token contains a unique key. Reverse-engineering one key provides no usable information on any other. If the token gets lost or stolen then the key is revoked.
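Added example, not from the commenter or any token vendor: a simplified model in Go of what the comment above describes, a U2F token with a distinct P-256 key per registration, a key handle that only the issuing token recognises, and revocation that amounts to the site dropping one public key. The signed payload follows the U2F raw message layout (appId hash, user-presence byte, big-endian counter, challenge hash); because the origin is mixed into both the key-handle check and the signed data, a look-alike origin that relays the real site's handle and challenge gets no usable signature. Simplifications to note: real tokens usually re-derive the private key from the key handle rather than storing it, and the real client-data hash covers more than the challenge. Origin strings and the challenge are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Token models a U2F authenticator: per-registration keys that never leave
// the device, a per-device secret that MACs key handles, a monotonic counter.
type Token struct {
	master  []byte
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	counter uint32
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewToken() *Token {
	return &Token{master: randomBytes(32), keys: map[string]*ecdsa.PrivateKey{}}
}

func appIDHash(origin string) []byte {
	h := sha256.Sum256([]byte(origin))
	return h[:]
}

// handleTag binds a key-handle nonce to an origin under the device secret.
func (t *Token) handleTag(origin string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, t.master)
	mac.Write(appIDHash(origin))
	mac.Write(nonce)
	return mac.Sum(nil)
}

// Register mints a fresh key for this origin; the site stores handle and public key.
func (t *Token) Register(origin string) ([]byte, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nonce := randomBytes(16)
	handle := append(nonce, t.handleTag(origin, nonce)...) // 16-byte nonce || 32-byte tag
	t.keys[string(handle)] = priv
	return handle, &priv.PublicKey
}

// signedData is the U2F authentication payload, hashed for ECDSA:
// appIdHash || user-presence byte || counter (big-endian) || SHA-256(challenge).
func signedData(origin string, counter uint32, challenge []byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	ch := sha256.Sum256(challenge)
	msg := append(appIDHash(origin), 0x01)
	msg = append(msg, ctr[:]...)
	msg = append(msg, ch[:]...)
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Authenticate signs for the origin the client reports. A handle minted by
// another token, or for another origin, fails the tag check and is refused.
func (t *Token) Authenticate(origin string, handle, challenge []byte) (uint32, []byte, error) {
	if len(handle) != 48 || !hmac.Equal(handle[16:], t.handleTag(origin, handle[:16])) {
		return 0, nil, errors.New("key handle was not issued by this token for this origin")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.keys[string(handle)], signedData(origin, t.counter, challenge))
	return t.counter, sig, err
}

// RelyingParty is the site: enrolled public keys and the last counter seen per key.
type RelyingParty struct {
	Origin string
	pubs   map[string]*ecdsa.PublicKey
	last   map[string]uint32
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubs: map[string]*ecdsa.PublicKey{}, last: map[string]uint32{}}
}

func (rp *RelyingParty) Enroll(handle []byte, pub *ecdsa.PublicKey) { rp.pubs[string(handle)] = pub }

// Revoke is all a lost token needs on the server side: forget its public key.
func (rp *RelyingParty) Revoke(handle []byte) { delete(rp.pubs, string(handle)) }

// Verify checks the signature against the site's own origin and insists the
// counter advanced, which catches replays and some cloned tokens.
func (rp *RelyingParty) Verify(handle []byte, counter uint32, challenge, sig []byte) error {
	pub, ok := rp.pubs[string(handle)]
	if !ok {
		return errors.New("unknown or revoked key handle")
	}
	if !ecdsa.VerifyASN1(pub, signedData(rp.Origin, counter, challenge), sig) {
		return errors.New("bad signature")
	}
	if counter <= rp.last[string(handle)] {
		return errors.New("counter did not advance: replay or cloned token")
	}
	rp.last[string(handle)] = counter
	return nil
}
```

The caveat raised later in this thread still applies: the origin comes from the client software, so a browser that is already compromised can present the genuine origin and relay a genuine challenge, and the token will sign it. What the per-origin key prevents is the off-host case, a phishing site at another origin harvesting something it can replay to the real one.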
"there's still no practical solution for people with such bad memories that at least "something you know" can't be relied upon"
To this day, I can't get that annual free credit report that credit companies are legally required to provide me, because I can't remember enough details about my more distant past to be able to answer their authentication questions.
I would really like to know what your definition of "something you have" is, or alternatively what is in your opinion "not something you know", seeing as how even a physical lock's key (or your fingerprints) are nothing but "something you know" as soon as anyone has e.g. a suitably detailed photo of either (or the manufacturer's bitting code for that key). In that respect, modern hardware tokens are far more "uncopiable" considering their secret key is supposed to be stored inside and not retrievable. I have my own issues with them, but I'm hard pressed to think of something more "something you have" than they are, for all practical purposes...
Sometimes focusing on passwords and 2FA ignores other solutions (or helpers). Restrict access to known IPs or networks and make everyone who needs to access stuff use a VPN on top of their own credentials. A well-configured and maintained VPN should detect intruders before they can access any systems.
This is basically what we do.
All our repos, file/build archive, Jenkins, Kibana etc. are behind the VPN, with no direct access from anywhere, not even from our own LAN.
The VPN uses client-auth TLS (so it should only work from devices with the correct cert), plus to log in you need a username + password + a generated token code (from a mobile app), with no "remember me" option and no SMS option.
This is what I do in my own home network, too. Even if you're entirely behind my firewall, if you aren't connecting through my VPN then you can't access any other machines or services on my LAN. Although my reason for this is ensure that all traffic is encrypted rather than for authentication.
I even run two different VPNs -- one for access from behind my firewall and one for access from outside my firewall.
"I guess this must be standard accepted practice."
It's completely standard and expected practice -- I'd be willing to bet there isn't a single major online social media outfit that isn't full of sockpuppets. That's one of the reasons why you can't believe any metrics about the number of users on any of these services.
But I don't think it's "accepted" by anybody aside from the services themselves.
... has been as much about getting another one of your identifying numbers* in marketers databases as actual security.
*Ask for a Social Security Number as a link between multiple databases and most people will balk. Ask for a phone number (when everyone lives through their phone) and 'No problem'.
Pointless story about a failed company with idiots in charge.
Write one about phishing being stopped 100% with U2F security tokens with Google
Oh it's been done, lol..
Wake up SHEEP, been out for years.
https://www.youtube.com/watch?v=Vja-SC791E8
Yeah, but what about direct pwning of client machines where the devices are plugged in? As I recall, even FIDO admits there's no real solution for a pwned user interface (a Man-In-The-Browser attack) unless the device has its own interface...and once it has an interface, it itself becomes a target.
Plus, according to this WIRED article, if there is an alternate way to reach the USB stack, there can still be a way for a phishing site to trick a U2F device.
So basically, something like U2F is another factor, but there's nothing preventing ALL the factors being targeted at the same time. And if it exists, it can probably be targeted.