Great summary of how your phone and two-factor authentication don’t always protect you.
Full Article Here:
Here’s how two-factor authentication is supposed to work: You log in to your bank account or email inbox, and after correctly entering your password, you are prompted to confirm the login through an app on your cellphone, a one-time code sent to you via text message or email, a physical YubiKey device or even a phone call. That app, text message, email, YubiKey or phone call is your “second factor,” intended to ensure that even if the person trying to log in isn’t really you, he or she still can’t gain access to your accounts without access to your phone or YubiKey.
You might find two-factor authentication mildly irritating, and there’s a chance you might not even notice the extra step in the login process anymore. Regardless, you probably feel a certain comfort in the idea that at least your money or your inbox is well protected. But like so many other commonly accepted best practices in computer security, we actually know very little about how well two-factor authentication works.
In December, Amnesty International released a report describing an easy-to-apply technique being used to compromise accounts protected by two-factor authentication. The hackers whom Amnesty International investigated, who were targeting accounts belonging to individuals in the Middle East and North Africa, set up phishing pages that captured not only users’ passwords but also the one-time authentication codes generated by their two-factor services.
Setting up phishing websites that look like the login pages for well-known web services is a common way to steal passwords online. Here’s the way it works: Someone designs a website that looks almost exactly like Bank of America’s website and then emails you a message, purporting to be from Bank of America, warning you that your account is about to expire, or your information needs to be updated, and directing you to a fake site where you believe you’re logging into your bank account but instead are just typing your password into a website owned by scammers.
This type of phishing is precisely the kind of threat that two-factor authentication is supposed to protect you against. Unlike so-called dictionary attacks — in which hackers try to guess your password by running through a dictionary of possible choices — forcing people to develop more complicated or longer passwords (a minimum of eight characters with uppercase and lowercase letters, and at least one symbol and one number) does not help at all when someone steals your password via phishing. So the password-complexity requirements that have reigned as a common (and irritating) best practice in every workplace for years are increasingly supplemented by two-factor authentication, to protect you against both dictionary attacks and phishing attacks.
But it turns out that the one-time codes generated by people’s smartphones or sent via text message and email can also be phished. If you’re the hacker, all it takes is adding a component to your fake Bank of America website so that after you prompt someone for his password, you try to log in to his real Bank of America account using the password he has just provided, triggering a second-factor alert that doesn’t alarm him because he thinks he’s signing into Bank of America too. Then, on your fake phishing site, you prompt him to enter his second-factor code and use it to complete the login.
The activity in Amnesty International’s report is not even the first time that two-factor authentication has been compromised in that manner. In 2014, an F.B.I. special agent, Elliott Peterson, described how malware distributed by the botnet GameOver Zeus could compromise two-factor authentication protecting bank accounts in the same way.
The fact that two-factor authentication can be compromised through fairly straightforward, widely used tactics is no reason to stop using it. After all, no security tool is perfect. As long as it significantly decreases the likelihood of account compromises, two-factor authentication is still worth using. But we don’t know a lot about how much two-factor authentication actually helps protect your accounts.
Google has offered its optional two-step verification system to Gmail users since 2011 but has never released any data about its effectiveness at driving down account compromises. In fact, last year Google switched all of its employees from using the Google Authenticator app for two-factor authentication to physical security-key devices that need to be inserted into a computer port to complete a login. Since making that switch, Google announced last July, none of its employee accounts have been compromised. The announcement seems to imply that the security provided through the app was not regarded as sufficient by the company for its internal accounts, even though it is what many Google users rely on. Should we all be using physical security keys? How much less effective is the Google Authenticator app? We still don’t know (though presumably, Google does).
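To make the contrast between the relayed codes described above and Google's security keys concrete, here is an added example (not code from the article or from Google). The TOTP function follows RFC 6238; the "security key" is a simplified stand-in that uses an HMAC key instead of a WebAuthn private key, and the origins, secrets and challenge are constructed.

```python
import hmac, hashlib, struct

# Added example, not from the article. The TOTP half is real (RFC 6238);
# the "security key" is a simplified stand-in: an HMAC key instead of a
# WebAuthn private key, with the browser-supplied origin mixed into the data.

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def bank_verifies_totp(secret, submitted_code, unix_time):
    # The bank sees only six digits; nothing in the code records which site the
    # user typed it into, so a code relayed from a look-alike page still verifies.
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)

REAL_ORIGIN = "https://bank.example"  # constructed

def key_signs_challenge(key, challenge, origin):
    # An origin-bound authenticator signs the challenge together with the
    # origin the browser is actually on; the user cannot edit that field.
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()

def bank_verifies_assertion(key, challenge, signature):
    expected = key_signs_challenge(key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, signature)

def relay_scenario(now=1_700_000_000):
    """Returns (totp_relay_accepted, key_relay_accepted, key_direct_accepted)."""
    secret, key, challenge = b"shared-totp-secret", b"device-key", b"nonce-123"
    # Code typed into the look-alike page and forwarded to the real bank.
    totp_relayed = bank_verifies_totp(secret, totp(secret, now), now)
    # Same challenge forwarded, but the key signed it for the look-alike origin.
    sig_phish = key_signs_challenge(key, challenge, "https://bank-login.example")
    key_relayed = bank_verifies_assertion(key, challenge, sig_phish)
    sig_real = key_signs_challenge(key, challenge, REAL_ORIGIN)
    key_direct = bank_verifies_assertion(key, challenge, sig_real)
    return totp_relayed, key_relayed, key_direct
```

The point the model makes is that the one-time code carries no information about where it was entered, whereas the origin-bound assertion does, so the bank can reject the relayed one without any help from the user.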
In the absence of any empirical evidence about how well two-factor authentication works, organizations have been rushing to institute it in recent years for fear of falling behind their peers. Even the federal government started rolling out two-factor authentication late last year to federal and state employees. The two-factor provider Duo Security saw its annual recurring revenue pass the $100 million mark in 2017, after increasing 135 percent in 2016. Last year Cisco purchased Duo for $2.35 billion, indicating just how valuable and ubiquitous this technology has become.
The rapid rise of two-factor authentication is not a bad thing. In fact, it’s probably a good thing, but we can’t know that for sure until we learn something about how well it’s working. It makes logical sense that requiring more pieces of information to log in to an account would serve to better protect that account, but relying on common-sense justifications for computer security has misled us before. For instance, many companies require employees to change their passwords every year or every 90 days. For years, this has been commonly accepted as a best practice for security based on the idea that it makes it more difficult for hackers to use old, stolen passwords. But in fact, those mandatory password changes might sometimes do more harm than good unless the password has been compromised.
Many computer security practices are propagated through misguided notions of “best practices” that businesses decide to adopt because they see everyone around them doing something and assume it must be the right choice. But just copying what everyone else is doing and calling it best practice does not actually help strengthen the security of our accounts or data. To do that, we need to be able to measure the impact of these practices using concrete data about whether they reduce instances of account compromises or stolen funds or intellectual property theft. We need the companies that operate and implement these security practices to track those metrics and be willing to release them, even when that data may not paint them in the best — or most secure — light. Otherwise, we’re left blindly adhering to supposed best practices without knowing what really works for cybersecurity.
If you haven’t changed your password after one of the countless data breaches over the past few years, the time is now.
Nearly 773 million records, including email addresses and passwords, were exposed in a data breach publicized by security researcher Troy Hunt this week. Hunt said this large collection of files, which could be the largest breach yet to be made public, was collected from a number of breaches and uploaded to the popular cloud service MEGA. That platform has since removed the data, which was promoted on popular hacking forums.
It’s not clear how long the sensitive records have been public, but the breach is wide-reaching. The list includes login credentials from more than 2,000 websites. The records were viewable to anyone with an internet connection. Troy Hunt, a web security expert and Australian regional director for Microsoft security, was alerted to the breach this week and independently verified the data.
“The unique email addresses totalled 772,904,991,” Hunt wrote on his website. “This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It’s after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of ‘cleanliness.’ This number makes it the single largest breach ever to be loaded into HIBP.”
You can check if your email, password, or other data appears on the list for free through his site. Hunt said even his own data appeared in the giant trove of stolen emails and passwords, despite his intensive security practices as a privacy professional.
“In terms of scale, this enormous trove of email addresses and unique passwords is monumental. Hackers could have accessed this data at any point,” said Ruchika Mishra, director of products and solutions at Balbix, a security firm in San Jose, Calif.
Large breaches like these are often used for credential-stuffing attacks, in which hackers use bots to automatically test millions of email and password combinations across many website login pages until they gain access. This means that if you use the same password across different websites, you could be at risk of being compromised, even at sites that weren’t hacked.
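The defender-side counterpart to this, as an added example (not from the article or from any vendor quoted in it): a small detector run over constructed login logs that separates a stuffing source (one IP, many distinct accounts, mostly failures) from an ordinary user retrying one account, and lists the accounts it did get into so they can be reset. The log format, IPs, accounts and thresholds are all constructed.

```python
import re
from collections import defaultdict

# Constructed login events (added example, not from the article). One source
# sprays a breach list across many accounts; another is a user retrying.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.5 login=fail user=alice@example.com
2019-01-17T10:00:02Z ip=203.0.113.5 login=fail user=bob@example.com
2019-01-17T10:00:02Z ip=203.0.113.5 login=fail user=carol@example.com
2019-01-17T10:00:03Z ip=203.0.113.5 login=ok   user=dave@example.com
2019-01-17T10:00:03Z ip=203.0.113.5 login=fail user=erin@example.com
2019-01-17T10:00:04Z ip=203.0.113.5 login=fail user=frank@example.com
2019-01-17T10:05:00Z ip=198.51.100.7 login=fail user=alice@example.com
2019-01-17T10:05:20Z ip=198.51.100.7 login=ok   user=alice@example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) login=(?P<result>ok|fail)\s+user=(?P<user>\S+)$")

def parse(log_text):
    """Parse the constructed format into dicts; unmatched lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def flag_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """IPs that hit many distinct accounts with mostly failures.

    A user mistyping a password retries one account; a stuffing bot spreads
    leaked pairs across many, so distinct accounts per source is the signal."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s[e["result"]] += 1
    flagged = {}
    for ip, s in per_ip.items():
        total = s["fail"] + s["ok"]
        if len(s["users"]) >= min_users and s["ok"] / total <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "failures": s["fail"], "successes": s["ok"]}
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into: reset these, not just block the IP."""
    return sorted({e["user"] for e in events if e["ip"] in flagged and e["result"] == "ok"})
```

The thresholds are illustrative; in production the distinct-account count would be computed per time window, and the successful logins from a flagged source are the ones that matter most, since blocking the IP alone leaves those accounts exposed.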
“Password dumps create a ripple effect of organizations spending precious time and resources on damage control,” said Rami Essaid, co-founder of the bot mitigation company Distil Networks. “While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur.”
The breach is yet another reminder that the best way to protect your privacy is to use a password manager and two-factor authentication, said Bill Evans, a vice president at California security firm One Identity.
He added that businesses have no excuse not to offer two-factor authentication, which requires users to input a code sent to their phone or email to log in, adding an extra layer of security. “For individuals, if your bank offers it, enable it,” he said. “If your bank does not offer it, change banks.”
You can check whether your bank and any other website you use offers two-factor authentication at 2FA. Evans also suggested all individuals start using a password manager like LastPass, 1Password, or Dashlane. If you already use one of these services, consider changing all the passwords stored in it because they could have been exposed in this latest breach.
Some managers, like LastPass, allow users to do this easily through a feature called “auto change.” Hunt noted that anyone who doesn’t trust a digital manager should at least consider physically writing down passwords in a notebook — anything is better than using the same password across multiple websites.
“The real risk posed by incidents like this is password reuse and you need to avoid that to the fullest extent possible,” he wrote.