Discussion in 'privacy technology' started by ronjor, Sep 14, 2017.
By Markus Jakobsson on September 14, 2017
Not all 2FA is equal. Everyone knows SMS (and biometrics) is a disaster area.
Yet the adoption of the cheap and relatively privacy-friendly U2F dongle (FIDO, which is not just Google) has been glacial in the market. And the reason for this is that the corporates desperately want your mobile phone number and hopefully face-print and finger-print, because they then "have" you. With a U2F dongle they don't - who cares that their schemes are inadequate, because they don't get hit with sufficient liability claims.
When you turn a new iPhone on for the first time, it is like being arrested.
Put your thumb here. Turn your thumb this way, turn your thumb that way.
Hold the phone while it takes your picture.
Speak this phrase into the phone so it can collect your voice sample.
It's almost funny, but not.
U2F all the way!
I use Yubikey.
Hacker Kevin Mitnick shows how to bypass 2FA
Haven't read everything yet, but isn't this how banking trojans operate?
Cracking 2FA: How It's Done and How to Stay Safe
Two-factor authentication is a common best security practice but not ironclad. Here's how it can be bypassed, and how you can improve security.
May 17, 2018
Amnesty International reveals how 2FA is being bypassed automatically
December 20, 2018
The routine cracking of SMS and TOTP codes is unfortunately illustrative of the problem with the "low-hanging fruit" argument. Due to the industrialisation of attack tools by LE and others, one can no longer assume that middle-level precautions will be any better than none against these adversaries.
It makes the pathetic adoption of U2F, and the additional confusion of Webauthn (virtually unsupported by websites currently), exceptionally annoying. We know how to do it better, but it's not happening (which I suspect is because of its effectiveness against both mitm and privacy attacks).
First of all, the TOTP codes should never be sent to you, ever. In the case mentioned above the hackers would have access to such an account ONCE, since any subsequent logins would require a different TOTP code, which they could NOT generate. That is, unless you once again fell prey to their MITM fake site. SMS, while better than nothing, is very weak because it requires a transmission to the user, which can be picked off in transit. As DeBoetie mentioned, U2F is the current way to go. I use it on almost all my real-name accounts, OR I move/cancel where I can to set up accounts that have U2F. Plain and simple, you can't get U2F universally, but if a competitor offers it and you don't, well, I am gone!
New tool automates phishing attacks that bypass 2FA
January 9, 2019
It's not clear to me if it needs to run inside browser memory? If so it will have to inject code, I suppose?
Injecting code isn't needed. A token which has been entered on the phishing domain is intercepted and the attacker can use it.
(of course credentials will also be intercepted)
The attack is ineffective against hardware security keys.
Yes, but this tool still needs to run on the attacked machine right? So if it doesn't need to inject code, it will still need to be in control of network connections, so shouldn't a firewall be able to block it? Weird that they never mention this kind of stuff.
No, it doesn't need to be run on the attacked machine, it doesn't work that way.
Victims are connecting to the (attacker-prepared) Modlishka server, which is hosting the phishing domain.
The attacker can log in to the Modlishka backend panel and is able to see all collected credentials.
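The relay described in the posts above, as an added, constructed simulation (not code from the thread and not Modlishka's own code): a proxy forwards the real site's prompts to a look-alike page and forwards whatever the victim produces back. A TOTP code carries no trace of the page it was typed into, so it relays cleanly. A U2F/WebAuthn assertion is a signature over the RP ID hash and over clientData, which the browser fills with the origin the page was actually served from, and the browser will not even ask the key for a signature unless the claimed RP ID matches that origin. The domain names `bank.example` and `bank-example.evil` are assumptions, and an HMAC with a per-RP derived key stands in for the key's ECDSA signature so that the example runs on the standard library alone; the origin-binding checks are the point, not the signature algorithm.

```python
"""Constructed simulation: reverse-proxy phish vs TOTP and vs a security key.
Stdlib only. HMAC stands in for the key's ECDSA signature (assumption)."""
import hashlib
import hmac
import json
import os
import struct

REAL_RP_ID = "bank.example"                 # assumed names, not from the thread
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.evil"  # the proxy's look-alike domain


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


def totp_relay(secret: bytes, now: int) -> bool:
    """Victim types the live code into the phishing page; the proxy forwards it
    unchanged within the same time step. The code says nothing about which
    page it was typed into, so the real site accepts it."""
    typed_on_phish = totp(secret, now)
    return hmac.compare_digest(typed_on_phish, totp(secret, now))


class Authenticator:
    """Security key: one credential per RP ID, derived from a master secret
    (stand-in for U2F key-handle derivation)."""
    def __init__(self):
        self.master = os.urandom(32)
        self.counter = 0

    def credential(self, rp_id: str) -> bytes:
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()

    def sign(self, rp_id: str, client_data_hash: bytes):
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">I", self.counter)
        sig = hmac.new(self.credential(rp_id), auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(key: Authenticator, origin: str, rp_id: str, challenge: str):
    """Browser side: refuse unless rp_id is valid for the page origin, then put
    the real origin into clientData before the key signs its hash."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    auth_data, sig = key.sign(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str, credential: bytes):
        self.rp_id, self.origin, self.credential = rp_id, origin, credential
        self.pending = set()

    def challenge(self) -> str:
        c = os.urandom(16).hex()
        self.pending.add(c)
        return c

    def verify(self, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False
        if cd.get("origin") != self.origin:          # the check a relay cannot satisfy
            return False
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(self.credential, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(cd["challenge"])
        return True


def webauthn_login(rp: RelyingParty, key: Authenticator, page_origin: str, claimed_rp_id: str) -> str:
    """One login from a page at page_origin; the proxy relays the real challenge."""
    challenge = rp.challenge()
    try:
        client_data, auth_data, sig = browser_get_assertion(key, page_origin, claimed_rp_id, challenge)
    except ValueError:
        return "browser refused"
    return "accepted" if rp.verify(client_data, auth_data, sig) else "rejected"


def webauthn_relay_with_rewrite(rp: RelyingParty, key: Authenticator) -> str:
    """Proxy uses its own rpId, collects an assertion, then rewrites origin and
    rpIdHash to look like the real site. The signature covers both fields."""
    challenge = rp.challenge()
    client_data, auth_data, sig = browser_get_assertion(key, PHISH_ORIGIN, "bank-example.evil", challenge)
    cd = json.loads(client_data)
    cd["origin"] = rp.origin
    forged_cd = json.dumps(cd, sort_keys=True).encode()
    forged_ad = hashlib.sha256(rp.rp_id.encode()).digest() + auth_data[32:]
    return "accepted" if rp.verify(forged_cd, forged_ad, sig) else "rejected"


def demo() -> dict:
    key = Authenticator()
    rp = RelyingParty(REAL_RP_ID, REAL_ORIGIN, key.credential(REAL_RP_ID))
    return {
        "totp relayed by proxy": totp_relay(b"12345678901234567890", 59),
        "key on real site": webauthn_login(rp, key, REAL_ORIGIN, REAL_RP_ID),
        "key on phish, real rpId": webauthn_login(rp, key, PHISH_ORIGIN, REAL_RP_ID),
        "key on phish, phish rpId": webauthn_login(rp, key, PHISH_ORIGIN, "bank-example.evil"),
        "key on phish, rewritten": webauthn_relay_with_rewrite(rp, key),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

Running `demo()` shows the TOTP relay succeeding while every security-key path fails: the browser refuses to use the real RP ID from the phishing origin, an assertion made under the phishing site's own RP ID carries the wrong origin and RP ID hash, and rewriting those fields breaks the signature. The TOTP routine uses the RFC 6238 test secret, so `totp(b"12345678901234567890", 59)` should give `287082`.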
Yet Another Bypass: Is 2FA Broken? Authentication Experts Weigh In
January 11, 2019
Interesting reading. Once again we need to "emphasize" that U2F remains untouchable, which is the only solid 2FA approach.
Untouchable is perhaps a bit strong! It is still possible to MiTM if you have a valid CA cert, and if ChannelIDs are not supported by the browser.
The more annoying aspect is the dearth of browsers and sites supporting U2F keys; and now we have the dismal prospect of waiting till FIDO2 and WebAuthn are ratified, tested and implemented (dodgy ECC and all) till anyone else will likely support it. And hope that the backwards compatibility with FIDO 1 actually works. And hope that there's an implementation of NFC-based hardware token authentication on smartphones - not the rubbish biometric stuff they foist on an unsuspecting public.
Me? I think it's absurd this is not yet fixed and implemented. It's not primarily a technical or cost-to-implement problem, it reflects the lack of power and protection of consumers from the privacy destroying corporates and websites.
I actually use that with my Android, but the sites that support that process are so limited.
deBoetie, do you have a link leading to a valid MITM where a user such as myself is using full blown U2F elements? I am not visualizing how that is possible.
I'm not aware of Android allowing authentication to the phone itself using an NFC key - I thought Android and iOS were both resolutely biometric + PIN. Of course, authentication to different websites can be done on Android with an NFC token, which is great.
The discussion which described a MiTM with U2F was:
This relies on a) getting a valid but dodgy CA, and b) downgrading ChannelID. Quite feasible for a nation state. Of course this is nearly 2 years ago, and who knows what's changed since, and whether Webauthn will be better or worse.