Trouble in Paradise as Cyber Attackers Circumvent 2FA

Discussion in 'privacy technology' started by ronjor, Sep 14, 2017.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,875
    Location:
    Texas
    By Markus Jakobsson on September 14, 2017
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Not all 2FA is equal. Everyone knows SMS (and biometrics) is a disaster area.

    Yet the adoption of the cheap and relatively privacy friendly U2F dongle (Fido, which is not just Google) has been glacial in the market. And the reason for this is that the corporates desperately want your mobile phone number and hopefully face-print and finger-print, because they then "have" you. With a U2F dongle they don't - who cares that their schemes are inadequate because they don't get hit with sufficient liability claims.
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    When you turn a new iPhone on for the first time it is like being arrested.
    Put your thumb here. Turn your thumb this way turn your thumb that way.
    Hold the phone while it takes your picture.
    Speak this phrase into the phone so it can collect your voice sample.
    It's almost funny, but not.
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    U2F all the way!
     
  5. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    I use Yubikey.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  8. guest

    guest Guest

    Cracking 2FA: How It's Done and How to Stay Safe
    Two-factor authentication is a common best security practice but not ironclad. Here's how it can be bypassed, and how you can improve security.
    May 17, 2018

    https://www.darkreading.com/endpoint/cracking-2fa-how-its-done-and-how-to-stay-safe/d/d-id/1331835
     
  9. guest

    guest Guest

    Amnesty International reveals how 2FA is being bypassed automatically
    December 20, 2018
    https://www.theinquirer.net/inquire...veals-how-2fa-is-being-bypassed-automatically
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    The routine cracking of SMS and TOTP codes is unfortunately illustrative of the problem with the "low-hanging fruit" argument. Due to the industrialisation of attack tools by LE and others, one can no longer assume that middle-level precautions will be any better than none against these adversaries.

    It makes the pathetic adoption of U2F, and the additional confusion of Webauthn (virtually unsupported by websites currently), exceptionally annoying. We know how to do it better, but it's not happening (which I suspect is because of its effectiveness against both mitm and privacy attacks).
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    First of all the TOTP codes should never be sent to you, ever. In the case mentioned above the hackers would have access to such an account ONCE since any subsequent logins would require a different TOTP code, which they could NOT generate. That is unless you once again fell prey to their MITM fake site. SMS while better than nothing is very weak because it requires a transmission to the user, which can be picked off in transit. As deBoetie mentioned U2F is the current way to go. I use it on almost all my real name accounts OR I move/cancel where I can to set up accounts that have U2F. Plain and simple, you can't get U2F universally but if a competitor offers it and you don't, well I am gone!
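The single-use property discussed in the two posts above (a relayed TOTP code is good for one login in its time step and worthless afterwards) is something the server has to enforce, not something the code does by itself. The following is an added example, not code from the thread or from any product mentioned in it: an RFC 4226/6238 generator plus a server-side verifier that tolerates one step of clock drift but never accepts a counter value at or below the last one it already consumed for that user. The secret and user name are the RFC test vector and a constructed placeholder; the `TotpVerifier` class and its method names are this example's own.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_counter(now: int, step: int = 30) -> int:
    """RFC 6238 maps wall-clock seconds to a counter: one value per time step."""
    return now // step


class TotpVerifier:
    """Server-side verifier (hypothetical, for this example).

    Accepts a small clock-drift window, but refuses any counter value at or below
    the last one a user logged in with, so a code captured in transit cannot be
    replayed once the legitimate login (or the first relayed login) has used it."""

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6) -> None:
        self.step, self.window, self.digits = step, window, digits
        self._secrets: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_counter[user] = -1

    def verify(self, user: str, code: str, now: Optional[int] = None) -> bool:
        secret = self._secrets.get(user)
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False
        current = totp_counter(int(time.time()) if now is None else now, self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_counter[user]:
                continue  # this step (or an older one) was already consumed: replay
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226/6238 test secret; "alice" is a constructed user name.
    seed = b"12345678901234567890"
    v = TotpVerifier()
    v.enroll("alice", seed)
    code = hotp(seed, totp_counter(59))        # "287082" at t=59 (RFC 6238 vector)
    print("first use accepted:", v.verify("alice", code, now=59))   # True
    print("replay accepted:   ", v.verify("alice", code, now=59))   # False
    print("stale code later:  ", v.verify("alice", code, now=95))   # False
```

The replay check is what makes "ONCE" true in practice: without the `_last_counter` bookkeeping, a code relayed through a phishing page could be submitted again by the attacker for the rest of its 30-second step, and with a drift window it would still verify for up to a minute.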
     
  12. guest

    guest Guest

    New tool automates phishing attacks that bypass 2FA
    January 9, 2019
    https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  14. guest

    guest Guest

    Injecting of code isn't needed. A token which has been entered on the phishing domain is intercepted and the attacker can use it.
    (of course credentials will also be intercepted)
    The attack is ineffective against hardware security keys.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, but this tool still needs to run on the attacked machine right? So if it doesn't need to inject code, it will still need to be in control of network connections, so shouldn't a firewall be able to block it? Weird that they never mention this kind of stuff.
     
  16. guest

    guest Guest

    No, it doesn't need to be run on the attacked machine, it doesn't work that way.

    Victims are connecting to the (prepared by the attacker) modlishka server (which is hosting the phishing domain).
    The attacker can login to the modlishka backend panel and is able to see all collected credentials.
     
  17. guest

    guest Guest

    Yet Another Bypass: Is 2FA Broken? Authentication Experts Weigh In
    January 11, 2019
    https://threatpost.com/2fa-broken-authentication/140776/
     
  18. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Interesting reading. Once again we need to "emphasize" that U2F remains untouchable, which is the only solid 2FA approach.
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Untouchable is perhaps a bit strong! It is still possible to MiTM if you have a valid CA cert, and if ChannelIDs are not supported by the browser.

    The more annoying aspect is the dearth of browsers and sites supporting U2F keys; and now, we have the dismal prospect of waiting till Fido2 and Webauthn are ratified and tested and implemented (dodgy ECC and all), till anyone else will likely support it. And hope that the backwards compatibility with Fido 1 actually works. And hope that there's an implementation of NFC-based hardware token authentication on smartphones - not the rubbish biometric stuff they foist on an unsuspecting public.

    Me? I think it's absurd this is not yet fixed and implemented. It's not primarily a technical or cost-to-implement problem, it reflects the lack of power and protection of consumers from the privacy destroying corporates and websites.
     
  20. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I actually use that with my Android, but the sites that support that process are so limited.

    deBoetie, do you have a link leading to a valid MITM where a user such as myself is using full blown U2F elements? I am not visualizing how that is possible.
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I'm not aware of Android allowing authentication to the phone itself using an NFC key - I thought Android and iOS were both resolutely biometric + pin. Of course, authentication to different websites can be done on Android with an NFC token which is great.

    The discussion which described a MiTM with U2F was:

    https://security.stackexchange.com/questions/157756/mitm-attacks-on-fido-uaf-and-u2f

    This relies on a) getting a valid but dodgy CA, and b) downgrading ChannelID. Quite feasible for a nation state. Of course this is nearly 2 years ago, and who knows what's changed since, and whether Webauthn will be better or worse.
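Two claims in this thread can be shown in one small simulation: the guest's point (posts 14 and 16) that a relaying phishing server captures a typed token but is "ineffective against hardware security keys", and deBoetie's caveat above that a mis-issued certificate plus a ChannelID downgrade still leaves a gap. What follows is an added example written for this thread, not code from Modlishka, any FIDO library or any post here. It models only the data-binding logic: the browser builds clientData from the origin it is actually displaying and, when supported, from its own per-origin channel key; the relying party checks challenge, origin and channel id before the signature. Everything concrete is constructed and hypothetical: `bank.example` and `bank-login.example` as origins, `Authenticator`/`Browser`/`RelyingParty` as class names, and HMAC-SHA256 over a per-credential secret standing in for the ECDSA P-256 signature a real key would produce (so it runs on the standard library alone).

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

RP_ORIGIN = "https://bank.example"           # constructed relying-party origin
PHISH_ORIGIN = "https://bank-login.example"  # constructed relay/phishing origin


class Authenticator:
    """Stand-in for a U2F/FIDO2 key: signs whatever clientData the browser hands it.
    Real keys sign with ECDSA P-256 and the RP keeps only the public key; HMAC over a
    per-credential secret stands in for that signature in this example."""

    def __init__(self) -> None:
        self._creds: Dict[str, bytes] = {}

    def register(self) -> Tuple[str, bytes]:
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[handle] = key
        return handle, key  # the RP stores 'key' to verify later assertions

    def sign(self, handle: str, client_data: bytes) -> bytes:
        return hmac.new(self._creds[handle], client_data, hashlib.sha256).digest()


class Browser:
    """The client, not the page, fills in the origin field of clientData, so a relay
    cannot change it however faithfully it mirrors the real site."""

    def __init__(self) -> None:
        self._channel_ids: Dict[str, str] = {}

    def channel_id(self, origin: str) -> str:
        # Stand-in for a per-origin ChannelID / Token Binding key the browser proves
        # possession of on its *own* TLS connection.
        return self._channel_ids.setdefault(origin, secrets.token_hex(16))

    def client_data(self, origin: str, challenge: str, bind_channel: bool) -> bytes:
        data = {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}
        if bind_channel:
            data["cid_pubkey"] = self.channel_id(origin)
        return json.dumps(data, sort_keys=True).encode()


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._keys: Dict[str, bytes] = {}
        self._pending: set = set()

    def register(self, handle: str, key: bytes) -> None:
        self._keys[handle] = key

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self._pending.add(c)
        return c

    def verify(self, handle: str, client_data: bytes, signature: bytes,
               tls_channel_id: str) -> Tuple[bool, str]:
        cd = json.loads(client_data)
        if cd.get("challenge") not in self._pending:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: " + str(cd.get("origin"))
        if "cid_pubkey" in cd and cd["cid_pubkey"] != tls_channel_id:
            return False, "channel id mismatch: assertion arrived over a different TLS connection"
        expected = hmac.new(self._keys[handle], client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self._pending.discard(cd["challenge"])
        return True, "ok"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Four logins with the same key; only the origin the browser sees and the TLS
    connection the RP sees differ. A relay forwards the RP's challenge unchanged."""
    auth, browser, rp = Authenticator(), Browser(), RelyingParty(RP_ORIGIN)
    handle, key = auth.register()
    rp.register(handle, key)
    relay_channel = secrets.token_hex(16)  # a relay's own TLS connection to the RP

    def attempt(page_origin: str, rp_sees_channel: str, bind_channel: bool):
        cd = browser.client_data(page_origin, rp.challenge(), bind_channel)
        return rp.verify(handle, cd, auth.sign(handle, cd), rp_sees_channel)

    return {
        "direct": attempt(RP_ORIGIN, browser.channel_id(RP_ORIGIN), True),
        "relay_on_other_domain": attempt(PHISH_ORIGIN, relay_channel, True),
        "misissued_cert_no_channelid": attempt(RP_ORIGIN, relay_channel, False),
        "misissued_cert_with_channelid": attempt(RP_ORIGIN, relay_channel, True),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:32} accepted={ok}  ({why})")
```

Reading the four results together: the relay on its own domain fails on the origin field alone, which is why a relayed TOTP code works but a relayed U2F assertion does not. With a certificate that lets the relay present itself as `bank.example`, the origin check passes and only the channel binding (the `cid_pubkey` comparison, skipped when the browser does not support it) distinguishes the relay's TLS session from the user's, which is exactly the downgrade-plus-CA combination the Stack Exchange discussion describes.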
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, so the attacker still needs to lure the victim onto the phishing site? To be honest, I'm surprised this stuff is new, because I always thought that banking trojans worked in the same way. With the difference that they take control of the PC, and are able to manipulate the browser. So the user logs in with username and password and OTP, and the hacker records this stuff via the trojan. But, I assume this stuff doesn't work if the online bank requires a one time password for every transaction.
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  24. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Minimalist, that was a really nice read! I switched my Google stuff over to their "Advanced Protection" mode quite a while ago. If I lose my (both of them actually) security key there will be NO access. All recovery modes other than U2F keys are disabled by Google. I wish I had the same level of protection on every site I go to, even this one! I cannot stress how important it is in understanding how this ELIMINATES all phishing possibilities. The bad guys are getting so good at making users think they are logging into the actual site but in fact it's an imposter.
     