Trouble in Paradise as Cyber Attackers Circumvent 2FA

Discussion in 'privacy technology' started by ronjor, Sep 14, 2017.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    67,548
    Location:
    Texas
    By Markus Jakobsson on September 14, 2017
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,690
    Location:
    UK
    Not all 2FA is equal. Everyone knows SMS (and biometrics) is a disaster area.

    Yet the adoption of the cheap and relatively privacy friendly U2F dongle (Fido, which is not just Google), has been glacial in the market. And the reason for this is that the corporates desperately want your mobile phone number and hopefully face-print and finger-print, because they then "have" you. With a U2F dongle they don't - who cares that their schemes are inadequate because they don't get hit with sufficient liability claims.
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,804
    When you turn a new iphone on for the first time it is like being arrested.
    Put your thumb here. Turn your thumb this way turn your thumb that way.
    Hold the phone while it takes your picture.
    Speak this phrase into the phone so it can collect your voice sample.
    Its almost funny, but not.
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,113

    U2F all the way!
     
  5. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,879
    Location:
    US
    I use Yubikey.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,313
    Location:
    .
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,127
    Location:
    The Netherlands
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    Cracking 2FA: How It's Done and How to Stay Safe
    Two-factor authentication is a common best security practice but not ironclad. Here's how it can be bypassed, and how you can improve security.
    May 17, 2018

    https://www.darkreading.com/endpoint/cracking-2fa-how-its-done-and-how-to-stay-safe/d/d-id/1331835
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    Amnesty International reveals how 2FA is being bypassed automatically
    December 20, 2018
    https://www.theinquirer.net/inquire...veals-how-2fa-is-being-bypassed-automatically
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,690
    Location:
    UK
    The routine cracking of SMS and TOTP codes is unfortunately illustrative of the problem with the "low-hanging fruit" argument. Due to the industrialisation of attack tools by LE and others, one can no longer assume that middle-level precautions will be any better than none against these adversaries.

    It makes the pathetic adoption of U2F, and the additional confusion of Webauthn (virtually unsupported by websites currently), exceptionally annoying. We know how to do it better, but it's not happening (which I suspect is because of its effectiveness against both mitm and privacy attacks).
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,113
    First of all the TOTP codes should never be sent to you, ever. In the case mentioned above the hackers would have access to such an account ONCE since any subsequent logins would require a different TOTP code, which they could NOT generate. That is unless you once again fell prey to their MITM fake site. SMS while better than nothing is very weak because it requires a transmission to the user, which can be picked off in transit. As DeBoetie mentioned U2F is the current way to go. I use it on almost all my real name accounts OR I move/cancel where I can to setup accounts that have U2F. Plain and simple, you can't get U2F universally but if a competitor offers it and you don't, well I am gone!
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    New tool automates phishing attacks that bypass 2FA
    January 9, 2019
    https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,127
    Location:
    The Netherlands
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    Injecting of code isn't needed. A token which has been entered on the phishing domain is intercepted and the attacker can use it.
    (of course credentials will also be intercepted)
    The attack is ineffective against hardware security keys.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,127
    Location:
    The Netherlands
    Yes, but this tool still needs to run on the attacked machine right? So if it doesn't need to inject code, it will still need to be in control of network connections, so shouldn't a firewall be able to block it? Weird that they never mention this kind of stuff.
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    No, it doesn't need to be run on the attacked machine, it doesn't work that way.

    Victims are connecting to the (prepared from the attacker) modlishka server (which is hosting the phishing domain).
    The attacker can login to the modlishka backend panel and is able to see all collected credentials.
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    Yet Another Bypass: Is 2FA Broken? Authentication Experts Weigh In
    January 11, 2019
    https://threatpost.com/2fa-broken-authentication/140776/
     
  18. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,113
    Interesting reading. Once again we need to "emphasize" that U2F remains untouchable, which is the only solid 2FA approach.
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,690
    Location:
    UK
    Untouchable is perhaps a bit strong! It is still possible to MiTM if you have a valid CA cert, and if ChannelIDs are not supported by the browser.

    The more annoying aspect is the dearth of browsers and sites supporting U2F keys; and now, we have the dismal prospect of waiting till Fido2 and Webauthn is ratified and tested and implements (dodgy ECC and all), till anyone else will likely support it. And hope that the backwards compatibility with Fido 1 actually works. And hope that there's an implementation of nfc-based hardware token authentication on smartphones - not the rubbish biometric stuff they foist on an unsuspecting public.

    Me? I think it's absurd this is not yet fixed and implemented. It's not primarily a technical or cost-to-implement problem, it reflects the lack of power and protection of consumers from the privacy destroying corporates and websites.
     
  20. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,113
    I actually use that with my Android, but the sites that support that process are so limited.

    deBoetie, do you have a link leading to a valid MITM where a user such as myself is using full blown U2F elements? I am not visualizing how that is possible.
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,690
    Location:
    UK
    I'm not aware of Android allowing authentication to the phone itself using an nfc key - I thought both Android and ios were both resolutely biometric + pin. Of course, authentication to different websites can be done on Android with nfc token which is great.

    The discussion which described a MiTM with U2F was:

    https://security.stackexchange.com/questions/157756/mitm-attacks-on-fido-uaf-and-u2f

    This relies on a) getting a valid but dodgy CA, and b) downgrading ChannelID. Quite feasible for a nation state. Of course this is nearly 2 years ago, and who knows what's changed since, and whether Webauthn will be better or worse.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.