SoylentNews is people

posted by martyb on Monday August 20 2018, @04:36PM
from the something-only-YOU-have-know-are dept.

Submitted via IRC for Fnord666

If hackers can convince your phone company to turn over your number to them, they can defeat two-factor authentication that relies on text messaging.

Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company’s negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He’s also seeking punitive damages.

Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin.

The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.

Source: https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft


This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Insightful) by AndyTheAbsurd on Monday August 20 2018, @04:53PM (6 children)

    by AndyTheAbsurd (3958) on Monday August 20 2018, @04:53PM (#723822) Journal

    This is why you should use hash-based message authentication codes (HMAC); and preferably HMAC-based one time pads.

    These do require the sharing of a secret key, but it only needs to be shared once per device that will be generating one-time passwords, limiting the attack vectors.

    Doing "two-factor authentication" via something so easily socially-engineered as a phone (even a text message) just seems...I don't know...sketchy?

    --
    Please note my username before responding. You may have been trolled.
  • (Score: 2) by Thexalon on Monday August 20 2018, @05:13PM (3 children)

    by Thexalon (636) on Monday August 20 2018, @05:13PM (#723828)

    Doing "two-factor authentication" via something so easily socially-engineered as a phone (even a text message) just seems...I don't know...sketchy?

    It's an improvement over not doing any alternate verification at all. For instance, the Clinton 2016 campaign probably really wishes they had had even the text-message-based 2-factor authentication, because their staff's passwords were compromised via a spearphishing attack which wouldn't have worked had the text-message-code requirement been in place.

    A much better solution is a hardware keyfob device, e.g. SecurID [rsa.com], where the code is changing every minute or so and in order to log in you need both that code and the user-generated password, and the system doesn't make it obvious to someone who wasn't told how to combine the password and the keyfob code. An intercepted or captured password still doesn't get you in, and it's relatively easy to replace a missing keyfob. It would of course get really inconvenient to have a separate keyfob for every single thing you need to be able to log into, though.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 0) by Anonymous Coward on Monday August 20 2018, @05:28PM

      by Anonymous Coward on Monday August 20 2018, @05:28PM (#723835)

It took a pretty spectacular, but ultimately rather basic, hack to own SecurID. Are there any tokens around that do not need below mentioned gatekeeper scum to operate?

    • (Score: 3, Informative) by nitehawk214 on Monday August 20 2018, @06:06PM

      by nitehawk214 (1304) on Monday August 20 2018, @06:06PM (#723854)

      I have always considered email or phone-based two-factor as "fake two-factor" authentication. It relies on something you know (your password) and something else you know (your phone password or your email address password).

      A phone does not count as "something you have", as messages sent to it can be redirected pretty easily.

      http://thedailywtf.com/articles/WTF-Factor-Authentication [thedailywtf.com]

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 2) by legont on Tuesday August 21 2018, @01:24AM

      by legont (4179) on Tuesday August 21 2018, @01:24AM (#724006)
      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 3, Informative) by KiloByte on Monday August 20 2018, @05:28PM (1 child)

    by KiloByte (375) on Monday August 20 2018, @05:28PM (#723836)

    Doing "two-factor authentication" via something so easily socially-engineered as a phone (even a text message) just seems...I don't know...sketchy?

    The guy had multiple extra layers of protection above that. And, as even the summary states:

    The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.

    So AT&T ignored all the specifically requested and enabled protections, just because some random punk without any proof of identity came into a store, in a different state.

    --
    Ceterum censeo systemd esse delendam.
    • (Score: 0) by Anonymous Coward on Monday August 20 2018, @07:03PM

      by Anonymous Coward on Monday August 20 2018, @07:03PM (#723872)

      So AT&T ignored all the specifically requested and enabled protections, just because some random punk without any proof of identity came into a store, in a different state.

      And how do you know that? Maybe he already had multiple IDs? It only says no "scannable ID", but it doesn't mean no ID.