Old 6 Jan 2019, 11:12 AM   #23
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Check this out... Hackers targeting journalists, including those using 2FA (which is simple 2-factor authentication -- i.e. authenticator codes)...

https://mashable.com/article/hackers.../#K6LfewCAGOql

The group also investigated how the hackers were creating their phishing schemes and noticed that the mysterious group accidentally made public an online directory they were using to host their attacks. The information revealed the hackers were using web application testing tools to automate the phishing process.

"Essentially, they built an 'auto-pilot' system that would launch Chrome and use it [to] automatically submit the login details phished from the user to the targeted service, including two-step verification codes sent for example via SMS," said Claudio Guarnieri, a technologist at Amnesty, in a tweet.

The hackers' automated process is important because it lets them input the special one-time passcode into the real Google or Yahoo login page, before the time limit on the passcode runs out.

Typically those concerned about getting 2FA codes via SMS can also do so via an authenticator app, which serves up codes that change every few seconds. Amnesty did not immediately respond to PCMag's request for comment about whether this affects such apps, but a technologist there told Motherboard that "the same approach could potentially be used to phish codes from a 2FA app such as Google Authenticator."

If you have extra money to spend, you can also invest in a security key to protect your online accounts. They work by substituting the two-factor authentication process with a hardware-based device, which needs to be inserted into your PC to log into the protected account. The big plus of a security key is that it's pretty hard for a hacker to steal; to do so, the attacker has to personally come and physically take it from you.

You can learn more about how they work here. Unfortunately, one key can cost between $25 and $50. Not every online service supports them either. But you can use them to protect your accounts on Google, Facebook, Dropbox, and Twitter.
Yes, U2F, FIDO was designed to thwart this kind of attack...
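As an added example (not part of the post or the article it quotes), here is a small Python model of why the relay described above works against time-based codes but not against an origin-bound U2F/FIDO assertion. The secrets, origins and challenge are constructed, and a keyed MAC stands in for the authenticator's private-key signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30  # seconds per code, as in Google Authenticator


def totp(secret: bytes, at: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_accepts(secret: bytes, code: str, now: float, skew: int = 1) -> bool:
    """Server-side check: current step plus/minus `skew` steps. The code says nothing
    about who typed it or on which site, so a code phished from the user and relayed
    inside the window looks exactly like the user's own submission."""
    return any(hmac.compare_digest(totp(secret, now + i * TOTP_STEP), code)
               for i in range(-skew, skew + 1))


# FIDO-style assertion, simplified: the browser (not the page) records the origin
# it is really on, and the authenticator signs over challenge + origin.
# Assumption: HMAC stands in for the asymmetric signature real FIDO uses.
def authenticator_sign(cred_secret: bytes, challenge: bytes, origin: str) -> bytes:
    return hmac.new(cred_secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def rp_verify(cred_secret: bytes, challenge: bytes, claimed_origin: str,
              signature: bytes, expected_origin: str) -> bool:
    """Relying party: origin must be ours, and the signature must cover that origin."""
    if claimed_origin != expected_origin:
        return False
    expected = authenticator_sign(cred_secret, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


def relay_demo(now: float):
    """Constructed scenario; returns (totp_relay_accepted, fido_relay_accepted)."""
    seed = b"constructed-shared-secret"
    code = totp(seed, now)                       # victim reads code off the app
    totp_ok = totp_accepts(seed, code, now + 20)  # relayed 20 s later: still valid

    cred = b"constructed-credential-secret"
    real, fake = "https://accounts.google.com", "https://accounts-google.example"
    challenge = b"constructed-rp-challenge"      # forwarded by the fake site
    sig = authenticator_sign(cred, challenge, fake)  # browser binds the fake origin
    # Even if the relay claims the real origin, the signature covers the fake one.
    fido_ok = rp_verify(cred, challenge, real, sig, real)
    return totp_ok, fido_ok
```

`relay_demo` returns `(True, False)`: the relayed TOTP code is accepted, the relayed assertion is rejected.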