EmailDiscussions.com  


Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.

2 Jul 2017, 09:32 PM   #1
gecko
Senior Member
Join Date: Feb 2010
Posts: 107
Security considerations

To avoid misunderstandings -- I greatly appreciate the efforts Runbox has undertaken to deliver the current 2FA implementation and I am sure the current 2FA is of huge value.

However, the security part of my brain is always thinking some steps ahead. While the current implementation certainly protects against non-targeted password theft (e.g. when logging in from a compromised public computer), I can see a couple of more sophisticated attack scenarios in which the current 2FA is ineffective.

IMHO, the main threat is that an attacker has control over the computer or the browser in real time while one is reading their email via the web interface. This could for instance very well be the case in cyber cafes. In this case we would have to assume that the password has already been compromised. Then e.g. the following could happen if the attacker was able to take over your session:

1) Set up email forwarding to an account controlled by the attacker.

2) Create a new method for 2FA, e.g. a new OTP start code / TOTP list, thus allowing the attacker to log in at his discretion and locking the owner out of his account.

While the latter would be immediately detected when the legitimate account owner tries to log into his account the next time, the former might go undetected for a long time.

As an effective way to counteract these threats, security-related settings could be secured by having to enter another (T)OTP for them to become effective. Not sure how easy this is to implement.

BR,
gecko

Last edited by gecko : 2 Jul 2017 at 09:35 PM. Reason: Minor changes
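The step-up check proposed in the post, as an added example that is not part of the original thread and not Runbox's code: a stdlib-only RFC 6238 TOTP verifier and a gate that refuses the two settings changes named above (mail forwarding, enrolling another 2FA method) unless the session has presented a fresh one-time code, independent of the code used at login. `Account`, `Session`, `require_step_up`, the 60-second freshness window and the test secret (the RFC 4226 vector `12345678901234567890`) are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Added example, not Runbox code: RFC 6238 TOTP verification plus a "step-up"
# gate so that security-sensitive settings changes need a fresh one-time code
# even from an already logged-in (possibly hijacked) session. All names are illustrative.

TOTP_STEP = 30      # seconds per TOTP time step
TOTP_DIGITS = 6
ALLOWED_DRIFT = 1   # accept one step of clock skew either side
STEP_UP_TTL = 60    # seconds a fresh OTP authorises sensitive changes

def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // TOTP_STEP)

class StepUpRequired(Exception):
    """A sensitive action was attempted without a fresh OTP."""

class Account:
    def __init__(self, totp_secret: bytes):
        self.totp_secrets = [totp_secret]  # enrolled 2FA methods
        self.forward_to = None
        self.last_used_counter = -1        # replay guard (RFC 4226 section 7.2)

    def verify_totp(self, code: str, now: int) -> bool:
        """Accept a code for the current step +/- ALLOWED_DRIFT, each step once."""
        counter = now // TOTP_STEP
        for c in range(counter - ALLOWED_DRIFT, counter + ALLOWED_DRIFT + 1):
            if c <= self.last_used_counter:
                continue  # already consumed: a shoulder-surfed code cannot be replayed
            for secret in self.totp_secrets:
                if hmac.compare_digest(hotp(secret, c), code):
                    self.last_used_counter = c
                    return True
        return False

class Session:
    def __init__(self, account: Account):
        self.account = account
        self.step_up_at = None  # time of the last fresh OTP, if any

    def step_up(self, code: str, now: int) -> bool:
        if self.account.verify_totp(code, now):
            self.step_up_at = now
            return True
        return False

    def has_fresh_step_up(self, now: int) -> bool:
        return self.step_up_at is not None and now - self.step_up_at <= STEP_UP_TTL

def require_step_up(action):
    """Refuse the change unless the session holds a fresh OTP, so a hijacked
    session alone (password plus login-time 2FA) is not enough."""
    def wrapper(session: Session, now: int, *args):
        if not session.has_fresh_step_up(now):
            raise StepUpRequired(action.__name__)
        return action(session, now, *args)
    return wrapper

@require_step_up
def set_forwarding(session: Session, now: int, address: str) -> str:
    session.account.forward_to = address
    return address

@require_step_up
def enroll_totp_method(session: Session, now: int, secret: bytes) -> int:
    session.account.totp_secrets.append(secret)
    return len(session.account.totp_secrets)

def attempt(action, *args) -> str:
    try:
        action(*args)
        return "allowed"
    except StepUpRequired:
        return "blocked"

def demo() -> dict:
    """Walk through the post's scenarios with a constructed account and clock."""
    secret = b"12345678901234567890"  # constructed: the RFC 4226 test secret
    acct, now = Account(secret), 1_700_000_000
    hijacked = Session(acct)  # victim logged in; the attacker now drives this session
    r = {"forward_without_step_up": attempt(set_forwarding, hijacked, now, "attacker@example.invalid")}
    code = totp(secret, now)  # the owner types a fresh code at the step-up prompt
    r["owner_step_up"] = hijacked.step_up(code, now)
    r["forward_with_step_up"] = set_forwarding(hijacked, now, "me@example.invalid")
    # The attacker who saw that code replays it from another session: rejected.
    r["replay_step_up"] = Session(acct).step_up(code, now + 5)
    # Past STEP_UP_TTL even the owner's session must present a new code.
    r["enroll_after_expiry"] = attempt(enroll_totp_method, hijacked, now + 120, b"\x00" * 10)
    return r
```

Two design points worth noting. The replay guard (`last_used_counter`) is what stops a code the attacker merely watched being typed from being reused in the same 30-second step; without it, step-up adds little against the cyber-cafe attacker. And step-up is still not a complete answer to an attacker controlling the browser in real time: once the owner has entered a code, that session can perform sensitive changes for the rest of `STEP_UP_TTL`, so the window should be short, the confirmation should be bound to the specific change (the exact forwarding address shown at the prompt), and the change should be notified out of band.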

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy