101010.pl

Erik van Straten<a href="https://mastodon.laurenweinstein.org/@lauren" class="u-url mention" rel="nofollow noopener" target="_blank">@lauren</a> : in 2020 I wrote a "Secure SMS 2FA Proposal" (<a href="https://security.nl/posting/638976" rel="nofollow noopener" translate="no" target="_blank">https://security.nl/posting/638976</a>) - there's English and Dutch text.The main idea is for the recipient to modify the received code using a shared secret, before entering it as the second factor.Of course weak 2FA (without E2EE channel binding) is not phishing proof, but my proposal should prevent successful SIM-swap attacks (and redirecting calls and messages by manipulating the telco backbone as shown in <a href="https://www.youtube.com/watch?v=wVyu7NB7W6Y" rel="nofollow noopener" translate="no" target="_blank">https://www.youtube.com/watch?v=wVyu7NB7W6Y</a>).I cannot change anything in those postings anymore (and I'm in no way related to security.nl apart from being a regular -unpaid- contributor).Feel free to pass this idea to your contacts at Google as an alternative to QR-codes - from which I fail to understand how they'd improve security. In fact, the unprotected channel from screen with QR-code to the camera recording it, allows for all kinds of (AitM) phishing attacks.<a href="https://sfba.social/@not2b" class="u-url mention" rel="nofollow noopener" target="_blank">@not2b</a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SMS</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weak2FA</a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/NotPhishingResistant" class="mention hashtag" rel="nofollow noopener" target="_blank">#NotPhishingResistant</a>

Erik van Straten<a href="https://infosec.exchange/@patrickcmiller" class="u-url mention" rel="nofollow noopener" target="_blank">@patrickcmiller</a> : oops, from <a href="https://www.csoonline.com/article/3810936/us-takes-aim-at-healthcare-cybersecurity-with-proposed-hipaa-changes.html" rel="nofollow noopener" translate="no" target="_blank">https://www.csoonline.com/article/3810936/us-takes-aim-at-healthcare-cybersecurity-with-proposed-hipaa-changes.html</a>:"the rollout of multi-factor authentication as a defense against phishing"What part of <a href="https://infosec.exchange/tags/Evil" class="mention hashtag" rel="nofollow noopener" target="_blank">#Evil</a> <a href="https://infosec.exchange/tags/Proxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Proxy</a> do these people not understand?<a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a> <a href="https://infosec.exchange/tags/EvilGinx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilGinx2</a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weak2FA</a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/TwoStepVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#TwoStepVerification</a> <a href="https://infosec.exchange/tags/FakeWebsite" class="mention hashtag" rel="nofollow noopener" target="_blank">#FakeWebsite</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a>

Erik van Straten<a href="https://infosec.exchange/@_r_netsec" class="u-url mention" rel="nofollow noopener" target="_blank">@_r_netsec</a> : Alex Weinert (Identity Security VP at Microsoft) already knew about this in 2019.His recommendation: just keep using Microsoft Authenticator...<a href="https://infosec.exchange/tags/MicrosoftAuthenticator" class="mention hashtag" rel="nofollow noopener" target="_blank">#MicrosoftAuthenticator</a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#Evilginx2</a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weak2FA</a> <a href="https://infosec.exchange/tags/NumberMatching" class="mention hashtag" rel="nofollow noopener" target="_blank">#NumberMatching</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/AuthenticatorApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#AuthenticatorApps</a> <a href="https://infosec.exchange/tags/MissingDomainNameCheck" class="mention hashtag" rel="nofollow noopener" target="_blank">#MissingDomainNameCheck</a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakAuthentication</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a>

Erik van Straten<a href="https://infosec.exchange/@adamshostack" class="u-url mention" rel="nofollow noopener" target="_blank">@adamshostack</a> : not taking into account that I strongly advise against using weak MFA (because it it not phishing-resistant and comes with a lot of disadvantages "security experts" want nobody to know about):yes.See <a href="https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass" rel="nofollow noopener" translate="no" target="_blank">https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass</a> (yesterday). Source: <a href="https://infosec.exchange/@AAKL/113634744971043868" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@AAKL/113634744971043868</a>In short (if I understand correctly) Microsoft's servers would accept codes in a time window for upto 3 minutes. This enabled the researchers to conduct a brute force attack.<a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weak2FA</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SMS</a> <a href="https://infosec.exchange/tags/Voice" class="mention hashtag" rel="nofollow noopener" target="_blank">#Voice</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#Evilginx2</a>

Erik van Straten<a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@GossiTheDog</a> : it's not the lack of MFA that is the problem.Problem 1) is that a SPOF (*) is permitted access to data of millions (either directly or indirectly). This risk includes compromise of client devices.2) Weak MFA (+) does not prevent these attacks, because the SPOF may be phished into entering their credentials in a third party page that imitates the intended Citrix Netscaler.Please do not promote a flawed fix for bad passwords (2019: <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124" rel="nofollow noopener" translate="no" target="_blank">https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124</a>).(*) Single Point Of Failure(+) SMS, Voice, TOTP, Number Matchting, Location<a href="https://infosec.exchange/tags/AllYourCredsAreBelongToUs" class="mention hashtag" rel="nofollow noopener" target="_blank">#AllYourCredsAreBelongToUs</a> <a href="https://infosec.exchange/tags/MFAHadFailed" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFAHadFailed</a> <a href="https://infosec.exchange/tags/AlexWeinert" class="mention hashtag" rel="nofollow noopener" target="_blank">#AlexWeinert</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/NumberMatching" class="mention hashtag" rel="nofollow noopener" target="_blank">#NumberMatching</a> <a href="https://infosec.exchange/tags/AlexWeinert" class="mention hashtag" rel="nofollow noopener" target="_blank">#AlexWeinert</a> <a href="https://infosec.exchange/tags/Weinert" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weinert</a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SMS</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/EvilGinx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilGinx2</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a>

Erik van StratenEven more secure, use a password manager (*) that recognizes the domain name of the current website, and proposes credentials associated with that domain name (see the screenshot below for Android).(*) On Android, iOS and iPadOS helped by the "Autofill" OS functionality.In addition:• Check by yourself that the connection uses https before you log in.• If your password manager does *not* propose credentials for a website that *looks* like the one you have an account on: it probably is a phishing website. Do *not* search the password manager's database, and in any case: do *not* log in (here's why: <a href="https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/</a>).• Make backups (preferably offline too) of the password manager's database (regularly and/or after each modification).• As Ian said, let the password manager generate a long random password for each account.Note to <a href="https://eupolicy.social/@1br0wn" class="u-url mention" rel="nofollow noopener" target="_blank">@1br0wn</a> <a href="https://infosec.exchange/@RGB_Lights" class="u-url mention" rel="nofollow noopener" target="_blank">@RGB_Lights</a> : MFA using SMS is too vulnerable for various attacks, and an authenticator app effectively *is* a password manager - but typically incapable of checking domain names, and possibly with a broken or insecure backup strategy.<a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passwords</a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#PasswordManager</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/CheckDomainName" class="mention hashtag" rel="nofollow noopener" target="_blank">#CheckDomainName</a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weak2FA</a>

Erik van Straten<a href="https://xn--8r9a.com/@north" class="u-url mention" rel="nofollow noopener" target="_blank">@north</a> : SMS *is* 2FA, albeit weak.The problem with "something you know, are, or have" is that users are never told that it is essential that each factor used cannot be easily copied, stolen, guessed etc. or temporarily fall into the wrong hands (literally in this case).Another problem is that if you loose a factor, you may no longer have access to your account.So each factor must be strong, carefully kept secret and needs to be backupped. These are extreme requirements that nobody wants (you) to understand.P.S. both iPhones and Android phones can be configured to *not* show SMS texts (and most other possibly confidential information) on their screen when locked.P.P.S. Unlocked phones are vulnerable to Time Traveler TOTP attacks. An attacker with temporary access to an unlocked phone may change the system date/time to the future, read a TOTP code for a website, and restore correct system time. When the future arrives they can use your TOTP code at their leisure on their own device to log in to your account, and reuse it (within 30 sec.) if required to pwn your account.P.P.P.S. Weak 2FA/MFA does not prevent AitM (Attacker in the Middle) phishing attacks if the AitM uses Evilginx2 or some other "evil proxy" website.2019 "MFA had failed" (by Alex Weinert, Director of Identity Security at Microsoft) <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124" rel="nofollow noopener" translate="no" target="_blank">https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124</a><a href="https://infosec.exchange/@acut3hack" class="u-url mention" rel="nofollow noopener" target="_blank">@acut3hack</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SMS</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weak2FA</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#Evilginx2</a> <a href="https://infosec.exchange/tags/TimeTravelerAttacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#TimeTravelerAttacks</a> <a href="https://infosec.exchange/tags/TimeTravelAttacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#TimeTravelAttacks</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a>

Recent searches

Search options

Administered by:

Server stats:

#weakmfa