This Week in Security: Phreaking for Fun and Profit; Leaky Software

Phreaking for Fun and Profit – Two-Factor Auth or Single Factor Betrayal?

In another tale of vulnerable authentication schemes, researchers at Positive Technologies demonstrated how to steal Bitcoins from Coinbase accounts due to a weak password recovery mechanism.

The attack begins by taking over the user’s Gmail account via the password reset mechanism, which relies on a one-time code sent via SMS to the victim’s cellphone. However, due to weaknesses in the underlying telecommunications network known as Signaling System 7 (SS7), attackers can intercept SMS messages for specific phone numbers.

With the one-time code in hand, the attacker resets the victim’s password and gains access to the user’s inbox. From there, the same password reset mechanism at Coinbase sends a URL to the controlled inbox, allowing the attacker to reset the victim’s Coinbase password, take full control and transfer Bitcoins out of the victim’s wallet.

That’s not to say you should run out and disable all of your SMS-based 2-factor authentication (2FA), but you should be aware that the security provided by SMS-based 2FA is much weaker than a 2FA token generated locally on a dedicated device or smartphone.

Poorly designed password reset mechanisms that rely only on the 2FA token betray the user’s trust in security. It’s a violation of the name since the second factor becomes the singular primary factor for authenticating a user in a password reset scenario. 2FA is supposed to provide an additional layer of protection, not serve as a backdoor.

Additionally, the monstrous hash dump released by Troy Hunt earlier this year has almost been fully cracked with 99.42% of the hashes cracked according to the shared community password recovery site,

As always, you can protect yourself with the following recommendations:

  • Using a password manager to generate and store strong passwords
  • (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog