two factor authentication – Page 2

GitHub rolling out two-factor authentication to millions of users

Posted on March 10, 2023 by Karl Greenberg

Over the next nine months, the largest internet hosting service for software development and collaboration will make all code contributors add another layer of electronic evidence to their accounts.
The post GitHub rolling out two-factor authentication… Continue reading GitHub rolling out two-factor authentication to millions of users→

Failures in Twitter’s Two-Factor Authentication System

Posted on November 17, 2022 by Bruce Schneier

Twitter is having intermittent problems with its two-factor authentication system:

Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twitter laid off about half of its workers…

Continue reading Failures in Twitter’s Two-Factor Authentication System→

Defeating Phishing-Resistant Multifactor Authentication

Posted on November 9, 2022 by Bruce Schneier

CISA is now pushing phishing-resistant multifactor authentication.
Roger Grimes has an excellent post reminding everyone that “phishing-resistant” is not “phishing proof,” and that everyone needs to stop pretending otherwise. Hi… Continue reading Defeating Phishing-Resistant Multifactor Authentication→

Tech news you may have missed: Sept. 22 – 29

Posted on September 29, 2022 by Tamara Scott

Malicious 2FA attacks, account takeovers on the rise and how to dictate text on your iPhone lead this week’s tech news.
The post Tech news you may have missed: Sept. 22 – 29 appeared first on TechRepublic.
Continue reading Tech news you may have missed: Sept. 22 – 29→

Uber exposes Lapsus$ extortion group for security breach

Posted on September 20, 2022 by Lance Whitney

In last week’s security breach against Uber, the attackers downloaded internal messages from Slack as well as information from a tool used to manage invoices.
The post Uber exposes Lapsus$ extortion group for security breach appeared first on TechRepub… Continue reading Uber exposes Lapsus$ extortion group for security breach→

Credit Card Fraud That Bypasses 2FA

Posted on September 20, 2022 by Bruce Schneier

Someone in the UK is stealing smartphones and credit cards from people who have stored them in gym lockers, and is using the two items in combination to commit fraud:

Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. And bank cards can be stopped.

But the thief has a method which circumnavigates those basic safety protocols.

Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded…

Continue reading Credit Card Fraud That Bypasses 2FA→

Man-in-the-Middle Phishing Attack

Posted on August 25, 2022 by Bruce Schneier

Here’s a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication:

Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real server’s response back to the user. Once the authentication was completed, the threat actor stole the session cookie the legitimate site sent, so the user doesn’t need to be reauthenticated at every new page visited. The campaign began with a phishing email with an HTML attachment leading to the proxy server…

Continue reading Man-in-the-Middle Phishing Attack→

When Security Locks You Out of Everything

Posted on June 28, 2022 by Bruce Schneier

Thought experiment story of someone who lost everything in a house fire, and now can’t log into anything:

But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in—you guessed it—my Password Manager.

I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.

It’s a one-in-a-million story, and one that’s hard to take into account in system design.

This is where we reach the limits of the “Code Is Law” movement…

Continue reading When Security Locks You Out of Everything→

GitHub to Require All Code Contributors to Enable 2FA by Late 2023

Posted on May 5, 2022 by Rabia Noureen

Microsoft is planning to make some changes to the existing… Continue reading GitHub to Require All Code Contributors to Enable 2FA by Late 2023→

Bypassing Two-Factor Authentication

Posted on April 1, 2022 by Bruce Schneier

These techniques are not new, but they’re increasingly popular:

…some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

[…]

Methods include:

Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
…

Continue reading Bypassing Two-Factor Authentication→