From the NY Times:
Here’s how two-factor authentication is supposed to work: You log in to your bank account or email inbox, and after correctly entering your password, you are prompted to confirm the login through an app on your cellphone, a one-time code sent to you via text message or email, a physical YubiKey device or even a phone call. That app, text message, email, YubiKey or phone call is your “second factor,” intended to ensure that even if the person trying to log in isn’t really you, he or she still can’t gain access to your accounts without access to your phone or YubiKey.
You might find two-factor authentication mildly irritating, and there’s a chance you might not even notice the extra step in the login process anymore. Regardless, you probably feel a certain comfort in the idea that at least your money or your inbox is well protected. But like so many other commonly accepted best practices in computer security, we actually know very little about how well two-factor authentication works.
In December, Amnesty International released a report describing an easy-to-apply technique being used to compromise accounts protected by two-factor authentication. The hackers whom Amnesty International investigated, who were targeting accounts belonging to individuals in the Middle East and North Africa, set up phishing pages that captured not only users’ passwords but also the one-time authentication codes generated by their two-factor services.
Setting up phishing websites that look like the login pages for well-known web services is a common way to steal passwords online. Here’s the way it works: Someone designs a website that looks almost exactly like Bank of America’s website and then emails you a message, purporting to be from Bank of America, warning you that your account is about to expire, or your information needs to be updated, and directing you to a fake site where you believe you’re logging into your bank account but instead are just typing your password into a website owned by scammers.
This type of phishing is precisely the kind of threat that two-factor authentication is supposed to protect you against. Unlike so-called dictionary attacks — in which hackers try to guess your password by running through a dictionary of possible choices — forcing people to develop more complicated or longer passwords (a minimum of eight characters with uppercase and lowercase letters, and at least one symbol and one number) does not help at all when someone steals your password via phishing. So the password-complexity requirements that have reigned as a common (and irritating) best practice in every workplace for years are increasingly supplemented by two-factor authentication, to protect you against both dictionary attacks and phishing attacks.
But it turns out that the one-time codes generated by people’s smartphones or sent via text message and email can also be phished. If you’re the hacker, all it takes is adding a component to your fake Bank of America website so that after you prompt someone for his password, you try to log in to his real Bank of America account using the password he has just provided, triggering a second-factor alert that doesn’t alarm him because he thinks he’s signing into Bank of America too. Then, on your fake phishing site, you prompt him to enter his second-factor code and use it to complete the login...
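As an added illustration (not from the Times piece or the Amnesty report), the following Python shows what a server's time-based one-time-code check actually tests, and therefore why a code typed into a fake site still passes when it is relayed to the real one within the code's acceptance window. The secret is the RFC 4226/6238 test-vector secret and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226/6238 test-vector secret ("12345678901234567890" in base32), not a real key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(base64.b32decode(secret_b32), unix_time // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check as commonly implemented: accept the current step plus
    skew_steps neighbouring steps to tolerate clock drift. Nothing here binds the
    code to who submits it or from where, which is why a relayed code is accepted."""
    secret = base64.b32decode(secret_b32)
    step = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, step + d), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )


def relay_window_demo() -> dict:
    """Lifetime of a code captured at t0 (constructed, aligned to a step start)
    when it is submitted by a different party some seconds later."""
    t0 = 1_700_000_010  # 56666667 * 30, i.e. the first second of a step
    captured = totp(DEMO_SECRET_B32, t0)
    return {
        "10s_later": verify_totp(DEMO_SECRET_B32, captured, t0 + 10),
        "40s_later_default_skew": verify_totp(DEMO_SECRET_B32, captured, t0 + 40),
        "40s_later_no_skew": verify_totp(DEMO_SECRET_B32, captured, t0 + 40, skew_steps=0),
        "70s_later": verify_totp(DEMO_SECRET_B32, captured, t0 + 70),
    }
```

The defender-side lesson is in the last three entries: the usual one-step skew allowance stretches a captured code's usefulness to roughly a minute, and only a factor that is bound to the site being visited (rather than a bare code) closes the relay entirely.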