Topic # 242550 3-Nov-2018 09:21

Two-factor authentication is meant to keep the bad guys out... but does it?

Take a G-Suite login process for example... what if:

  • Google user enters Gmail username gullible and password 1234 into the bad-guy website
  • bad-guy uses these credentials to log into Google, gets prompted for a text code, and passes this request on to gullible
  • gullible enters the text code onto the bad-guy website
  • bad-guy completes the Google login and immediately changes the account setup to lock out gullible

Any thoughts?

  Reply # 2118867 3-Nov-2018 09:27

Called a man-in-the-middle attack: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
  Reply # 2118869 3-Nov-2018 09:29

This is a man-in-the-middle attack (MITM). It is difficult to protect against technically because it relies on the end user being vigilant, which is often not the case.

This is why, to turn off MFA, most systems require further challenges to the end user to complete the configuration change.
BDFL - Memuneh (Administrator)

  Reply # 2118876 3-Nov-2018 09:48

Yes and no. If you use an authenticator app then the code changes every 30 seconds, making it harder to time the attack; repeated requests sent to Gullible would raise suspicions.

An SMS attack is easier because it's also easier to use social engineering (or a Bad Telco Employee) to get a SIM card and transfer the number to that SIM (this has happened before, in the USA).

The one you show would need Gullible to enter the code on a site that 1) is not the domain used for login and 2) is asking for a code for a login Gullible did not initiate.

Yes, some gullible people will be gullible, but these attacks require a certain degree of sophistication and some targeting.