Geekzone: technology news, blogs, forums


Foiler

220 posts

Master Geek
+1 received by user: 10


#242550 3-Nov-2018 09:21

Two-factor authentication is meant to keep the bad guys out .. but does it?

 

Take a G-Suite login process for example .. what if:

 

  • Google user enters Gmail username "gullible" and password "1234" into the bad-guy website
  • bad-guy uses these credentials to log into Google, gets prompted for the text code, and passes this request on to gullible
  • gullible enters the text code into the bad-guy website
  • bad-guy completes the Google login and immediately changes the account setup to lock out gullible

Any thoughts?

 

 


Brumfondl
1198 posts

Uber Geek
+1 received by user: 524

Trusted
Subscriber

  #2118867 3-Nov-2018 09:27

Called a man-in-the-middle attack: https://en.wikipedia.org/wiki/Man-in-the-middle_attack








gbwelly
1263 posts

Uber Geek
+1 received by user: 776


  #2118869 3-Nov-2018 09:29

This is a man-in-the-middle attack (MITM). It is difficult to protect against technically because it relies on the end user being vigilant, which is often not the case.

 

This is why, to turn off MFA, most systems require further challenges to the end user to complete the configuration change.

 

 








freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41029

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2118876 3-Nov-2018 09:48

Yes and no. If you use an authenticator app then the code changes every 30 seconds, making it harder to time the attack - repeated requests sent to Gullible would raise suspicions.

 

An SMS attack is easier because it's also easier to use social engineering (or a Bad Telco Employee) to get a SIM card and transfer the number to that SIM (this has happened before, in the USA).

 

The one you show would need Gullible to enter the code on a site that 1) is not the domain used for login and 2) is asking for a code for a login Gullible did not initiate.

 

Yes, some gullible people will be gullible but these attacks require a certain degree of sophistication and some targeting.





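The three points made in this thread (a relayed code is indistinguishable from a genuine one, the 30-second authenticator step only narrows the window, and the code is typed on a domain that is not the login domain) can be shown in a short simulation. The following is an added example written for this page, not code from Geekzone, any poster, or Google. It implements RFC 4226/6238 HOTP/TOTP as the "authenticator app" code, a server-side verifier, and a deliberately simplified model of a domain-bound second factor in the style of WebAuthn, where an HMAC with a shared key stands in for the real public-key signature. The secret, challenge and the two origins are constructed placeholders.

```python
"""Added example (not from the thread): why a relayed one-time code verifies at the
real service, why the 30 s TOTP step only limits timing, and why a factor bound to
the login domain is rejected. All secrets, challenges and origins are constructed."""
import hashlib
import hmac
import struct

TIME_STEP = 30                                  # TOTP step, the "changes every 30 seconds" point
DEMO_SECRET = b"constructed-demo-secret"        # constructed; real services provision a random one
REAL_ORIGIN = "https://accounts.example"        # placeholder for the genuine login domain
PHISH_ORIGIN = "https://login.bad-guy.example"  # placeholder look-alike domain


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Server side: accept only the current step, and never the same step twice."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_steps = set()

    def verify(self, code: str, now: float) -> bool:
        step = int(now // TIME_STEP)
        if step in self.used_steps:
            return False                        # replay of an already-consumed code
        if not hmac.compare_digest(code, hotp(self.secret, step)):
            return False
        self.used_steps.add(step)
        return True


def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> tuple:
    """Simplified domain-bound factor (WebAuthn-style): the browser, not the page,
    records the origin it is really connected to, and the authenticator signs
    challenge plus origin. HMAC stands in for the real public-key signature."""
    mac = hmac.new(secret, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()
    return origin, mac


def verify_origin_bound(secret: bytes, challenge: bytes, expected_origin: str, response: tuple) -> bool:
    """Relying party: the signed origin must be its own and the MAC must match."""
    origin, mac = response
    if origin != expected_origin:
        return False
    expected = hmac.new(secret, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


NOW = 51373002 * TIME_STEP + 10     # fixed clock, 10 s into a step, so runs are reproducible
CHALLENGE = b"constructed-challenge-from-real-service"


def relayed_totp_within_step() -> bool:
    """gullible types the current code into the look-alike site, which forwards it a few
    seconds later. The service sees a valid code and cannot tell where it was typed."""
    verifier = TotpVerifier(DEMO_SECRET)
    code_typed_at_phish_site = totp(DEMO_SECRET, NOW)
    return verifier.verify(code_typed_at_phish_site, NOW + 5)


def relayed_totp_after_step() -> bool:
    """The same code forwarded after the 30 s step has rolled over is refused: this is
    only timing pressure on the relay, not a protection."""
    verifier = TotpVerifier(DEMO_SECRET)
    code_typed_at_phish_site = totp(DEMO_SECRET, NOW)
    return verifier.verify(code_typed_at_phish_site, NOW + 35)


def relayed_origin_bound_factor() -> bool:
    """With a domain-bound factor the browser signs the phishing origin, because that is
    where gullible really is; forwarded to the genuine service it fails the origin check."""
    response = origin_bound_response(DEMO_SECRET, CHALLENGE, PHISH_ORIGIN)
    return verify_origin_bound(DEMO_SECRET, CHALLENGE, REAL_ORIGIN, response)


def genuine_origin_bound_login() -> bool:
    """Control case: the same factor used directly at the genuine domain succeeds."""
    response = origin_bound_response(DEMO_SECRET, CHALLENGE, REAL_ORIGIN)
    return verify_origin_bound(DEMO_SECRET, CHALLENGE, REAL_ORIGIN, response)
```

Running the four scenario functions gives True, False, False, True: a code-based second factor (SMS or app) is accepted whenever the relay is fast enough, while a domain-bound factor is refused regardless of timing because the origin the user actually visited is part of what gets signed. The replay check in `TotpVerifier` is a common server-side control, but it does not help here, since gullible never submits the code to the real service at all.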

 









