For your consideration: Hackers are stealing 2FA codes with terrifyingly effective voice bots

Just keeping Darwin relevant for a new age...

Indeed. But it points out, again, the old truism about humans being the weakest link in the chain, and the one that will always be exploited.

We're never going to "tech" our way out of this. Nor, sadly, are we ever going to educate enough users and get them to use a bit of common sense about pausing and considering.

It's a never-ending story.
 
And, who cares whether you consider it "real" or not? That's quite irrelevant, really. It's in common use, no matter what you'd call it, and most of the world calls it 2FA.

And you're the one that goes off on huge tirades about how you magically don't need any of it personally.

What is relevant? User behavior... that's what's relevant.

Code-based 2FA sucks, because users have to type in a 6-digit code. Not only do they give those codes up via the same social engineering BS that they lose their passwords with, but they're inconvenient as all get out. It doesn't matter how they get these codes. Now, SMS and email based code delivery opens up a whole new can of worms in this space for stealing those codes... but the fact remains access to the codes themselves is not secure, largely due to user stupidity that we'll never completely cure.

Push notifications don't work, because most of them are a simple accept / reject prompt. They fail for the same reason UAC prompts with admin rights fail. Users do not think about them, they simply get them and push OK. Get a user busy, and they'll reflex that accept button EVERY TIME. So this process isn't any better than a password while the user is awake.

Proper 2FA is designed for all of the above. Both Google and Microsoft have the means to do this properly. Microsoft calls theirs "Phone Sign-on".

The sign-in process for Phone Sign-on is like this:

User punches login into thing that needs it, a login form appears on the screen with a two digit code, the user receives a notification on their mobile device, user unlocks their mobile device, types in the two digit code on the device and touches accept. Login complete.

Not only is the above process idiot-proof easy, but it's patently impossible to subvert. Attackers cannot "steal" a code, because one doesn't exist. The password cannot be stolen because it, too, doesn't exist (passwordless sign-on is part of this). The only thing they can do is breach the authentication system itself. They could also steal the phone... But that tends to generate phone calls. So for a remote and quiet breach they need something that can break the sandbox of a mobile device and let it eavesdrop on the mobile app doing the lifting.

So if you have a real phone, a Google Pixel or an Apple iPhone, that's fully patched and serviced... the above simply doesn't happen. For the same reason these sorts of things don't tend to happen on Microsoft Windows that's fully patched and serviced. Got a crap phone from a crap vendor that isn't getting patches? Well... you aren't safe... you're running an unpatched and out of support device! That's a problem, stop it.

This stuff is game, set, and match for impersonation breaches. Hyper-secure environments use dedicated hardware for this process instead of mobile devices for a reason. Because something you have (your phone / HOTP device) and something you know (unlock code / pattern / biometric / password) as an authentication base is as good as it gets. Most of us don't need or want something that strong, so using our phones is just easier.

As for the article? I've been training users on these concepts for years. They are not new techniques. This isn't even news. And it most certainly isn't evidence of why not to use 2FA. It is however why I say, real 2FA doesn't rely on these codes. The fact that banks and other massive organizations don't do this correctly is on them. We have the technology, we have buckets of places refusing to use it.
 
And you're the one that goes off on huge tirades about how you magically don't need any of it personally.

They're not tirades. They're statements.

Apparently, the fact that I've been in the computer world and not had a single compromise of which I'm aware since the mid-1980s, using only passwords is not sufficient, to you, to show that, when used appropriately, they are way more than just adequate.

All of these authentication methods are brought into play because individuals do something stupid and some genius thinks there's a technical solution to that. There isn't. And the harder you make it for someone to conveniently access something, the more likely they are to use whatever (stupid, admittedly) methods that are available to "prop doors open."

I really don't care that you believe that your opinion, on anything, is the one and only right one. Others frequently differ.
 
If the push 2FA is vulnerable to a MITM, the push mechanism isn't using mTLS and is garbage. Again, both Google and Microsoft's processes do this.

That's not relevant to this method of MITM. It's not even technically a MITM attack as the end user is not initiating the connection. The hacker is using previously acquired password data and then is tricking the end user to perform the 2nd part of the authentication. They can be tricked just as easily to press a single button as they can to verbally recite a code.
 
There is also an interesting twist on this... many thieves have given up on wide nets to bring in prey, they just look for them on social media. Find someone who blabs all about life, pets and the ones dear to them, find out where they work etc, then call up the cell provider and SIM swap. Now all that 2FA is worthless because they have implanted themselves as part of your digital life like a cancer cell.

Reminds me of older films where a person would find as much as they could about a "mark" and armed with this knowledge they then started the scam.

It's true when they say information is power.
 
That's not relevant to this method of MITM. It's not even technically a MITM attack as the end user is not initiating the connection. The hacker is using previously acquired password data and then is tricking the end user to perform the 2nd part of the authentication. They can be tricked just as easily to press a single button as they can to verbally recite a code.

And yet again... I point out the process that Microsoft uses via Phone Sign-in doesn't have this fault.

The notification pops an INPUT BOX on the phone that requires the user to input a two digit number provided by the login prompt. The user isn't simply clicking "OK", they have to punch in a two digit number they do not have before they can push OK.

Also, there is no password to steal; all the attacker needs to generate a notification on the phone is the login name. If your phone is popping and you cannot press OK, and all you have is reject, that rejection gets the originating device banned from all authentications pretty quickly.

Microsoft makes it annoying to setup a generic TOTP authenticator for a reason... they suck. I use them daily, but they still suck!

@NviGate Systems Yes, which is precisely why SMS-based 2FA isn't really 2FA. The cellular networks are too easily breached.
 
And yet again... I point out the process that Microsoft uses via Phone Sign-in doesn't have this fault.

The notification pops an INPUT BOX on the phone that requires the user to input a two digit number provided by the login prompt. The user isn't simply clicking "OK", they have to punch in a two digit number they do not have before they can push OK.

You mean you can't build a bot that logs into your m365 account, while telling the end user which number to select? How is pressing a number on your phone any different than punching a touch tone code texted into your phone in response to the robot voice?

Robot voice "To verify your account please press...82...on your Microsoft Authenticator app on your cellphone."

The 82 is obviously grabbed by the bot logging in to your account. The same bot has convinced you to reply and grant him access. All this requires is a gullible end user.
 
You mean you can't build a bot that logs into your m365 account, while telling the end user which number to select? How is pressing a number on your phone any different than punching a touch tone code texted into your phone in response to the robot voice?

Robot voice "To verify your account please press...82...on your Microsoft Authenticator app on your cellphone."

The 82 is obviously grabbed by the bot logging in to your account. The same bot has convinced you to reply and grant him access. All this requires is a gullible end user.

The 82 is presented via CAPTCHA enabled prompt. The generation engine is monitored and excessive requests get flagged.

It's not perfect, but it's vastly less likely that a bot will get that number and target a person, and then convince said person to punch it into their phone than it is for a password to get lifted, or someone to push "authorize" on a simple push method by mistake.

That little window that presents that number isn't nearly as simple as it appears. And if you CAN build a bot for that evolving mess, go for it? I've tried... for my part. Have you?
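A server-side sketch of the number-matching push flow the thread describes (two-digit number shown only on the sign-in form, entered on the phone, with rejections banning the originating device and excessive requests getting flagged). This is an added example, not Microsoft's code or anything posted by the participants; the failure threshold, ban duration and challenge lifetime are assumed values.

```python
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 3        # assumed: failures per origin before it is banned
BAN_SECONDS = 3600      # assumed: how long a banned origin gets no pushes
CHALLENGE_TTL = 120     # assumed: seconds a displayed number stays valid


@dataclass
class Challenge:
    user: str
    origin: str      # device / address that started the sign-in
    number: str      # two-digit value shown on the sign-in form only
    created: float


@dataclass
class NumberMatchAuth:
    pending: dict = field(default_factory=dict)       # user -> Challenge
    failures: dict = field(default_factory=dict)      # origin -> count
    banned_until: dict = field(default_factory=dict)  # origin -> timestamp

    def start_sign_in(self, user, origin, now):
        """Show a number on the form and push a prompt (without the number)."""
        if self.banned_until.get(origin, 0) > now:
            return None                       # banned origin: no push at all
        number = f"{secrets.randbelow(100):02d}"
        self.pending[user] = Challenge(user, origin, number, now)
        return number                          # only the form ever sees this

    def device_response(self, user, entered, accepted, now):
        """Handle the phone's answer: typed number plus accept / reject."""
        ch = self.pending.pop(user, None)
        if ch is None:
            return "no-pending"
        fresh = now - ch.created < CHALLENGE_TTL
        if accepted and fresh and secrets.compare_digest(entered, ch.number):
            self.failures.pop(ch.origin, None)
            return "ok"
        # Reject, wrong number, or stale prompt all count against the origin.
        n = self.failures.get(ch.origin, 0) + 1
        self.failures[ch.origin] = n
        if n >= MAX_FAILURES:
            self.failures.pop(ch.origin, None)
            self.banned_until[ch.origin] = now + BAN_SECONDS
            return "banned"
        return "rejected"
```

Note that a caller who knows only the login name can trigger pushes, which is why the flow bans on rejections rather than on successes.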
 
Find someone who blabs all about life, pets and the ones dear to them, find out where they work etc, then call up the cell provider and sim swap. Now all that 2FA is worthless because they have implanted themselves as part of your digital life like a cancer cell.

One of the many reasons why having active social media accounts is a terrible idea. I have social media accounts on all major platforms. I registered them just so someone couldn't impersonate me. I never post anything to them. If you look for me on Facebook my name will come up, but I've posted nothing to the account and when you go to it, everything is set to full privacy. It's the same thing with all my social media accounts. When you Google my name, I don't come up anywhere. Even those paid services don't have anything accurate on me. I know, I've paid them all to see what they had on me. The best one was BeenVerified.com. They had an address I used to live at when I was 3 years old as my current address LOL. I'm not saying I'm invisible to the cops or the government, but no scammer or internet bozo is going to find me.