
If I understood this correctly, two factor authentication was irrelevant.

Whoever did this just forged the cookies and had full webmail access regardless of any authentication method.




No, I was not using the two factor authentication feature. I still don't know what caused this, but yeah, my account might have been hacked.

Wait, the account didn't have two-factor auth enabled?!?

I'd have thought that two-factor authentication could have prevented this type of attack?

But even after resetting the password, two factor authentication is needed to log in right? How was that bypassed?

He wasn't even using two-factor authentication?

> ... had successfully changed the password, but in the case below, failed to access the account due to the second-factor authentication...

Why wasn't two factor authentication required to reset the password? This is Security 101: Greater risks need greater authentication.


I'm not sure 2 factor would help. The hackers could echo his 2 factor key he typed into their fake login page to the real login page.

This is why two-factor authentication is vital for email accounts. It's just too easy to accidentally reuse your email password somewhere, and then things like this can happen. With a second factor, someone would have to physically steal your phone or OTP device to access your account, and that's a lot harder for some hackers in China to do :)

Says my account was hacked, but then gives me the incorrect two letters for the start of my password. Seems bunk.

Also, why wouldn't you give your email address to a random website? I have it plastered all over the net. Spam is a solved problem at this point. Ironically thanks to Gmail!

Agree on 2 factor auth though.


Hmm. Makes me wonder about the security of two factor authentication schemes. For scams like these it's pretty obvious that someone is trying to access your account, but I do wonder if there are more secure ways to verify your identity when changing account settings.

Just enabled 'Two factor authentication'. Thanks for writing this. Made me realize the loss I would incur if my account gets hacked.

> Logic being if someone controls your email account already, it doesn't matter that you have two-factor auth, they can shut it off because they control your account. A lot of people using two factor auth with their Google account have been hacked exactly this way.

Can you explain this a little more? I don't think I understand, because to me it sounds like you're saying, "once your account is hacked, two factor authentication won't help because your account has been hacked, so the adversary can disable two factor authentication". Don't major changes to accounts like that sometimes require re-authenticating with all required factors? I need to do this if I want to add a bill pay recipient to my bank account even if I'm already logged in.


Two factor authentication is nothing more than a massive vulnerability. We've seen people somehow change our listed contact numbers through unknown exploits, then hijack ownership of properties using the new number to prove they are us. This wouldn't be possible if not for 2nd factor authorization schemes.

This is not two factor authentication, since it eliminates one of the factors (the password). Gmail's doesn't, so that is two factor auth.

The article doesn't say if the user had two-factor authentication set up. I guess it's implied they used SMS as the second factor.

This would happen with any email provider.

So the fix isn't changing email provider, it's using a more secure second factor, e.g. U2F.


Yeah, that's not something that should count as two-factor authentication. It's just single factor authentication with a warning.

Seems like two factor authentication here would have helped.

It's not called two factor authentication. Two factor authentication is when you have two factors for authentication. This is just one.

Someone can just steal your two factor authentication token by asking for one at a forged login page.
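The relay scenario raised in several comments above (an OTP typed into a forged login page and forwarded to the real one) and the U2F suggestion can be modelled in a few lines. This is an added toy example, not code from any commenter or from Google: the OTP and "device signature" are HMAC stand-ins, and the origins, secrets and counter value are constructed for the demo. It shows why a code that does not depend on where it is typed survives a relay, while an origin-bound assertion does not.

```python
import hashlib
import hmac
import os

# Constructed demo values; none of these are real credentials or hosts.
USER_OTP_SECRET = b"demo-otp-secret"
USER_DEVICE_KEY = b"demo-device-key"          # stands in for a U2F private key
REAL_ORIGIN = "https://mail.example"
PHISH_ORIGIN = "https://mail-example.invalid"  # look-alike page the user was lured to

def otp_code(secret: bytes, counter: int) -> str:
    """Toy HMAC-based OTP. Note the code depends only on secret and counter,
    never on which site the user is typing it into."""
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:6]

def server_check_otp(code: str, counter: int) -> bool:
    return hmac.compare_digest(code, otp_code(USER_OTP_SECRET, counter))

def device_sign(key: bytes, origin: str, challenge: bytes) -> str:
    """Toy origin-bound assertion (U2F style): the browser passes the origin it
    is actually connected to, and the device mixes it into what it signs."""
    return hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()

def server_check_assertion(sig: str, challenge: bytes) -> bool:
    # The real server only ever accepts assertions bound to its own origin.
    return hmac.compare_digest(sig, device_sign(USER_DEVICE_KEY, REAL_ORIGIN, challenge))

def relay_otp_login() -> bool:
    """User reads a code off their phone and types it into the forged page,
    which forwards it unchanged to the real server."""
    counter = 42
    typed_by_user = otp_code(USER_OTP_SECRET, counter)
    relayed = typed_by_user                      # forwarded verbatim, still valid
    return server_check_otp(relayed, counter)    # True: the relay succeeds

def genuine_u2f_login() -> bool:
    """User's browser really is on the real origin; the assertion verifies."""
    challenge = os.urandom(16)
    return server_check_assertion(device_sign(USER_DEVICE_KEY, REAL_ORIGIN, challenge), challenge)

def relay_u2f_login() -> bool:
    """Forged page forwards the real server's challenge, but the user's browser
    signs it for the look-alike origin, so the real server rejects it."""
    challenge = os.urandom(16)
    sig_for_phish = device_sign(USER_DEVICE_KEY, PHISH_ORIGIN, challenge)
    return server_check_assertion(sig_for_phish, challenge)   # False
```

The same reasoning is why SMS and app-generated codes count as phishable and origin-bound keys do not: the defence lives in what the device signs, not in how secret the code is.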
