
Someone can just steal your two factor authentication token by asking for one at a forged login page.



steal password + seize the phone to get 2 factor token = compromise.

Having 2-Factor auth is meaningless if you can bypass the auth itself.

Two factor authentication is nothing more than a massive vulnerability. We've seen people somehow change our listed contact numbers through unknown exploits, then hijack ownership of properties using the new number to prove they are us. This wouldn't be possible if not for 2nd factor authorization schemes.

More likely examples are hacking into sites that don't use two factor auth, like your domain registrar or web mail accounts.

If you are using any form of online banking without two factor auth, find another bank!!! Even PayPal offers a security token these days.


Without the settings in your authenticator you're locked out of accounts that require a 2-factor token from it, unless you've got backup tokens printed out.

Unless you have two factor auth enabled.

I'm not sure 2 factor would help. The hackers could echo his 2 factor key he typed into their fake login page to the real login page.

Two factor authentication is dumb. It invites poor discipline with reusing passwords and with 500 pound gorilla corps, losing your second factor is losing your account permanently.

Two-factor authentication is such a pain. It makes it much harder to steal your banking credentials when you sign on using public wifi.

What is usually not mentioned is that enabling two factor authentication is a major reason for people getting locked out of their accounts.

Phones get hacked too. If you ever access a site with your phone, it's not two factor auth. Malware can read your 2FA key and read your password as you type it in.

That's only in regard to a phishing attack, but two factor authentication protects you in the case that you lose your password to an adversary who tries to log in themselves.

If said adversary can steal your password through other means (for example, you use the same password over multiple sites, and the adversary happens to run one of them), they still would have to coerce you into giving the Allow on your phone.


If I understood this correctly, two factor authentication was irrelevant.

Whoever did this just forged the cookies and had full webmail access regardless of any authentication method.


Two-factor is getting to be a necessary feature for sites...

HOWEVER, there are always ways around two-factor auth. Some sites have some special codes that you are advised to print and carry around with you. Some sites let you verify your personal information to turn it off.

What it comes down to is how secure are:

- the methods of disabling two-factor auth

- the methods involved when you lose your two-factor auth token/device

And let's not forget:

- the methods involved when you forget your password

- customer service intervention methods (i.e. social engineering)

Putting a "Look we support two-factor auth! We are super secure!" message out there is always a red flag for me, as how they have countermeasures in place for the above scenarios is very important... as that is what the evil people will do.


Just enabled 'Two factor authentication'. Thanks for writing this. Made me realize the loss I would incur if my account gets hacked.

So instead of having a physical device you own act as a second factor, you are now vendor-locked to a proprietary authentication solution for the entire login process. No thank you!

The entire point of two-factor authentication is to have, well, two factors: something you know and something you have. Using the PC itself as token was already problematic enough as it has a massive code base and runs all sorts of untrusted code so it is likely to be compromised at some point - but at least that was somewhat excusable due to convenience making it accessible to way more people. But getting rid of the rest of the credential and solely relying on the OS is just insanity.


Wow! What's the easiest way to stop this kind of attack? Stop all two-factor authentication?

Even Google's two factor authentication got hacked. How do you secure yourself for something like that?

Two factor won't protect you from a spear-phishing attack.

The attacker can submit your info to GitHub the moment you submit to the malicious site. You receive the token via SMS as expected, enter it on the second page of the malicious site, granting them access.
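The relay described in the comments above (a one-time code typed on a look-alike page and forwarded to the real site within the code's validity window) contrasted with a challenge that is bound to the origin the browser saw. This is an added illustration, not code from any comment on this page; the seed, timestamps and origins are constructed for the demo, and a shared-secret HMAC stands in for the public-key signature a WebAuthn authenticator would produce.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real authenticator seed is provisioned per user.
SECRET = b"demo-seed-not-real"


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp_verify(secret: bytes, code: str, t: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check; adjacent steps are accepted to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, t + d * step), code)
               for d in range(-skew, skew + 1))


def sign_challenge(secret: bytes, origin: str, challenge: bytes) -> str:
    """Origin-bound response: the origin the browser reports is part of what is signed."""
    return hmac.new(secret, origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()


def verify_challenge(secret: bytes, expected_origin: str, challenge: bytes, sig: str) -> bool:
    """The real site verifies against its own origin, not the one the user was shown."""
    return hmac.compare_digest(sign_challenge(secret, expected_origin, challenge), sig)


def scenario() -> tuple:
    """Returns (otp_relay_accepted, origin_bound_relay_accepted)."""
    now = 1_700_000_000                      # constructed timestamp
    code = totp(SECRET, now)                 # user reads this from their phone
    # The code says nothing about where it was typed, so a copy forwarded
    # a few seconds later is indistinguishable from a legitimate login.
    otp_relayed = totp_verify(SECRET, code, now + 5)
    challenge = b"server-nonce-1234"         # constructed per-login challenge
    # Browser on the look-alike page binds the response to that page's origin ...
    forged = sign_challenge(SECRET, "https://login.example.net", challenge)
    # ... and the real site checks for its own origin, so the relayed response fails.
    bound_relayed = verify_challenge(SECRET, "https://github.com", challenge, forged)
    return otp_relayed, bound_relayed
```
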
