Sunday, January 6, 2019

"I don't want to bother turning on Two Factor Authentication"

By Steve Endow

January 2019 Update:  A security researcher has developed a tool that can intercept logins and 2FA codes through a man-in-the-middle attack.

This type of attack can apparently defeat most, if not all, code-based 2FA systems.

I have a separate blog post discussing YubiKeys / U2F tokens, which are touted as being more secure than code-based 2FA authentication schemes.

The article mentions that the tool "is inefficient against U2F-based schemes that rely on hardware security keys."  I am not sure if the author meant inefficient, or if he meant ineffective, but I don't think U2F tokens would prevent the browser from authenticating with a YubiKey with the MITM in place.

If anyone has information indicating that U2F validates the URL and / or can prevent this type of MITM proxy attack, I would love to read about it.
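To make the difference between the two schemes concrete, here is an added example (not from the original post) that models, in Python, a relayed one-time code next to an origin-bound assertion of the kind U2F and WebAuthn tokens produce. It is a simplified model: HMAC stands in for the token's ECDSA signature, the client-data fields follow the U2F layout in spirit only, and the origins, keys and challenge are constructed. The TOTP part follows RFC 6238. The point it shows is that a TOTP code carries no information about where it was typed, whereas the U2F client data the token signs names the origin the browser was actually talking to, so a relying party that compares that origin with its own rejects an assertion collected on another domain (a real browser would also refuse to sign for an appId that does not match the page's origin; the model lets the assertion through so the server-side check is visible).

```python
"""Relayed one-time code vs. origin-bound assertion (simplified model).

Added example, not code from the original post. HMAC stands in for the
token's ECDSA signature; origins, keys and the challenge are constructed.
"""
import base64
import hashlib
import hmac
import json
import os
import struct
import time


# --- Code-based 2FA: TOTP per RFC 6238 (HMAC-SHA1, 30 s steps) ---
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_checks_totp(secret: bytes, submitted_code: str, now: int) -> bool:
    # The server only sees six digits; nothing in them says which site
    # collected them, so a code relayed from another page verifies fine.
    return hmac.compare_digest(totp(secret, now), submitted_code)


# --- Origin-bound assertion, U2F/WebAuthn style (simplified) ---
def token_sign(token_key: bytes, app_id: str, client_data: bytes) -> bytes:
    # A real token signs SHA-256(appId) || flags || counter || SHA-256(clientData)
    # with ECDSA; a keyed HMAC over the two hashes stands in for that here.
    to_sign = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(token_key, to_sign, hashlib.sha256).digest()


def browser_assert(token_key: bytes, app_id: str, page_origin: str, challenge: str):
    # The browser, not the web page, fills in the origin it is connected to.
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    return client_data, token_sign(token_key, app_id, client_data)


def rp_verify(token_key: bytes, app_id: str, expected_origin: str,
              issued_challenge: str, client_data: bytes, signature: bytes):
    """Relying-party side: origin and challenge are checked before the signature."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"
    if data.get("challenge") != issued_challenge:
        return False, "challenge mismatch"
    if not hmac.compare_digest(token_sign(token_key, app_id, client_data), signature):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Returns (relayed TOTP accepted, direct U2F accepted, proxied U2F accepted)."""
    totp_secret = b"12345678901234567890"  # RFC 6238 test secret, constructed
    now = int(time.time())
    code = totp(totp_secret, now)  # what the user reads off the authenticator app
    relayed_ok = server_checks_totp(totp_secret, code, now)

    token_key = os.urandom(32)  # constructed per-token key
    app_id = "https://example.com"  # constructed relying party
    challenge = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")

    # Direct login: browser is on the relying party's own origin.
    cd, sig = browser_assert(token_key, app_id, "https://example.com", challenge)
    direct_ok, _ = rp_verify(token_key, app_id, "https://example.com", challenge, cd, sig)

    # Login collected on another origin (constructed name) and forwarded to
    # the relying party: the signed client data still names that origin.
    cd2, sig2 = browser_assert(token_key, app_id, "https://proxy.example.net", challenge)
    proxied_ok, reason = rp_verify(token_key, app_id, "https://example.com", challenge, cd2, sig2)
    return relayed_ok, direct_ok, proxied_ok


if __name__ == "__main__":
    print(demo())  # → (True, True, False)
```

The signature in the second assertion is perfectly valid; it is the origin field inside the signed client data, which the page cannot alter, that the relying party rejects.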

The other day I received a Skype message from a friend.  It was an abbreviated URL using the Google URL shortener.

It looked something like this:

Since it was from a friend I knew well, I was about to click on it.

Then I paused.

The URL format seemed a bit odd.  After a moment of reflection, I realized it looked suspicious.  Then I realized that the message appeared in Skype.  And this friend doesn't message me on Skype.  And I vaguely recall receiving a similar message on Skype from a customer a few years ago.

I messaged my friend through another app and let him know that his Skype account had been compromised.

He was able to log in to his Skype account and confirm it had been compromised.  He was able to see several logins from other countries.

He let me know that he reset his password, and considered the problem resolved.

I then recommended enabling two factor authentication on the account.

His response:  "I don't regularly use the account, so I don't want to deal with the potential hassle of 2FA".

I propose looking at 2FA differently.

Let's assume that I'm not the only person who received the likely malicious Skype message.  Let's say that as a result of my friend not using a strong unique password and not enabling 2FA, 50 other Skype contacts received a similar message.  These contacts would include friends, but would also likely include customers.

By not having 2FA enabled on the account, my friend just exposed his friends and customers to a malicious URL that may then compromise their security and logins.  As an ERP consultant, his customer contacts could likely include accounting managers and CFOs and CEOs.  If those people click on the link and have their Skype or other online accounts compromised, imagine the potential fallout.  And those compromised accounts would then be used to further spread malicious links or emails to more contacts.

If your account was just compromised and accessed from India, Indonesia, and Bangladesh, in part because you did not have 2FA enabled, and that resulted in your friends and customers receiving a message with a malicious link, are you being a responsible person?

Account hacks do happen constantly, so let's say that you get a pass on your first account hack.

But what if after your account is hacked, you then decline to enable 2FA on that account?

Is that being responsible?

Enabling and using 2FA is not difficult.

But unfortunately most web sites and services require you to take the time to enable 2FA.

Yes, every web site and service seems to have its own quirky implementation of 2FA, but they all generally use just a few methods: SMS text messages, Google Authenticator, or a separate authenticator app such as Microsoft Authenticator, Authy, Yahoo, etc.

It's a truly minor inconvenience for keeping your accounts more secure and reducing the risk that your hacked account will expose your friends and customers to unnecessary security risks.

Be responsible.  Enable 2FA and other security measures whenever you can.

Steve Endow is a Microsoft MVP in Los Angeles.  He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.

You can also find him on Twitter and YouTube.
