PSA: SMS 2FA Is Weak AF
Photo: Kevin Frayer (Getty)

Let’s use a crime spree to teach a lesson.

Nine people were charged this week by the Justice Department with stealing $2.4 million in cryptocurrency through a scheme called SIM hijacking.

SIM hijacking (also called SIM swapping) is an elaborate but relatively straightforward piece of fraud and social engineering in which crooks take over a target's phone number by various means: in this particular case by bribing carrier customer-support representatives, in other cases by impersonating the victim to the carrier.

The victims of this scheme held millions of dollars in cryptocurrency on online exchanges and used those phone numbers as the delivery channel for two-factor authentication codes sent by text message (SMS). Once the alleged hackers controlled the numbers, the codes went to them instead of the victims, and they used them to break into the accounts and take the money.

What makes cryptocurrency such a tempting target is that once it’s stolen, there’s no getting it back. No bank to call, no centralized authority to appeal to. That’s the appeal of cryptocurrency for a lot of people, right? And that tends to be what makes it such a juicy target.

Two-factor authentication is one of the easiest and most important steps you can take to secure your online life. Unfortunately for those who got their Bitcoin ripped off, there’s a small but important wrinkle to be aware of.

Here’s the lesson: Two-factor authentication that relies on phone numbers and text messages is weak and if you use it to protect something like, I don’t know, millions of dollars of cryptocurrency, you’re going to be an easier target.

That’s not brand new information but it’s important. Despite years of research, too many people still rely on this weak factor to secure their online accounts. In cybersecurity it can take years for a new paradigm to take hold.

The phone number is never the only thing needed to get into an account, but it is supposed to be the failsafe: the second factor that, combined with a password, makes the account much harder to take over. Ultimately, though, a phone number is a weak authenticator, and any important account you have should be protected by something stronger.

This is not a victim-blaming blog and this is not their fault. Obviously the crooks are first at fault, but the websites themselves should be doing better on security. For important accounts it probably shouldn’t even be an option to use text messages as the second factor. Any site with important accounts that offers it can probably do better, and any site that offers only SMS two-factor authentication can hardly do worse.

There’s a lot going on here — this group congregated on one of the weirdest and most childish centers of cybercrime on the internet and antagonized targets over Twitter — but let’s keep things simple for the sake of the lesson.

Here’s the background information: The cybersecurity consensus is that all your accounts need two-factor authentication. What does that mean?

That means two factors are needed to gain access, because it’s shockingly easy to lose control of your password. The first factor is typically your password, and that’s easy enough. The second factor might be your phone number, in which case the site texts you a one-time code (SMS) and lets you in once you type it back. The second factor could instead be an app like Google Authenticator that generates the code on the device itself, or a hardware key like a YubiKey that you use much as you would use a physical front-door key.

The best common form of two-factor authentication is a physical key. This is the kind of authentication that Google gives to political campaigns, dissidents, and journalists among others — the kind of people whose lives can depend on their cybersecurity.

A physical key is pretty easy to set up but, okay, maybe you don’t need life-or-death cybersecurity. An authenticator app is a strong and simple choice. Google Authenticator (or any app that implements the same time-based one-time-password standard) generates the second factor on your phone itself, so nothing has to be sent to you over the cellular network.

Lowest on the list is the text message.

It’s been nearly three years since NIST, the U.S. government’s standards body, warned agencies to move away from SMS authentication, because delivery to a real phone can’t be verified and the messages can be intercepted, but it’s still widespread, including, apparently, at some poorly secured cryptocurrency exchanges.

“While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of device authentication mechanisms inherent in the other authenticators allowable…,” Paul Grassi, NIST’s senior standards and technology adviser, explained in 2016. “It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.”

Let’s end the lesson with a simple takeaway: always use two-factor authentication. If it’s something important (your money, your social media accounts, your email), download an authenticator app or get a hardware key.

Or just haplessly lose a few mil and hope the cops eventually catch the bad guys. Sometimes that works too.


Moonday Mornings: Binance to resume deposits and withdrawals after $40M Bitcoin hack

It’s time for Moonday Mornings, Hard Fork’s wrap-up of the weekend’s top cryptocurrency and blockchain headlines.

Here’s what happened.

1. Binance says it will resume deposits and withdrawals on its platform on Tuesday. The cryptocurrency exchange had suspended the functions following an attack in which hackers stole over $40 million worth of Bitcoin.

2. The figureheads of the fake cryptocurrency scheme OneCoin are being sued. Brother-and-sister duo Konstantin Ignatov and Ruja Ignatova are facing a class-action lawsuit over their involvement in the scam, which was “based completely on lies and deceit,” ZDNet reports.

3. A Bitcoin-fueled ransomware attack hit the Baltimore City government last week. Despite the ransomware having been cleaned off, hackers are allegedly still accessing the infected computers, ZeroHedge reports. The Federal Bureau of Investigation is now investigating the attack.

4. The creator of the Bitcoin treasure hunt Satoshi’s Treasure is claiming nearly 60,000 people are following the global challenge, CoinDesk reports. One player has already claimed the first prize, and didn’t even have to go anywhere to claim it.

And finally.

5. William Shatner is putting William Shatners on the blockchain. The former Star Trek actor is joining Mattereum, a legaltech firm, to document the authenticity of science collectibles and memorabilia from a range of franchises on the blockchain.

That’s another weekend’s headlines for you. Live long and prosper.

Published May 13, 2019 — 07:58 UTC


Amazon granted patent for Bitcoin-style system to fight DDoS attacks

Cryptocurrency rumor mongers are likely to be dancing today, as Amazon has been granted a patent for a Bitcoin-style Proof-of-Work system. But don’t get ahead of yourself: it doesn’t look like the Seattle-based ecommerce giant will be accepting Bitcoin for payments.

Although the application was first filed in December 2016, Amazon’s patent was granted earlier this week, and it outlines a system that uses Proof-of-Work to deter distributed denial-of-service (DDoS) attacks.

“One way to mitigate against such attacks is to configure a service such that requests to the service incur some sort of expense, thereby providing a disincentive to participating in the attack,” the application reads.

Planting a Merkle Tree

Amazon proposes to use Merkle Trees to pose a Proof-of-Work challenge that makes it too costly for a large set of computers to flood a service with requests.

But what’s a Merkle Tree? In short, a Merkle Tree is a cryptographic structure in which each block of data is run through a hash function to give it a short, unique fingerprint known as a hash.

Pairs of these hashes are then concatenated and hashed again to produce a parent hash, and the process repeats level by level until a single root hash remains. It’s layers on layers of hashed data, and the root commits to every block beneath it: change one block and the root changes.

Computing all those hashes takes real work, so a challenge that demands enough of them costs time, electricity, and hardware. Sized so that one request is cheap but millions are not, that cost is what makes a DDoS attack economically unattractive.

In the case of Amazon’s patent, imagine having to construct a Merkle Tree before you’re allowed to access a website hosted on one of its servers. To an individual the cost might be insignificant, but to an organization trying to carry out a DDoS attack, which might involve many hundreds of computers, it could become prohibitively expensive. The server, by contrast, only has to verify the answer, which is cheap.
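To show both halves of that argument, the tree construction and the cost asymmetry, here is an added example written for this page (not code from Amazon's patent, and not necessarily the exact mechanism the patent claims). It builds a Merkle Tree over data blocks, produces and checks an inclusion proof, and then uses the tree in a hashcash-style challenge: the client must find a counter whose tree root starts with a required number of zero bits, while the server checks the answer with a single tree construction. The leaf/node prefixes, the duplicate-last-node rule for odd levels, and the challenge layout are this example's own choices, labelled as such in the code.

```python
import hashlib
from typing import List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hash_leaves(leaves: List[bytes]) -> List[bytes]:
    # 0x00 prefix for leaves, 0x01 for internal nodes (this example's choice): a leaf
    # can then never be passed off as an internal node, or vice versa.
    return [sha256(b"\x00" + leaf) for leaf in leaves]


def _parent(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def _next_level(level: List[bytes]) -> List[bytes]:
    if len(level) % 2:
        level = level + [level[-1]]          # odd level: duplicate the last node
    return [_parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes]) -> bytes:
    """Hash each block into a leaf, then hash pairs upward until one root remains."""
    if not leaves:
        return sha256(b"")
    level = _hash_leaves(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[bool, bytes]]:
    """Sibling hashes from leaf to root; the flag says whether the sibling sits on the left."""
    level = _hash_leaves(leaves)
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((sibling < index, level[sibling]))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(root: bytes, leaf: bytes, proof: List[Tuple[bool, bytes]]) -> bool:
    """Recompute the path to the root from one leaf and its siblings (O(log n) hashes)."""
    h = sha256(b"\x00" + leaf)
    for sibling_is_left, sibling in proof:
        h = _parent(sibling, h) if sibling_is_left else _parent(h, sibling)
    return h == root


def leading_zero_bits(h: bytes) -> int:
    bits = 0
    for byte in h:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def _challenge_leaves(server_nonce: bytes, counter: int, n_leaves: int) -> List[bytes]:
    # Constructed challenge layout: every leaf binds the server's nonce and the client's counter.
    return [server_nonce + counter.to_bytes(8, "big") + i.to_bytes(2, "big") for i in range(n_leaves)]


def solve_challenge(server_nonce: bytes, difficulty: int, n_leaves: int = 8) -> Tuple[int, bytes]:
    """Client side: rebuild the tree with a fresh counter until the root has `difficulty`
    leading zero bits. Expected cost is about 2**difficulty tree constructions."""
    counter = 0
    while True:
        root = merkle_root(_challenge_leaves(server_nonce, counter, n_leaves))
        if leading_zero_bits(root) >= difficulty:
            return counter, root
        counter += 1


def check_solution(server_nonce: bytes, difficulty: int, counter: int, root: bytes,
                   n_leaves: int = 8) -> bool:
    """Server side: exactly one tree construction, however long the client searched."""
    expected = merkle_root(_challenge_leaves(server_nonce, counter, n_leaves))
    return expected == root and leading_zero_bits(root) >= difficulty


if __name__ == "__main__":
    blocks = [b"block-%d" % i for i in range(5)]              # constructed sample data
    root = merkle_root(blocks)
    print("proof for block 3 verifies:", verify_proof(root, blocks[3], merkle_proof(blocks, 3)))
    nonce = b"constructed-server-nonce"                       # per-request nonce, constructed
    counter, pow_root = solve_challenge(nonce, difficulty=12)
    print("client tried", counter + 1, "counters; server accepts:",
          check_solution(nonce, 12, counter, pow_root))
```

Raising `difficulty` by one bit doubles the client's expected work while leaving the server's check unchanged, which is the lever a service would pull under attack; the per-request nonce stops a solution from being computed once and replayed.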

Amazon’s Merkle Tree

Merkle Trees are also used in Proof-of-Work blockchains like Bitcoin, where each block commits to its transactions through a Merkle root. But for now that’s as close as Amazon will get to Bitcoin.

Indeed, with this news it seems Amazon is still of the “blockchain, not Bitcoin” mantra. Earlier this month, the web giant said that AT&T, Accenture, and Nestlé are all using its cloud-based blockchain tools.

Copyright © 2018 Crypto141.com