Articles about 2fa

Facebook users pwnd by phone with account recovery vulnerability

Facebook account recovery using pre-registered mobile numbers is poorly implemented and open to abuse, according to critic James Martindale. Martindale wrote an article on Medium, titled I kinda hacked a few Facebook accounts using a vulnerability they won't fix, highlighting his concerns in a bid to push the social network …
John Leyden, 17 Jul 2017

Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'

A software developer says a thief siphoned cash from his PayPal account – after a dumbass AT&T rep handed control of his cellphone account to a hacker, thus defeating his two-factor authentication. Justin Williams, an iOS code jockey based in Denver, Colorado, said someone was able to dupe an AT&T support tech into assigning …
Shaun Nichols, 10 Jul 2017

LastPass now supports 2FA auth, completely undermines 2FA auth

Password manager LastPass has added a new feature to its software: the ability to store two-factor authentication codes. This is great news. For hackers. Increasingly, people with sense use two-factor auth as a way of ensuring that it is much harder for miscreants to break into their accounts, and to detect if anyone is anyone …
Kieren McCarthy, 19 May 2017

eBay dumps users into insecure authentication mechanism

Web tat bazaar eBay appears to be suggesting its readers adopt known-to-be-insecure practices when logging on to the service. eBay has long offered customers the chance to get their hands on a hard token that generates one-time-passwords. But Krebs on Security reports that a reader received an email from eBay telling customers …
Simon Sharwood, 23 Mar 2017

Aah, all is well in the world. So peaceful, so– wait, where's the 2FA on IoT apps? Oh my gawd

Smart home poster child Nest has stolen a march on the rest of the smart-home industry by adding two-factor authentication to its systems. From Tuesday, owners of Nest products can tie a mobile phone to their account and so require that anyone trying to access their data has to enter a six-digit code sent by text to that …

Netflix US Twitter account hacked

Netflix's US Twitter account was briefly hijacked on Wednesday. The feed was taken over by a hacking group, OurMine, who used the hijack to promote its website and invite Netflix to get in touch. The social media team running the Netflix US Twitter account, which has 2.5 million followers, got off easily. Previous account …
John Leyden, 21 Dec 2016

Standards body warned SMS 2FA is insecure and nobody listened

The US National Institute of Standards and Technology's (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security. Last July NIST declared that sending one-time passwords to mobile phones was insecure. The organisation wrote in its advisory that the likelihood …
Darren Pauli, 6 Dec 2016

PayPal patches bone-headed two factor authentication bypass

Update: PayPal has patched a boneheaded two factor authentication breach that allowed attackers to switch off the critical account control in minutes by changing a zero to a one. British MWR InfoSecurity consultant Henry Hoggart (@_mobisek) discovered and quietly reported the flaw to the payment giant. Attackers with username and …
Darren Pauli, 27 Oct 2016

Hacking mobile login tokens tricky but doable, says reverse-engineer

Mobile apps that generate on-screen tokens for two-factor authentication can be examined and cloned by malware, a security researcher warns. Fraudsters and crooks can take these clones and generate the codes necessary to log in to bank accounts and other online services as their victims. Banks are increasingly relying on …
John Leyden, 2 Sep 2016

US standards lab says SMS is no good for authentication

America's National Institute for Standards and Technology has advised abandonment of SMS-based two-factor authentication. That's the gist of the latest draft of its Digital Authentication Guideline, here. Down in section 5.1.3.2, the document says out-of-band verification using SMS is deprecated and won't appear in future …

Academics claim Google Android two-factor authentication is breakable

Computer security researchers warn security shortcomings in Android/Playstore undermine the security offered by all SMS-based two-factor authentication (2FA). The issue - first reported to Google more than a year ago - revolves around an alleged security weakness rather than a straightforward software vulnerability. The …
John Leyden, 8 Apr 2016

Instagram rolls out two factor authentication

Hipsters and selfie-lovers will enjoy extra security after Instagram added two-factor authentication to its service. The security measure is becoming a de facto standard for protecting user accounts by requiring a code generated on a second device to be entered alongside passwords. Instagram will send a code to user's mobile …
Team Register, 18 Feb 2016

Got a time machine? Good, you can brute-force 2FA

Time-based two-factor authentication tokens, and plug-ins that use them, are only as good as your time signal, and in the right (wrong) circumstances, they can be brute-forced. Security researcher Gabor Szathmari says the problem is that if your 2FA tokens depend on the network time protocol (NTP), it's too easy for a sysadmin …

Boffins nail 2FA with 'ambient sound' login for the lazy

Internet users who think two taps on a smartphone is two taps too much may soon be able to use seamless second factor authentication that verifies a person is in possession of their phone by matching ambient noise sound prints. Researchers Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun of the …
Darren Pauli, 17 Aug 2015

Snapchat slings SMS two-factor authentication

Snapchat has deployed two factor authentication as part of its push to increase security across the popular selfie slinging app. The sexting swap shop allows users to set up SMS log-in verification that makes en-masse account hijacking more difficult, and better protects Snapchat's Snapcash money transfer system. The …
Darren Pauli, 15 Jun 2015

Tesla Twitter account and website hijacked, Elon Musk pwned

The website and Twitter account of carmaker Tesla were hacked over the weekend, as part of what looks like a prank between rival hackers. Elon Musk’s personal Twitter account was also hijacked on Saturday night (US time) by miscreants who at one point claimed to be from the infamous Lizard Squad hacking crew. The name …
John Leyden, 27 Apr 2015

Big Blue securo-bods warn of dire Dyre Wolf AMONG WOLVES

Infosec experts have spotted a nasty variant of a banking malware – dubbed Dyre Wolf – which involves a sophisticated two-factor authentication workaround that has apparently led to the theft of more than $1m from the biz world. Wrongdoers have demonstrated what IBM Security described as "a brazen twist from the once-simple …
Kelly Fiveash, 4 Apr 2015

Yahoo! wheels! out! password! on-demand! service! for! simpletons!

Yahoo! is trialling a service that removes the need to remember your passwords, providing users aren't so absent-minded they don't also lose or mislay their mobile phones. The on-demand password service allows registered users to get a short password sent to their phone. On-demand passwords is an opt-in service, initially only …
John Leyden, 16 Mar 2015
