Articles about 2fa

PayPal patches bone-headed two factor authentication bypass

Update PayPal has patched a boneheaded two factor authentication breach that allowed attackers to switch off the critical account control in minutes by changing a zero to a one. British MWR InfoSecurity consultant Henry Hoggart (@_mobisek) discovered and quietly reported the flaw to the payment giant. Attackers with username and …
Darren Pauli, 27 Oct 2016

Hacking mobile login tokens tricky but doable, says reverse-engineer

Mobile apps that generate on-screen tokens for two-factor authentication can be examined and cloned by malware, a security researcher warns. Fraudsters and crooks can take these clones and generate the codes necessary to log in to bank accounts and other online services as their victims. Banks are increasingly relying on …
John Leyden, 2 Sep 2016

US standards lab says SMS is no good for authentication

America's National Institute of Standards and Technology has advised abandonment of SMS-based two-factor authentication. That's the gist of the latest draft of its Digital Authentication Guideline. Down in section 5.1.3.2, the document says out-of-band verification using SMS is deprecated and won't appear in future …

Academics claim Google Android two-factor authentication is breakable

Computer security researchers warn security shortcomings in Android/Playstore undermine the security offered by all SMS-based two-factor authentication (2FA). The issue - first reported to Google more than a year ago - revolves around an alleged security weakness rather than a straightforward software vulnerability. The …
John Leyden, 8 Apr 2016

Instagram rolls out two factor authentication

Hipsters and selfie-lovers will enjoy extra security after Instagram added two-factor authentication to its service. The security measure is becoming a de facto standard for protecting user accounts by requiring a code generated on a second device to be entered alongside passwords. Instagram will send a code to user's mobile …
Team Register, 18 Feb 2016

Got a time machine? Good, you can brute-force 2FA

Time-based two-factor authentication tokens, and plug-ins that use them, are only as good as your time signal, and in the right (wrong) circumstances, they can be brute-forced. Security researcher Gabor Szathmari says the problem is that if your 2FA tokens depend on the network time protocol (NTP), it's too easy for a sysadmin …

Boffins nail 2FA with 'ambient sound' login for the lazy

Internet users who think two taps on a smartphone is two taps too much may soon be able to use seamless second factor authentication that verifies a person is in possession of their phone by matching ambient noise sound prints. Researchers Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun of the …
Darren Pauli, 17 Aug 2015

Snapchat slings SMS two-factor authentication

Snapchat has deployed two factor authentication as part of its push to increase security across the popular selfie slinging app. The sexting swap shop allows users to set up SMS log-in verification that makes en-masse account hijacking more difficult, and better protects Snapchat's Snapcash money transfer system. The …
Darren Pauli, 15 Jun 2015

Tesla Twitter account and website hijacked, Elon Musk pwned

The website and Twitter account of carmaker Tesla were hacked over the weekend, as part of what looks like a prank between rival hackers. Elon Musk’s personal Twitter account was also hijacked on Saturday night (US time) by miscreants who at one point claimed to be from the infamous Lizard Squad hacking crew. The name …
John Leyden, 27 Apr 2015

Big Blue securo-bods warn of dire Dyre Wolf AMONG WOLVES

Infosec experts have spotted a nasty variant of a banking malware – dubbed Dyre Wolf – which involves a sophisticated two-factor authentication workaround that has apparently led to the theft of more than $1m from the biz world. Wrongdoers have demonstrated what IBM Security described as "a brazen twist from the once-simple …
Kelly Fiveash, 4 Apr 2015

Yahoo! wheels! out! password! on-demand! service! for! simpletons!

Yahoo! is trialling a service that removes the need to remember your passwords, providing users aren't so absent-minded they don't also lose or mislay their mobile phones. The on-demand password service allows registered users to get a short password sent to their phone. On-demand passwords is an opt-in service, initially only …
John Leyden, 16 Mar 2015

Authy 2FA app popped by simple, secret, code

Attackers could bypass the Authy two factor authentication (2FA) system by typing a phrase in a token field. Authy's apps make it possible for punters to log in to services like Gmail, Dropbox and Facebook, or even Amazon Web Services, with a one-time password sourced from an app. But prior to the advent of a patch issued 8 …
Darren Pauli, 16 Mar 2015

Hey, NUDE CELEBS! Apple adds SWEET 2FA to iMessage, Facetime

Apple has activated a two-factor authentication (2FA) system for Facetime and iMessage, extending the service to beyond iCloud accounts in a move that it hopes will help secure its communications platforms. The feature has become effective immediately, meaning any attempt to activate the services on a new device would first …
Team Register, 13 Feb 2015

CommBank app leaks 2FA tokens says Sydney dev

Sydney programmer Stuart Ryan has chipped Australia's dominant retail bank, the Commonwealth Bank, for allowing two factor authentication codes to be viewable on locked iPhones. The bank sends authentication tokens over push notifications on iOS devices, rather than SMS for users who had activated the second factor account log …
Darren Pauli, 12 Feb 2015

JPMorgan Chase mega-hack was a simple two-factor auth fail

Hackers broke into JPMorgan's network through a giant security hole left open by a failure to switch on two-factor authentication on an overlooked server. The New York Times reports that technicians at JPM had failed to upgrade one of its network servers, meaning that access was possible without knowing a combination of a …
John Leyden, 23 Dec 2014

Lucky you. Twitter offers you its 'Digits' (for mobe app sign-ins)

Twitter's launch of a service that provides a new way to sign up to apps without using passwords has received a cautious welcome from security experts. The new service, Digits, is designed to offer application developers a simpler, password-free login option for their mobile applications. The utility is designed to fit into …
John Leyden, 24 Oct 2014

NUDE SELFIE CLOUD PERV menace: Apple 2FA? Sweet FA, more like

Apple’s two-factor authentication doesn't actually protect iCloud backups or photo streams, contrary to what many iPhone and iPad fondlers might wish to believe. Scores of (mostly female) celebrities, including Oscar winner Jennifer Lawrence, had their iCloud hacked before miscreants siphoned off private nude snaps which …
John Leyden, 3 Sep 2014

Apple's two-factor security isn't as good as Microsoft or Google's, say experts

Apple's two-factor authentication system does not protect users' private files backed up to the iCloud, it is claimed. Fanbois have been able to secure their Apple accounts with a two-step login process since March: these accounts are important because they are used to bung or retrieve backups into and out of Cupertino's …
John Leyden, 31 May 2013


Biting the hand that feeds IT © 1998–2018