2 factor authentication bypassed

prime
Community Member
edited May 2018 in Lounge

Comments

  • pervel
    Community Member

    If I understand the article correctly, the hacker didn't, strictly speaking, bypass any authentication at all. Rather, he tricked the victim into doing the authentication on behalf of the hacker. I think the lesson is that with clever and targeted social engineering there will always be ways for hackers to steal people's data somehow. Though technology can help a lot, users also need to be educated about the dangers of social engineering such as phishing.

  • AGAlumB
    1Password Alumni
    edited May 2018

    It's essentially a very sophisticated phishing scam, with the fake website serving as a frontend to a legitimate one. This is why I go a little crazy when people claim that 2FA will protect them from these kinds of attacks. But it doesn't change the fundamental risk; the attacker just needs the code in a more timely fashion. So I think it's actually worse for our security to have an undeserved level of faith in 2FA, rather than appreciating it only for the security it does in fact offer.

    Indeed, most security measures can be bypassed through human means. We try to minimize this with 1Password by using encryption instead of authentication as the foundation of 1Password's security...but of course if someone can trick us into giving them our Master Password (or entering it for them, if we're using 1Password on a compromised machine), they will be able to access the data just as we can. Social engineering attacks are scary, but if we're vigilant and practice skeptical computing, we're less at risk than if we just enter our password anywhere without thinking.

  • prime
    Community Member

    @brenty

    Indeed, most security measures can be bypassed through human means. We try to minimize this with 1Password by using encryption instead of authentication as the foundation of 1Password's security...but of course if someone can trick us into giving them our Master Password (or entering it for them, if we're using 1Password on a compromised machine), they will be able to access the data just as we can. Social engineering attacks are scary, but if we're vigilant and practice skeptical computing, we're less at risk than if we just enter our password anywhere without thinking.

    This is why I tell people if they get an email “they want to add you as a friend” I’ll go on the site either through the app, or log in manually to check.

  • AGAlumB
    1Password Alumni

    Indeed. Terrifying. Better safe than sorry. :dizzy:

  • Ben.S
    Community Member

    I wouldn’t call that a “new exploit”. That’s a tactic that’s been used for quite some time. It’s only natural that hackers would also proxy 2FA requests as well. Another example of why I stopped following TechCrunch a long time ago.

  • AGAlumB
    1Password Alumni

    @Ben.S: I think they say that to get more clicks and therefore more advertising revenue. :tongue:

    But in all seriousness, it is worth sharing because a lot of people believe that "2FA" protects them when using compromised machines, or from person-in-the-middle attacks. That's unfortunately still a common belief, when clearly someone in that position can just as easily capture the one-time password and use it too. :(
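The two points AGAlumB makes above (a relayed one-time code is just as good as the real one as long as it is used "in a timely fashion", and the only real defence is making sure credentials go to the genuine site) can be made concrete. The following is an added illustration written for this thread; it is not code from the original discussion and not 1Password's implementation. It computes RFC 6238 TOTP codes with the RFC's published test key (labelled as a constructed demo secret), shows how long a freshly captured code remains valid under a typical server verification window, and models the "log in on the real site" advice as a hypothetical `should_fill` autofill policy that only releases credentials over HTTPS to the saved host or one of its subdomains, so a look-alike host such as `accounts.example.com.evil.test` gets nothing. All origins, function names and the skew window are assumptions for the example.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlsplit

# Constructed demo secret: the RFC 6238 reference-vector key, not any real account's seed.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check (assumed policy): accept the current step plus `skew_steps`
    on either side. That tolerance is exactly the window in which a code handed to a
    phishing front-end is still accepted by the real site."""
    current = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, current + d), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def relay_window_demo(secret: bytes, captured_at: int) -> dict:
    """For a code generated at `captured_at`, report whether the server still accepts it
    after each delay in seconds. Demonstrates why the code must be used immediately."""
    code = totp(secret, captured_at)
    return {delay: verify_totp(secret, code, captured_at + delay) for delay in (0, 25, 120)}


def should_fill(saved_origin: str, page_origin: str) -> bool:
    """Hypothetical autofill policy modelling the 'only log in on the real site' advice:
    release credentials only over HTTPS and only when the page host equals the saved host
    or is a subdomain of it. A host that merely contains the saved name
    (accounts.example.com.evil.test) does not match."""
    saved = urlsplit(saved_origin)
    page = urlsplit(page_origin)
    if page.scheme != "https":
        return False
    saved_host = (saved.hostname or "").lower().rstrip(".")
    page_host = (page.hostname or "").lower().rstrip(".")
    if not saved_host or not page_host:
        return False
    return page_host == saved_host or page_host.endswith("." + saved_host)


if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SECRET, 59))
    print("accepted after delay (s):", relay_window_demo(DEMO_SECRET, 59))
    for origin in (
        "https://accounts.example.com/login",
        "https://accounts.example.com.evil.test/login",
        "http://accounts.example.com/login",
    ):
        print(origin, "->", should_fill("https://accounts.example.com", origin))
```

Running it shows the code accepted at 0 and 25 seconds after capture but rejected at 120 seconds, which is the whole reason a proxying phishing page must relay the code in real time rather than store it. The `should_fill` check is the complementary defence: the code is only ever typed into a form the password manager was willing to fill, and a host that is not the saved site or a subdomain of it, or that is served over plain HTTP, is refused regardless of how convincing the page looks.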
