Wednesday, October 4, 2023
LetsAskBinu.com
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things
No Result
View All Result
LetsAskBinu.com
No Result
View All Result
Home Cybersecurity

Why 2FA is failing and what should be done about it

Researcher by Researcher
September 26, 2022
in Cybersecurity
0
Why 2FA is failing and what should be done about it
189
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


Jack Wallen details a recent hack and why he believes one aspect of two-factor authentication is part of the problem.

cyber security in two-step verification, Login, User, identification information security and encryption, Account Access app to sign in securely or receive verification codes by email or text message.
Image: THAWEERAT/Adobe Stock

Recently, my PayPal account was hacked, and it’s not the first or second time it’s happened. Fortunately, I have enough alerts set up to catch these things fairly quickly and act on them, but that doesn’t mean all is well. It’s not. I know it’s only a matter of time before another account is hacked.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

At this point, you’re probably thinking: “Why doesn’t he use a strong password and two-factor authentication on those accounts?” My answer: I do. All of my accounts are protected by passwords I couldn’t even think about memorizing, generated by a random password generator. Every account I use has 2FA enabled.

But not all 2FA setups are built the same. Let me explain: Of all the accounts I have — and, like you, they are many — only one configuration ever gets hacked. That configuration is 2FA sent over SMS. The accounts using 2FA via a password app like Authy or Google’s Authenticator have never had any problems.

But those SMS 2FA accounts have been nothing but problems. Why is this an issue? Simply put, when those 2FA codes are submitted via SMS text, they can be intercepted by the wrong people. If they already have your login credentials, the SMS text is the missing piece. Once they can intercept that code, they have the keys to the kingdom and lay waste to all that awaits them.

Must-read security coverage

2FA via an authenticator app isn’t nearly as simple to crack. The problem is that a lot of institutions — especially banks — fail to see this vulnerability and continue going about the business of using an inferior security mechanism.

Believe it or not, I get it. Many organizations understand that getting users to enable 2FA is already a losing proposition. Most consumers don’t want to have to deal with the fiddly bits of requesting a code, waiting and then typing it. These are the same people still using “password123” for their login because they want everything to be as simple as possible.

Again, I understand: Life is already complicated enough without having to jump through even more hoops to do something that should be simple. But if you want to keep your data and money safe from those whose only task is to take it, strong passwords and added security are a must. It’s just so disheartening to know that many important institutions are still relying on less-than-secure technology.

An interesting and important position

The thing is, these organizations are in a rather interesting and important position. Say, for example, that Bank X decides it’s had enough of accounts being hacked and put in place two things: Strong password requirements and authenticator app-style 2FA. Any customer of that bank would have to implement those two things immediately. Yes, there would be a kerfuffle over the change, but eventually, everyone would accept it and move on with the improved security. Soon enough, the ritual of logging in to an account would become second nature and the complaints would cease.

Bank X would have successfully helped its customers understand that a couple of extra steps are worth the added security. By leveraging auth apps over SMS codes, the bank heightens the security of their organization and hopefully slows down the number of hacks that occur.

No, it’s not perfect, and even authy-type 2FA can be hacked, but they aren’t hacked at nearly the level of SMS 2FA. Knowing that, it never ceases to amaze me that so many websites and services still depend on SMS 2FA codes.

It’s time banks and other important services dropped SMS 2FA codes and migrated users to authorization app-type 2FA.

What should consumers do?

As far as consumers and users are concerned, if given the option between SMS and app-based 2FA, always go with the app-based option. By going that route, you don’t have to worry that your time-based 2FA code will be transmitted across the ether for someone to snoop on and use against you.

This should be instituted across the board with zero exceptions — at least until someone comes up with a more reliable, secure form of multi-factor authentication. Otherwise, accounts are going to continue to be hacked at an increasingly alarming rate.

To every bank, service and social networking site I would say this: It’s long past time for you to institute better security. Yes, there is a steeper learning curve to app-based 2FA codes, but most consumers and users would acclimate fairly quickly to the method if given a reason. And if any bank thinks a consumer is going to leave your institution because of an improved security policy, you’ve clearly never moved from one bank to another.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.



Source link

Related articles

Sentra Raises $30 Million for DSPM Technology

Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach

August 13, 2023
Minimizing Risk Through Proactive Apple Device Management: Addigy

Minimizing Risk Through Proactive Apple Device Management: Addigy

August 12, 2023
Tags: 2FAfailing
Share76Tweet47

Related Posts

Sentra Raises $30 Million for DSPM Technology

Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach

August 13, 2023
0

Northern Ireland’s top police officer apologized Thursday for what he described as an “industrial scale” data breach in which the...

Minimizing Risk Through Proactive Apple Device Management: Addigy

Minimizing Risk Through Proactive Apple Device Management: Addigy

August 12, 2023
0

Enterprise IT teams are struggling to cope with three major forces of change: the evolving regulatory environment, a globally dispersed...

Decipher Podcast: Katelyn Bowden and TC Johnson

Decipher Podcast: Katelyn Bowden and TC Johnson

August 12, 2023
0

Veilid main site: https://veilid.com/ Cult of the Dead Cow site: https://cultdeadcow.com/ Source link

In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack 

In Other News: macOS Security Reports, Keyboard Spying, VPN Vulnerabilities

August 12, 2023
0

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under...

Used Correctly, Generative AI is a Boon for Cybersecurity

Used Correctly, Generative AI is a Boon for Cybersecurity

August 12, 2023
0

Adobe stock, by Busra At the Black Hat kickoff keynote on Wednesday, Jeff Moss (AKA Dark Tangent), the founder of...

Load More
  • Trending
  • Comments
  • Latest
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 15/03

March 15, 2022
Supply chain efficiency starts with securing port operations

Supply chain efficiency starts with securing port operations

March 15, 2022
Microsoft to Block Macros by Default in Office Apps

Qakbot Email Thread Hijacking Attacks Drop Multiple Payloads

March 15, 2022
QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

March 15, 2022
Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Beware! Facebook accounts being hijacked via Messenger prize phishing chats

0
Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

0
Remote work causing security issues for system and IT administrators

Remote work causing security issues for system and IT administrators

0
Elementor WordPress plugin has a gaping security hole – update now – Naked Security

Elementor WordPress plugin has a gaping security hole – update now – Naked Security

0
Browse Safer and Faster Around the World with JellyVPN for just $34.99

Browse Safer and Faster Around the World with JellyVPN for just $34.99

October 3, 2023
Hackers Steal User’s Database From European Institute

Hackers Steal User’s Database From European Institute

October 3, 2023
Hackers Bypass Cloudflare Firewall & DDoS using Cloudflare

Hackers Bypass Cloudflare Firewall & DDoS using Cloudflare

October 2, 2023
AWS Honeypot to Disrupt Threat Actors

AWS Honeypot to Disrupt Threat Actors

October 2, 2023

Recent Posts

Browse Safer and Faster Around the World with JellyVPN for just $34.99

Browse Safer and Faster Around the World with JellyVPN for just $34.99

October 3, 2023
Hackers Steal User’s Database From European Institute

Hackers Steal User’s Database From European Institute

October 3, 2023
Hackers Bypass Cloudflare Firewall & DDoS using Cloudflare

Hackers Bypass Cloudflare Firewall & DDoS using Cloudflare

October 2, 2023

Categories

  • Cyber Threats
  • Cybersecurity
  • Fintech
  • Hacking
  • Internet Of Things
  • LetsAskBinuBlogs
  • Malware
  • Networking
  • Protection

Tags

Access attack Attacks banking BiWeekly bug Cisco cloud code critical Cyber Cybersecurity Data Digital exploited financial Fintech Flaw flaws Google Group Hackers Krebs Latest launches malware Microsoft million Network News open patches platform Ransomware RoundUp security services Software Stories TFT Threat Top vulnerability warns Week

© 2022 Lets Ask Binu All Rights Reserved

No Result
View All Result
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things

© 2022 Lets Ask Binu All Rights Reserved