Pardon the Intrusion #20: SMS authentication needs to go

Subscribe to this bi-weekly newsletter here!

Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

I’ve said it before, and I’ll say it again: if you are going to secure your accounts using two-factor authentication (2FA), then using SMS is a bad idea. Not only has it been proven insecure, it’s also susceptible to SIM-swapping attacks.

But relying on SMS can also have other unintended consequences. Case in point: just earlier this week, US telecom provider T-Mobile suffered a nationwide outage, hampering calls and text messages for almost an entire day. (Data connections however continued to work.)

Although the root has been since identified and blamed on a fiber-optic circuit failure from an unnamed third-party provider, the fact is that SMS messages were considerably delayed, making it difficult for those who enabled SMS-based 2FA to access apps and websites.

“I tried to login to my amazon, my Google, and my universities [sic] account, all three of which have 2FA,” posted a user on Reddit. “With all three, the text message 2FA have been delayed by minutes or not arrived at all. Additionally on my Google account I have it set up to receive a 2FA phone call, but the call never came through.”

So what should you do? Now would be good time as any to switch to token-based authenticator apps like Authy or Aegis, or a hardware key to avoid such hassles, and for companies to ditch SMS authentication altogether.

While going passwordless may still take some time, it feels more like a possibility than ever before. Let’s hope it happens sooner rather than later.

What’s trending in security?

Hackers continue to improvise by exploiting contact-tracing apps to spread malware, while ransomware attacks on organizations cripple critical infrastructure. In another major development, it emerged that Facebook helped the FBI nab a child predator by paying a cybersecurity firm to develop a zero-day exploit. And for a bit of happy news, Zoom reversed course and said will it offer end-to-end encryption to all users, both paid and free, starting next month.

  • Facebook helped law enforcement by paying a cybersecurity firm six figures to develop a tool that exploited a zero-day flaw in privacy-oriented operating system, Tails. This was part of an effort to identify a man who extorted and threatened minors.

    • I have mixed feelings about this. Ethical issues aside, child safety is a grave issue, and it’s good Facebook helped. But it’s worth noting that Tails was kept in the dark about the flaw, and it’s not known if the FBI reused the exploit for other investigations. The takeaway: transparency is key. [Motherboard]
  • Chinese police are gathering blood samples from the country’s roughly 700 million men and boys with the purpose of building a national genetic database of their DNA. They also want to be able to “track down a man’s male relatives using only that man’s blood, saliva or other genetic material.” [The New York Times]
  • Cybersecurity experts revealed 19 vulnerabilities, called Ripple20, in a library designed in the 90s that has been widely used and integrated into billons of internet connected devices in the last 20 years. Patches are now available. [The Hacker News]
  • Remember when Wikileaks published the CIA’s list of top-secret hacking tools (dubbed Vault 7) in 2017? We now know how it was leaked: The agency’s hacking arm known as the CCI (Center for Cyber Intelligence) “prioritized building cyber weapons at the expense of securing their own systems.” [The Washington Post]
  • The Dark Basin group, known to be behind thousands of phishing and malware attacks, has been traced back to India-based “ethical hacking” firm BellTroX InfoTech Services that works on behalf of commercial clients. [Reuters / Citizen Lab]
  • Researchers have proposed privacy “nutrition” labels for IoT devices to give owners a better idea of how secure they are, how they manage user data, and the privacy controls they come with. [WIRED]

  • An analysis of the top 54 open source projects found that security vulnerabilities in these tools doubled in 2019, going from 421 bugs reported in 2018 to 968 last year. [ZDNet]
  • Apple has open-sourced a new project for developers of password management apps to help create strong passwords compatible with popular websites. [Apple]
  • A researcher proved it was dead simple to view, edit, and delete sensitive health information for hundreds of thousands of patients across India. [InfoSec Write-ups]
  • Eavesdropping just got a lot easier, and more sophisticated. Using a technique called “Lamphone,” a spy can potentially listen to your conversations by just watching a hanging lightbulb in the room. [The Hacker News]
  • IBM stopped selling facial recognition technology to law enforcement, while Microsoft said it would stop only until there’s federal law regulating its use. Amazon, for its part, declared a one year freeze on law enforcement’s use of its facial recognition technology, dubbed Rekognition, following concerns that it could be abused, and stifle civil rights and privacy. [Slate]

  • Nintendo revealed an additional 140,000 accounts were compromised in a data breach that happened in April, taking the total to 300,000. [CNET]
  • Intel’s new CPUs will have anti-malware defenses directly built into them, thanks to a Control-Flow Enforcement Technology jointly developed by the company and Microsoft. [Ars Technica]
  • Hacking group POISON CARP (aka Evil Eye or Earth Empusa) is now targeting Uyghurs with a new Android malware called ActionSpy to snoop on their instant messages. The group was previously found targeting Tibetans last September. [Trend Micro]
  • Postbank, the banking division of South Africa’s Post Office, is set to replace about 12 million cards after the bank’s encrypted master key was exposed in plaintext at one of its data centers. The rogue employees, suspected to be behind the breach, used the key to make make more than 25,000 fraudulent transactions, stealing more than $3.2 million from customers. [ZDNet]
  • The fortnight in breaches, leaks, and ransomware attacks: Babylon Health, Conduent, Alabama’s Florence city, Honda, Tennessee’s Knoxville city, Life Healthcare, chipmaker MaxLinear, Tait, and a number of niche dating apps.

Data Point

Kaspersky’s Explicit content and cyberthreats report released this week found that the number of users attacked due to mobile porn-related threats doubled from 19,699 in 2018 to 42,973 in 2019. “Adware, software that’s used to show and redirect users to unwanted advertising pages, remained in first place in terms of variety, with a fifth (19%) of malicious files being AdWare installers,” the report said, with Trojans and other banking malware rounding up the top threats.


Takeaway: With users increasingly shifting to mobile devices for day-to-day use, it’s no surprise that hackers are jumping on this trend to spread malware. “With cybercriminals able to cross-reference various leaked databases of users, they are able to make more informed decisions on who to target and how, making sextortion and scamming more effective,” Kaspersky researchers warn.

If there’s anything to note here, it’s that one needs to be more careful than ever when visiting websites online, and be on the lookout for spear-phishing and other email scams.

That’s it. See you all in two weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)

Read next:

iPhone maker Foxconn wants to expand its manufacturing presence in India

Celebrate Pride 2020 with us this month!

Why is queer representation so important? What’s it like being trans in tech? How do I participate virtually? You can find all our Pride 2020 coverage here.

Source link