Here I was, just got home, looked at Twitter and saw that John McAfee had posted a few videos discussing the BitFi wallet, the "unhackable" cryptocoin wallet. The date was 2nd August 2018 and the BitFi wallet was being hacked! I mean, the device was really being torn apart: it had been investigated, rooted, cast onto other devices, etc. But this blog isn't about that; it's about Two-Factor Authentication (2FA).
I watched one of his videos, and around about a minute into the video John says, and I quote,
"...and if you are using two factor authentication you are an idiot. So more than one way of, of securing something is not necessarily secure."
This made me think. And rub my chin. And think a bit more. Did he really say that?!? Seriously though, did he??? He comes out with some wacky things but...!!! I was gob-smacked!
I put the video back and yes, that's exactly what he said! So 2FA is only used by idiots is it?!?
This was a stupid thing to say in my opinion. In a nutshell he says that because he was hacked, then it makes no difference how many layers of security you use.
This is ridiculous. He was hacked because he was the victim of a SIM swapping hack. This is where the attacker manages to talk to the mobile carrier of their victim and convince them to move the mobile account of their victim onto a SIM card which is in their possession.
Once the SIM swap has taken place, the attacker can then use this SIM to bypass the second piece of information required to successfully log into system x (by "system x", I mean x as in it can be any system, such as Twitter in McAfee's case, not "System X" the digital phone exchange, or the DJ).
Now, this causes a problem. Two-Factor Authentication DOES work, but it only works properly when both factors are secure. SIM swapping hacks bring the use of SIM services as a secure factor into a bit of disrepute.
In the case of Twitter, they use SMS messaging as a second factor.
Should we use it to protect our account? Yes! Yes we should! And this goes for all those other systems that implement a SIM factor.
Think about it. SIM swapping hacks may be getting more popular, but these can be remedied by you (yes, YOU) taking a little action and ringing your mobile provider to set up a PIN or passphrase on your account that would need to be used in order to swap a SIM. Do it. Do it now! It (probably) won't take long. Once done, it's good to say you are protected against SIM swap hacks, but, as with all security, there is no such thing as a 100% secure system.
In my opinion, the best 2FA devices are those such as RSA tokens, and soft tokens such as Google Authenticator. But, like anything else, these can be lost or stolen. Similarly, a user can give up his password to a violent, threatening attacker.
Every layer of security that you add to a system makes it harder for the attacker to get through.
So Mr. McAfee, you are wrong: people are not idiots for using 2FA. If set up properly, two-factor authentication is an excellent way to help keep access to your systems and accounts secure.
@M_C_Stott