
Two-Factor Authentication

Here I was, just got home, looked at Twitter and saw that John McAfee had posted a few videos discussing the BitFi wallet, the "unhackable" cryptocoin wallet. The date was 2nd August 2018 and the BitFi wallet was being hacked! I mean, the device was really being torn apart: it had been investigated, rooted, cast onto other devices, etc., but this blog isn't about that, it's about Two-Factor Authentication (2FA).
I watched one of his videos, and about a minute in, John says, and I quote:

"...and if you are using two factor authentication you are an idiot. So more than one way of, of securing something is not necessarily secure."

This made me think. And rub my chin. And think a bit more. Did he really say that?!? Seriously though, did he??? He comes out with some wacky things but...!!! I was gob-smacked!
I put the video back and yes, that's exactly what he said! So 2FA is only used by idiots is it?!?

This was a stupid thing to say in my opinion. In a nutshell, he says that because he was hacked, it makes no difference how many layers of security you use.

This is ridiculous. He was hacked because he was the victim of a SIM swapping attack. This is where the attacker talks to the victim's mobile carrier (or bribes someone inside it) and convinces them to move the victim's phone number onto a SIM card that is in the attacker's possession. Nothing on the victim's handset is touched; the carrier simply re-points the number.
Once the SIM swap has taken place, every call and text for that number goes to the attacker, so they receive the SMS one-time code (and any password-reset text) and can supply the second piece of information required to log into system x (by "system x", I mean x as in it can be any system, such as Twitter in McAfee's case, not "System X" the digital phone exchange, or the DJ).

Now, this causes a problem. Two-Factor Authentication DOES work, but it only works properly when both factors are secure. An SMS code is tied to a phone number, and a phone number is something the carrier can reassign to anyone who passes its account checks, so the factor is only as strong as the carrier's front-line process. SIM swapping attacks have therefore brought the use of SMS as a secure factor into a bit of disrepute.

In the case of Twitter, they use SMS messaging as a second factor.
Should we use it to protect our account? Yes! Yes we should! A password plus an SMS code still defeats the attacker who has only the password (from a breach, a phish or a reused credential), which is by far the common case. And this goes for all those other systems that implement an SMS factor.

Think about it. SIM swapping attacks may be getting more popular, but you (yes, YOU) can raise the bar against them by taking a little action: ring your mobile provider and set up a PIN or passphrase on your account that must be given before a SIM swap or number port is allowed. Do it. Do it now! It (probably) won't take long. Once done, a SIM swap requires more than a plausible story to a call-centre agent, although, as with all security, there is no such thing as a 100% secure system; the PIN is only as good as the carrier's staff being made to enforce it.

In my opinion, the best second factors are those that do not depend on the phone network at all: hardware tokens such as RSA SecurID and soft tokens such as Google Authenticator. These generate a one-time code from a secret shared with the service at enrolment and the current time (TOTP), so there is nothing travelling over SMS for a SIM swap to intercept. But, like anything else, a token can be lost or stolen, and a user can be made to give up a password by a violent, threatening attacker.
Every layer of security that you add to a system makes it harder for the attacker to get through.

So Mr. McAfee, you are wrong, people are not idiots for using 2FA. If set up properly, two-factor authentication is an excellent way to help keep access to your systems and accounts secure.


@M_C_Stott
