
2-Factor auth vulnerable to social engineering attack


Please refer to this article. In one line, it says "if your service uses 2-factor auth based on SMS (which Evernote does), you are vulnerable to have your phone number transferred and your 2-factor bypassed" 

https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/#4a2abe6f360f

Suggested quick fix: Let users modify their phone number to 000-000-0000 if they are concerned. 

  • Level 5*
23 minutes ago, happycheese said:

Please refer to this article. In one line, it says "if your service uses 2-factor auth based on SMS (which Evernote does), you are vulnerable to have your phone number transferred and your 2-factor bypassed" 

https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/#4a2abe6f360f

Suggested quick fix: Let users modify their phone number to 000-000-0000 if they are concerned. 

The article does mention Evernote and "the websites of banks and countless other web services", which kinda suggests the author is pointing out a fundamental vulnerability of current market-standard protections. It doesn't mention the idea of reverting phone numbers to all zeros, which at first glance seems most likely to lock users out of their own accounts under 2-factor auth.

I'd doubt anyone from Evernote is likely to comment on this because any enquiry about security protections might in itself be social engineering, in that any discussion reveals details that might at some stage be useful to an 'unfriendly' audience...


Indeed, for the guileless, careless, uninformed people the number of risks have increased.

But in the same way as carrying a fat wad of banknotes around was by no means particularly safe in the old days, so can any modern form of transaction become hazardous. Bitcoin transactions would be one way of going wrong. Same as not ignoring spam mails with links to fraudulent sites.

All banks, insurance companies, traders etc. repeatedly warn against following links given in such mails/messages, because under no circumstances would any of them contact you for account verification in that way.

Nobody would be surprised to have the home emptied of all valuables if access is made just too easy.

Using brain.exe is the only guard that generally works very well against perils in the sky :-)

Forbes, though widely known and read, to me is just another rag; in other words, not everything published must be taken literally.

  • 2 weeks later...

I think you guys are missing the point. This is not a phishing scam or an attack that relies on user stupidity/negligence. This is about "hackers" who know your Evernote password and just enough about you, say your home address and whatever else Verizon representatives use to authorize you. The "hackers" can then transfer your phone number and request SMS codes. I guess you can claim that getting the user password relies on phishing, but the point is that Evernote Security can plug this security hole with either Google Authenticator (slightly more secure) or FIDO U2F keys (phishing proof).

On 6/12/2017 at 8:12 AM, happycheese said:

Please refer to this article. In one line, it says "if your service uses 2-factor auth based on SMS (which Evernote does), you are vulnerable to have your phone number transferred and your 2-factor bypassed" 

https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/#4a2abe6f360f

Suggested quick fix: Let users modify their phone number to 000-000-0000 if they are concerned. 

Well, isn't this a known factor no matter which app? If you use SMS as a 2-factor authenticator, it is not safe. :o So it has been recommended to use Google Authenticator or U2F.

Sorry if this feels like an insult to anybody.

  • Level 5*

I'm not offended as such, but still unsure why changing your phone number to all zeros makes a difference. That in itself feels like social engineering: encouraging users to shoot themselves in the foot for 'security' reasons. And nothing online can be totally safe. If one person can get to it, a black hat can always pretend to be that person to gain access. There's a subjective trade-off which only individual users can make: ease of access vs security.

  • 2 weeks later...

Hi @happycheese, I lead the security team here at Evernote and am happy to discuss how we are thinking about this attack vector. We do support TOTP codes with Google Authenticator, but don't give you a way to disable SMS delivery.

Internally, we've discussed U2F support with our product teams and it is in our backlog, but we don't have any plans to implement support right now.

We don't have any plans to let you disable SMS authentication as a backup to your code generator, but will consider it. We probably wouldn't do that by default, but would make it an option for users that want to protect their account against the type of mobile number takeover attacks described in the article. We still think that using SMS for delivering 2-factor codes is an improvement over not having 2-factor enabled at all. It also strikes a good balance between securing your account and not locking you out of it. Most code generator apps don't back up the secret keys, so if you lose or wipe your phone and didn't print out your backup codes, you are stuck.

I suggest following the recommendations in the Forbes article. Even if we address this specific threat model, there will always be another service that doesn't and protecting your mobile number better secures all of them.
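As an added illustration of the code-generator alternative discussed above (this is not Evernote's code and nothing from the thread): a minimal RFC 6238 TOTP generator and verifier plus single-use backup codes. It shows that the authenticator secret lives on the device and the verification never touches a phone number, that replayed codes are rejected, and why printed backup codes are the recovery path when the phone is lost or wiped. The code format (8 hex characters) and the drift window of one step are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # code length used by Google Authenticator

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, at=None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). No phone number involved."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP_SECONDS)

def verify_totp(secret: bytes, code: str, at=None, window: int = 1, last_used_counter: int = -1):
    """Accept the code for the current step or +-window steps (clock drift). Returns the
    matched counter so the caller can persist it and refuse replays; None on failure."""
    at = int(time.time()) if at is None else at
    base = at // STEP_SECONDS
    for counter in range(base - window, base + window + 1):
        if counter <= last_used_counter:
            continue  # already-used (or older) step: a captured code must not work twice
        if hmac.compare_digest(hotp(secret, counter), code):  # constant-time compare
            return counter
    return None

def new_backup_codes(n: int = 5):
    """One-time recovery codes (assumed format: 8 hex chars). The plaintext list goes to the
    user to print; the service keeps only the hashes. These get you back in without the phone."""
    codes = [secrets.token_hex(4) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored

def redeem_backup_code(stored: set, code: str) -> bool:
    """Consume a backup code: valid only if present, and removed so it cannot be reused."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)
        return True
    return False
```

The service must store the counter returned by verify_totp and pass it back as last_used_counter on the next attempt; otherwise a code observed in transit stays valid for the whole window.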
