Wednesday, 22 June 2016

On 05:49 by admin
According to information disclosed by security personnel, an attacker can now pose as Google technical staff and send the target user a fake SMS requesting a two-factor authentication code, in order to gain access to the target account. Although the attacker only needs to obtain the target user's two-factor authentication code during this attack, they also need the target account's user name and password; both of these can be obtained from earlier database leaks.

Alex MacCaw, a company co-founder, posted on Twitter at 7:08 on June 5, 2016: "Please note that hackers can now bypass Google's two-factor authentication mechanism to carry out attacks on users."

First, the attacker sends the target user a text message that looks like the one shown in the picture. This message can deceive the target user into believing that the warning was sent by Google, because Google sends such a message to alert the user only when someone else is trying to log into their account. The fake message used by the attacker is consistent in content with the official message Google sends. The attacker does not ask the target user for the two-factor authentication code in order to regain access to the account; instead, the message asks the user to provide the two-factor authentication code in order to temporarily lock the account.

The attacker then enters the user name and password and only has to wait for the two-factor authentication code. Under Google's requirements, the user account is bound to the user's mobile device. As a result, once the user receives the 2FA code and sends it to the attacker, the attacker gains access to the target account. Security experts currently recommend that users ignore all such SMS messages; as long as the user ignores them, the attacker still cannot log into the user's account. However, if the target user sends the two-factor authentication code they received to the attacker, the attacker gains access to the target user's email account. Obviously, the attackers are using social engineering techniques.

It is understood that this attack was discovered and reported internally at the company. Currently, users can use two main methods to avoid such attacks. First, unless you are in the middle of a login yourself, do not reply to any such text message. Second, and most importantly, Google's technical staff will never ask users to provide a two-factor authentication code. Moreover, a two-factor authentication code is used to gain access to an account, not to lock it.
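As an added example (not from the original post), a small Python heuristic that applies the two rules above to inbound SMS text: a message that asks the recipient to send a code back, or to use it to lock an account, is flagged as phishing, and a genuine-looking code that arrives while no login is in progress is flagged as suspicious because it means someone else has entered the password. The sample messages are constructed, not real Google text.

```python
import re

# Constructed sample SMS messages for illustration; none is real Google text.
SAMPLE_MESSAGES = [
    ("Google", "G-482913 is your Google verification code."),
    ("+15550100", "Google has detected an unauthorized login to your account. "
                  "Reply with the verification code you just received to temporarily lock your account."),
    ("Google", "Your Google verification code is 291837. Do not share it with anyone."),
    ("+15550199", "Google Security: send us the 6-digit code to confirm it was not you."),
]

# A genuine login-verification SMS delivers a code to be typed into the sign-in page;
# it never asks the recipient to send the code anywhere. These patterns catch that ask.
CODE_REQUEST_PATTERNS = [
    r"\b(reply|respond|send|forward|text)\b.*\b(code|pin)\b",
    r"\b(code|pin)\b.*\b(reply|respond|send|forward|text)\b",
]
# The lure described above: the code is supposedly needed to lock or protect the account.
LOCK_LURE_PATTERN = r"\b(lock|freeze|suspend|protect)\b.*\baccount\b"
# Shape of a delivered code, e.g. "G-123456" or a bare six-digit number.
CODE_PATTERN = r"\b[A-Z]-?\d{6}\b|\b\d{6}\b"


def classify_sms(sender, text, login_in_progress=False):
    """Return (verdict, reasons) for one inbound SMS; verdict is 'phishing', 'suspicious' or 'ok'.
    The sender id is deliberately not trusted: SMS sender ids are spoofable, so content decides."""
    low = text.lower()
    reasons = []
    if any(re.search(p, low) for p in CODE_REQUEST_PATTERNS):
        reasons.append("asks the recipient to send a verification code back")
    if re.search(LOCK_LURE_PATTERN, low):
        reasons.append("claims the code is needed to lock or protect the account")
    if reasons:
        return "phishing", reasons
    # A real code arriving with no login underway means someone else entered the password.
    if re.search(CODE_PATTERN, text) and not login_in_progress:
        return "suspicious", ["verification code received with no login in progress"]
    return "ok", reasons


if __name__ == "__main__":
    for sender, text in SAMPLE_MESSAGES:
        verdict, why = classify_sms(sender, text, login_in_progress=True)
        print(f"{sender:>10}: {verdict:<10} {'; '.join(why)}")
```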

At present, many companies have added two-factor authentication to their products. Two-factor authentication (2FA) is a method of authenticating a user's identity with two conditions: a password combined with something physical (a credit card, an SMS phone, a token, or a biometric such as a fingerprint). The method is widely used in enterprises, especially for remote access to data, but its application in other areas is still very limited. The main reason its adoption has been blocked is that it requires additional tools, and those requirements place no small burden on IT and technical support staff. Its critics have also pointed out that such security measures are still very vulnerable to attack: within a very small window of time, the technique is vulnerable to a man-in-the-middle attack (which is also the main reason for rigorous SSL handling). In fact, beyond these obstacles, we have now begun to realize that the hidden costs of not using two-factor authentication are far higher than the cost of using it.

Two-factor authentication is a best practice for secure remote access, but the technology also gives a number of cybercriminals an opportunity. If an attacker gets hold of a large number of credentials, they can masquerade as a legitimate user and also evade detection by security software. Many companies believe that two-factor authentication is absolutely reliable and so do not take other safety precautions to protect against attackers and system backdoors.
