Apparently, as the author and presenter of the 12 Ways to Hack 2FA and an author of a similar CSO column, I'm purported to be an authority on it. I'm not, but I did recently stay at a Holiday Inn. Never one to be a wallflower, I've given my opinion and limited expertise over and over. I had to repeat it enough that I decided to write an article about it so I can just point future requests to a link.

First, and foremost, any multi-factor authentication (MFA) method should be applauded and supported. I feel almost criminal saying anything bad about any MFA solution. I'm saying it right here, MFA is awesome! We need to replace as many one-factor authentication (1FA) and/or simple password authentication scenarios wherever and whenever we can. Google is awesome in so many ways, not the least of which is their incredible push to better secure more web sites, using more default HTTPS and trying to fix our digital authentication mess as examples, but also in switching all their users to MFA. The security vendors providing Google Security Key MFA solutions are awesome. What's not to love about any company or person trying to improve computer security?

Now that we've got the obligatory "I'm not insane" moment out of the way, I'm just as correct to say that there is no doubt in my mind that Google's Security Key MFA device can be hacked. Just because it hasn't or didn't (not sure how you ultimately prove that, of course) get hacked doesn't mean it can't be hacked. Apple computers and devices didn't get hacked until they became super popular, and now they are. There is not an authentication solution made that cannot be hacked. That includes everything in the computer security world, and whatever we come up with in the future. If a vendor or person tells you they have something that is unhackable, run! They are either lying or don't know what they are talking about. Either way, not the sources of authority you should be listening to.

Critics of mine are probably saying: if Google has gone over a year without any of their 85,000 employees getting hacked, how can I say that they are hackable with any degree of expertise, certainty, or personal dignity? Start by watching my Hacking 2FA video or read the CSO column (listed above). Or just watch my friend, co-worker, and world's best-known hacker, Kevin Mitnick, blow past a popular 2FA solution using social engineering and some common hacking methods, like the 2FA token isn't even there. After Kevin first posted his video, people said that his method wouldn't work on Google, and so he goes around demonstrating breaking Google's software-based 2FA solution, Google Authenticator, for giggles. Repeat after me: any authentication solution is hackable.

My still remaining critics might counter that Mitnick's particular hack wouldn't work against Google's hardware-based 2FA solution, and in particular Google Security Keys, because they contain a feature (i.e. the FIDO Alliance's Universal 2nd Factor specification has a feature that prevents man-in-the-middle attacks, like the one Mitnick demonstrates). Yes, but it does not prevent all attacks. Just a cursory review shows me that Google Security Keys are probably susceptible to 8 of the 12 attacks I cover in my talks, among them:

- Fake Web Sites and Fake Authentication Experiences
- Tech Support Social Engineering Attacks
- Hijacking Shared Authentication Attacks

I don't have the time or space to cover all of them, but let me cover the fake web site and fake authentication attack scenario. You get a fake email with a look-alike web site that you use Google Security Keys on. The fake web site looks like the legitimate site and prompts you to use your Google Security Key just like you expect, and you are let onto the web site after authentication just like you expect. Maybe you then get prompted to input otherwise confidential information, get prompted to install a "Security Key" upgrade, or maybe get completely kicked out and asked to re-authenticate at the real site, but now there is a session stealing process running.
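The man-in-the-middle protection the U2F specification gives a security key is origin binding: the browser, not the web page, writes the origin into the client data the key signs over, so the relying party can reject an assertion made on a look-alike domain. The following is an added example, not code from this post or from Google or the FIDO Alliance; it shows only the relying party's checks on the client data (ceremony type, challenge, origin) and not signature verification, and the WebAuthn-style JSON layout, RP_ORIGIN and LOOKALIKE_ORIGIN are assumptions.

```python
import hmac
import json
from typing import Tuple

# Assumption: placeholder origin of the legitimate relying party (RP).
RP_ORIGIN = "https://accounts.example.com"
# Constructed look-alike domain of the kind a fake site would sit on.
LOOKALIKE_ORIGIN = "https://accounts-example.com"


def make_client_data(origin: str, challenge: str) -> bytes:
    """Build the clientDataJSON a browser produces for an assertion.

    The browser fills in 'origin' from the page that called the API; the
    page cannot set it. This is the field origin binding relies on
    (U2F's client data carries the same origin field under a 'typ' key;
    the WebAuthn layout is used here)."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge,
                       "origin": origin}).encode()


def verify_client_data(client_data: bytes, expected_challenge: str,
                       expected_origin: str) -> Tuple[bool, str]:
    """RP-side checks on clientDataJSON that run before the signature
    check. Returns (accepted, reason)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "malformed clientDataJSON"
    if not isinstance(cd, dict):
        return False, "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    challenge = str(cd.get("challenge", "")).encode()
    # Constant-time compare against the challenge this RP issued for this
    # login; a stale or reused challenge is rejected (no replay).
    if not hmac.compare_digest(challenge, expected_challenge.encode()):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        # A look-alike site gets its own origin here, so its assertion fails.
        return False, "origin mismatch: %r" % cd.get("origin")
    # This binds the assertion only; the session cookie issued after a
    # successful login is a bearer token and is not covered by this check.
    return True, "ok"


if __name__ == "__main__":
    chal = "n0nceIssuedByRP"  # constructed challenge value
    print(verify_client_data(make_client_data(RP_ORIGIN, chal), chal, RP_ORIGIN))
    print(verify_client_data(make_client_data(LOOKALIKE_ORIGIN, chal), chal, RP_ORIGIN))
```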