damjam wrote (Tue Sep 18, 2018 6:44 am):
If you want to follow that advice, and I do, it eliminates banking by phone as far as I can tell. I don't see how you can login to the app and then use a second factor without also entering that into the phone. (Assuming your bank even offers 2FA, which some (many?) don't).
So with a tear in my eye I say adieu to my banking app.
At the risk of bumping this thread into another tailspin of confusion, I want to hit these 2 points.
For the phone:
- Your phone is likely a full order of magnitude more secure than a standard desktop/laptop computer.
- 2FA (with the exception of U2F) feels more secure than it actually is.
For most people, their smartphone is the most secure computing platform they use, particularly iPhones and 'flagship' Android devices that get regular software updates. As long as you don't jailbreak or root your phone, there are substantial protections that the operating system provides. Unlike a traditional Windows or Mac desktop, the applications always run without admin privileges, are sandboxed to prevent cross-app data leakage, are running on an encrypted filesystem, and the apps are code-signed and undergo validation (even if imperfect) through the respective platform app stores.
For example, on your desktop machine you might run Quicken. You might get an email notification that an update is available, click the link, and install an update that would modify Quicken. If you're not careful in that process, you might end up installing code that was modified from what the developer originally produced. It's up to you, the user, to handle all of the authenticity checking along that deployment path. This can get even more risky when you consider projects like the Keepass password manager, which is distributed as open source code. The official site only has Windows binaries, so if you want to run on another platform you have to grab a port/fork like KeepassX, KeepassXC, MiniKeepass, or a handful of others. If you're a first-time user who just does a Google search for "Keepass" -- how do you know that you landed on a site that actually has a non-tampered binary distribution of that application? The source code is openly published, so nothing would stop someone from publishing a binary build that looks exactly like the real Keepass app, but on the back end sends the passwords you enter back to an attacker's system.
For smartphone app stores, the developers sign their applications when they publish to Google Play / Apple App Store. Additionally, Google and Apple sign the application so that your phone can validate that the app came from a valid location. This allows your phone to self-check if an application has been tampered with between leaving the developer and when you downloaded it. All you need to do is make sure the App name and Developer name are what you believe they should be when you install it the first time from the app store, and your phone will take care of all that validation for all updates going forward.
The thing that people gloss over is that this is the SECOND authentication factor. This leads to 2 important questions:
- How did your attacker get your FIRST authentication factor? (your password)
- Is your second factor protected against the attack methods through which the first factor would be obtained?
Only U2F keys offer protection against phishing and malware/keyloggers. Even if you somehow land on bad.com and click the U2F token button, the authentication response it generates can never be used on good.com. This is not the case for SMS, Google Authenticator, Authy, Duo, or any of the other "punch in the code" or "approve this login y/n?" style 2FA systems out there.
The very best that the most common 2FA implementations can offer is that an attacker will only be able to log in once. Just remember, an attacker only needs 1 successful entry to be able to add their own 2FA method to your account and they can have perpetual access going forward. How often do you log into your accounts and double check the registered authentication apps or phone numbers?
It's not like we didn't know about this. Bruce Schneier pointed out the obvious problems with 2FA systems in 2005 ( https://www.schneier.com/blog/archives/ ... re_of.html ) and there are countless examples of these bypass systems being used regularly. If you want to see the cutting edge of the exploits that can be run, focus on security exploit news around cryptocurrency wallets, where there are very real financial gains to be had from theft and almost zero chance of any kind of prosecution.