Authy 2FA security app hacked for phone numbers

StrongMBS
Posts: 82
Joined: Sat Jan 14, 2017 1:38 pm

Re: Authy 2FA security app hacked for phone numbers

Post by StrongMBS »

Blues wrote: Mon Jul 08, 2024 5:16 pm
StrongMBS wrote: Mon Jul 08, 2024 5:12 pm
Blues wrote: Mon Jul 08, 2024 4:51 pm The iPhone has an option to wipe itself as well after a number of incorrect PIN entries.
AI Overview

An iPhone with a 4- or 6-digit passcode will erase all data after 10 consecutive failed passcode attempts. Before the data is erased, the iPhone will disable itself after five failed attempts. An alert on the lock screen will let you know when your iPhone is disabled.
I seldom use my FIDO2 keys in a public place, and when I do, I'm very careful about entering the PIN to prevent shoulder surfing. Can you say the same when you're unlocking your phone 100 times a day?

Before it gets brought up, do you really think that face ID that passed while you were wearing a mask during COVID is so secure?
I never made claims to being a zealot when it comes to this subject. I use Authy, I use Bitwarden, I take reasonable precautions with my settings and activity and call it good. I was simply making a point about the iPhone in case one of our members was unaware.

Having spent my adult life in federal law enforcement, I know that there's only so much we can do to protect our virtual and actual lives. I do what I feel is reasonable and accept responsibility for the rest.
First, thank you for your service. I am sorry, and I apologize for jumping on you without understanding your motivation.

I just wanted to make sure people do not equate the security risk of the PIN for these two devices as the same. I also agree that this is an important feature to turn on along with the option to remotely wipe the phone if lost or stolen.

Granted, SIM swapping is an ever-increasing issue and occurrence, but it is still rare, and I do not know of anybody who knows someone this has happened to.

I know of many people who have lost their phone or had it stolen (one as a targeted executive). Most people underestimate the risk associated with having a phone stolen until it happens, panic sets in, and they realize how much of their digital lives can be accessed from it.

This includes Apple devices; in fact, here is an article from last year on the subject.
https://9to5mac.com/2023/02/24/apple-an ... es-ios-17/

Again, I am sorry.
Blues
Posts: 2528
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: Authy 2FA security app hacked for phone numbers

Post by Blues »

No worries. No offense taken.

Thank you for the kind words.
gavinsiu
Posts: 5392
Joined: Sun Nov 14, 2021 11:42 am

Re: Authy 2FA security app hacked for phone numbers

Post by gavinsiu »

StrongMBS wrote: Mon Jul 08, 2024 4:22 pm Sorry I was not clear, what does encryption have to do with the recent Twilio/Authy data breach?

You wrote “While the system was hacked, the encryption seems to have kept it from being exploited and the multi-device prevents someone from adding a client. I am thinking that it's still secure.”

Just did not understand how you reached that conclusion.
The encryption provided protection when the system was hacked. Suppose Authy stored everything in clear text on the server; it would be game over for everyone. The hacker managed to steal only unencrypted info such as the phone number of the account.

Hackers are clever, and some of them are backed by governments. If you have valuable info, it's only a matter of time until you are hacked. You want a system that limits damage even when hacked.
gavinsiu
Posts: 5392
Joined: Sun Nov 14, 2021 11:42 am

Re: Authy 2FA security app hacked for phone numbers

Post by gavinsiu »

StrongMBS wrote: Mon Jul 08, 2024 4:37 pm I agree that in most account authentication systems the recovery option is the weak link.

So, it seems the choices here are the security of my mobile device for Authy or the security of my Microsoft account and my Gmail account as a recovery option both using FIDO2 keys (which will wipe itself if my PIN is entered incorrectly 8 times).

To each his own, but I will take the latter.
I tend to think that software choices are personal. There are no wrong choices as long as you are willing to live with your particular choice's limitations.
Tirebiter
Posts: 203
Joined: Wed Nov 01, 2017 12:04 pm

Re: Authy 2FA security app hacked for phone numbers

Post by Tirebiter »

StrongMBS wrote: Sun Jul 07, 2024 3:59 pm First, let's correct the headline of this post: the Authy 2FA app was not hacked; rather, there was a data breach of Twilio's (Authy's owner) systems which included at least the account IDs and phone numbers of Authy users.

If the app had been hacked, then the fallout would be much worse and more troublesome. At present the biggest risk for Authy users seems to be the possibility of increased phishing and smishing attacks on their phone numbers.
This is helpful. I use Authy. I understand I should be more vigilant of phishing attempts, and since I’m not ready to change my phone number, this is now an increased risk whether I continue to use Authy or not. Are there any other steps I should be taking in response to this data breach?
StrongMBS
Posts: 82
Joined: Sat Jan 14, 2017 1:38 pm

Re: Authy 2FA security app hacked for phone numbers

Post by StrongMBS »

Tirebiter wrote: Tue Jul 09, 2024 1:12 am
StrongMBS wrote: Sun Jul 07, 2024 3:59 pm First, let's correct the headline of this post: the Authy 2FA app was not hacked; rather, there was a data breach of Twilio's (Authy's owner) systems which included at least the account IDs and phone numbers of Authy users.

If the app had been hacked, then the fallout would be much worse and more troublesome. At present the biggest risk for Authy users seems to be the possibility of increased phishing and smishing attacks on their phone numbers.
This is helpful. I use Authy. I understand I should be more vigilant of phishing attempts, and since I’m not ready to change my phone number, this is now an increased risk whether I continue to use Authy or not. Are there any other steps I should be taking in response to this data breach?
In response to this data breach, I am not sure, since it has only been 9 days since the initial disclosure. https://www.twilio.com/en-us/changelog/ ... ndroid_iOS

So far, the disclosed compromised data does not seem to compromise the security of your Authy account/app/tokens or the Authy systems. Although allowing an unauthenticated endpoint to access Authy account PII seems like a rookie mistake (several articles have used the word API here, but the Twilio release does not say that, although it might have been implied).

I would also again point out that these are the early days of this breach, and in 2022 it was almost a month before they disclosed that some accounts had been compromised, so keep an eye out for updates on the link above.

I might take this opportunity to look at your general TOTP setup.

First, like any piece of critical security software, keep it and all software on the device up to date. Ideally the software should do this automatically or at least have a mechanism to notify you that there's an update to install.

Then enable the strongest MFA, ideally phishing-resistant, to any web login account associated with this software. Also try to minimize risk for any recovery mechanism provided on said account. (https://www.cisa.gov/sites/default/file ... a-508c.pdf)

Second, "evaluate" the security best practices recommended by the vendor. I do not use Authy, so I cannot tell you what these are or whether they are the right thing to do (hence the term "evaluate"), but it seems you should at least disable "Multi-device", which for some reason is enabled by default until you add a backup device, at which point I believe it gets disabled automatically. That is a nice touch, but it might have been better to have it disabled to begin with. https://help.twilio.com/articles/19753646900379

Third, evaluate what non-recoverable data the application (and therefore the device it is on) and the vendor's systems hold, and what you would do if it were lost. In the case of a TOTP app, this data is the seed/token. Although accounts secured with TOTP can often be recovered if the seed/token is lost, losing numerous tokens at once can be quite disruptive to one's life, hence it is often suggested to have a backup of the token and maybe the seed.

Many of the TOTP apps have backup techniques, including syncing across devices or to a storage location often hosted in the cloud. Again, a word of caution: every place the seed/token is stored is another attack surface with its associated security risk, including the vendor's cloud servers if the token is stored there.

Authy seems to allow a backup device with sync between them. Although, as gavinsiu has pointed out, with them discontinuing their desktop apps (not a great sign if you ask me) it becomes harder to use this feature, since it now requires two non-desktop devices, which many do not have, or at least not two that they keep secure.

Backup inside the vendor's walled garden deals with device failure/loss/theft but does nothing if the vendor fails or if you wish to change vendors. But that is a longer discussion.
gavinsiu
Posts: 5392
Joined: Sun Nov 14, 2021 11:42 am

Re: Authy 2FA security app hacked for phone numbers

Post by gavinsiu »

Yes, the breach in my opinion did not compromise the Authy accounts, but it's not good that they have been breached twice. The fear is that they are also lax in other areas. I believe in the LastPass breach they found out that some of the earlier accounts had weaker encryption and some of the fields thought to be encrypted were not.

As StrongMBS pointed out, it may be good to examine your security setup and try to weed out weak areas. The ones I have seen so far are:
  • Security fallbacks such as using SMS for recovery when you "lose your Yubikey", which you might not be able to turn off.
  • Security questions that are used for recovery. One way to mitigate this is to just replace the answers with randomly generated strings, but some places use the string in a voice call.
  • Allowing humans to bypass systems. One instance is that T-Mobile allows you to assign a PIN to prevent porting but allows a human to override it, so a clever user tricked the operator into overriding the PIN.
Then there is the issue of backup, which is different from security. Authy is a walled garden: once you put your TOTP in, you can't get it out. You can just back up to other clients. My preference is to use something that isn't cloud based and back it up myself. TOTP is just 6 digits, so there is no need for me to have it in multiple clients. I just need a way to back up and restore, which can easily be handled by various TOTP apps.

One problem with this approach is that the same app doesn't usually show up on different platforms. If you switch from Android to an iPhone, you may find that your TOTP app doesn't exist on the other platform, and there is no common format to transfer between apps (most password managers have import and export, but TOTP apps do not).

In my case, I have to support my non-tech family members that do not live nearby, so a cloud based app is a must.
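The two posts above talk about the TOTP "seed/token" as the one piece of non-recoverable data, and about backing it up outside a vendor's walled garden. The following is an added example, not code from any poster or from Authy, showing what that seed actually is and what a vendor-neutral backup of it looks like: it parses the otpauth:// key URI convention that most apps accept at enrollment (the QR code encodes exactly this string), derives HOTP/TOTP codes from the base32 seed per RFC 4226/6238, verifies a code with a small clock-skew window, and re-serializes an entry back into a URI so it can be restored into any app that can scan or paste one. The sample URI and the key are constructed from the RFC 4226/6238 test secret; the account label and issuer are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in
# base32, wrapped in a hypothetical account label. Not a real account.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              f"?secret={SAMPLE_SECRET}&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Parse an otpauth://totp|hotp/LABEL?secret=...&... key URI into a dict."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret (seed)")
    label = unquote(u.path.lstrip("/"))
    issuer = q.get("issuer")
    if issuer is None and ":" in label:          # legacy "Issuer:account" label form
        issuer = label.split(":", 1)[0]
    return {
        "type": u.netloc,
        "label": label,
        "issuer": issuer,
        "secret": q["secret"].upper().replace(" ", ""),   # the seed: this is the backup
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "counter": int(q["counter"]) if "counter" in q else None,
    }


def to_otpauth(entry):
    """Serialize an entry back into an otpauth URI (the portable backup form)."""
    params = {"secret": entry["secret"], "algorithm": entry["algorithm"],
              "digits": str(entry["digits"])}
    if entry["issuer"]:
        params["issuer"] = entry["issuer"]
    if entry["type"] == "totp":
        params["period"] = str(entry["period"])
    else:
        params["counter"] = str(entry["counter"])
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f"otpauth://{entry['type']}/{quote(entry['label'], safe='@:')}?{query}"


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(seed, counter) -> dynamic truncation -> decimal code."""
    s = secret_b32.upper()
    s += "=" * (-len(s) % 8)                     # restore base32 padding if stripped
    key = base64.b32decode(s)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // period, digits, algorithm)


def verify_totp(secret_b32, code, at=None, window=1, digits=6, period=30, algorithm="SHA1"):
    """Accept the code for the current step or +/- `window` steps (clock skew).

    Every candidate is compared in constant time and none short-circuits, so
    timing does not reveal which step (if any) matched."""
    if at is None:
        at = time.time()
    step = int(at) // period
    ok = False
    for c in range(max(0, step - window), step + window + 1):
        ok |= hmac.compare_digest(hotp(secret_b32, c, digits, algorithm), str(code))
    return ok


def export_backup(uris):
    """Round-trip a list of key URIs through parse/serialize: the vendor-neutral
    backup is just the normalized URIs (protect them like passwords)."""
    return [to_otpauth(parse_otpauth(u)) for u in uris]


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["issuer"], entry["label"], "current code:", totp(entry["secret"]))
    print("backup line:", export_backup([SAMPLE_URI])[0])
```

The URIs that `export_backup` emits contain the raw seed, so a plaintext file of them is equivalent to every second factor it lists; store it encrypted (e.g. inside a password manager vault or an encrypted archive) and treat the QR codes shown at enrollment the same way.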