
How Hackers Bypass Gmail 2FA at Scale


+warwagon

If you’re an at-risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account.

Hackers can bypass these protections, as we’ve seen with leaked NSA documents on how Russian hackers targeted US voting infrastructure companies. But a new Amnesty International report gives more insight into how some hackers break into Gmail and Yahoo accounts at scale, even those with two-factor authentication (2FA) enabled.

They do this by automating the entire process, with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can log in and steal the account.

The news acts as a reminder that although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message, with some users likely needing to switch to a more robust method.

“Virtually in that way they can bypass any token-based 2FA if no additional mitigations are implemented,” Claudio Guarnieri, a technologist at Amnesty, told Motherboard in an online chat.

2FA is adding another layer of authentication onto your account. With token-based 2FA, you may have an app that generates a code for you to enter when logging in from an unknown device, or, perhaps most commonly, the service will send a text message containing a short code that you then type into your browser.

https://motherboard.vice.com/en_us/article/bje3kw/how-hackers-bypass-gmail-two-factor-authentication-2fa-yahoo

In my opinion, this is another benefit of a password manager like LastPass which autofills passwords. If you log in using a password manager it will not autofill (at least not automatically) your password into a fake website. It goes by the domain. So it will autofill https://mail.google.com but not https://mail.gooogle.com. So when it doesn't autofill my passwords, or show a matching passcard(s) for the website, I take one last look at the address bar.

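The relay the article describes, and the reason the "more robust method" it alludes to is not relayable, as an added example that is not part of the original post, the Motherboard article or the Amnesty report. Three in-process actors stand in for the real parties (the legitimate site, the victim's browser, the attacker's automation). The domains mail.example.com and mail.exannple.com, the password and both secrets are constructed for the demo, and the origin-bound scheme is a simplified stand-in for WebAuthn: an HMAC over challenge||origin replaces the authenticator's public-key signature over clientDataJSON, but the property that matters is the same, the browser binds the origin the page is really served from into the signed data.

```python
"""Why a relayed one-time code logs the attacker in but an origin-bound
assertion does not. Added example for this thread; not code from the
article or the Amnesty report. Domains, secrets and password are
constructed; the origin-bound scheme is a simplified stand-in for
WebAuthn (HMAC over challenge||origin instead of a public-key signature)."""
import hashlib
import hmac
import os
import struct
import time

LEGIT_ORIGIN = "https://mail.example.com"   # constructed: the real site
PHISH_ORIGIN = "https://mail.exannple.com"  # constructed: lookalike the victim lands on
LEGIT_PASSWORD = "correct horse battery staple"        # constructed
TOTP_SECRET = b"constructed-shared-totp-secret"        # constructed, shared at enrollment
CRED_KEY = b"constructed-origin-bound-credential-key"  # constructed, stands in for a key pair


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Nothing in the code says which site the
    user is typing it into, which is exactly what makes it relayable."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class LegitSite:
    """The real service. It never learns what page the user looked at; it can
    only judge what arrives in the login request."""

    def __init__(self) -> None:
        self.pending = set()

    def login_with_totp(self, password: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(password, LEGIT_PASSWORD):
            return False
        # Accept the current 30 s step and one either side for clock skew,
        # so a code relayed within a few seconds is still valid.
        return any(hmac.compare_digest(code, totp(TOTP_SECRET, now + d))
                   for d in (-30, 0, 30))

    def issue_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self.pending.add(challenge)
        return challenge

    def login_with_assertion(self, challenge: bytes, origin: str, sig: bytes) -> bool:
        if challenge not in self.pending:
            return False                      # unknown or already-used challenge
        self.pending.discard(challenge)
        if origin != LEGIT_ORIGIN:
            return False                      # browser reported a foreign origin
        expected = hmac.new(CRED_KEY, challenge + origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def victim_types_totp(now: float) -> tuple[str, str]:
    """The victim reads the code off their phone and types it into whatever
    page asked for it; the page's domain plays no part in the code."""
    return LEGIT_PASSWORD, totp(TOTP_SECRET, now)


def victim_authenticator(challenge: bytes, page_origin: str) -> tuple[bytes, str, bytes]:
    """Stand-in for browser + authenticator: the origin the page is really
    served from is bound into the signed data and the user cannot override it."""
    sig = hmac.new(CRED_KEY, challenge + page_origin.encode(), hashlib.sha256).digest()
    return challenge, page_origin, sig


def relay_totp_attack(now: float) -> bool:
    """The flow the article describes: phish password and code, replay both
    into the real site before the code expires. True means the attacker is in."""
    site = LegitSite()
    password, code = victim_types_totp(now)                # captured by the phishing page
    return site.login_with_totp(password, code, now + 5)   # replayed 5 s later


def relay_origin_bound_attack() -> bool:
    """Same relay against an origin-bound credential: forward a real challenge
    to the phishing page, then try the assertion as-is and with the origin
    field rewritten. True means either attempt logged the attacker in."""
    site = LegitSite()
    ch, origin, sig = victim_authenticator(site.issue_challenge(), PHISH_ORIGIN)
    as_is = site.login_with_assertion(ch, origin, sig)             # origin mismatch
    ch2, _, sig2 = victim_authenticator(site.issue_challenge(), PHISH_ORIGIN)
    rewritten = site.login_with_assertion(ch2, LEGIT_ORIGIN, sig2)  # sig covers the phish origin
    return as_is or rewritten


def direct_origin_bound_login() -> bool:
    """Control: the same credential used on the real site works."""
    site = LegitSite()
    return site.login_with_assertion(*victim_authenticator(site.issue_challenge(), LEGIT_ORIGIN))


if __name__ == "__main__":
    print("relayed TOTP accepted:     ", relay_totp_attack(time.time()))
    print("relayed assertion accepted:", relay_origin_bound_attack())
    print("direct assertion accepted: ", direct_origin_bound_login())
```

The relay wins against the SMS or app code because the code is only a proof that the victim holds the phone, not a proof of which site they meant to give it to; the attacker's automation just has to be faster than the 30 second step plus the server's skew window. The origin-bound flow fails in both directions the attacker can try: forwarded unchanged, the server sees the phishing origin; with the origin rewritten, the signature no longer verifies. In real WebAuthn the browser additionally refuses to use a credential whose RP ID does not match the page's domain, so the phishing page never gets an assertion at all.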
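The domain rule warwagon relies on, as an added example and not LastPass code or anything from the article: a password manager offers a saved login only when the registrable domain of the page it is really on matches the entry, so a lookalike host never gets a fill. The vault and the tiny public-suffix table are constructed for the demo; a real manager ships the full Public Suffix List and keys entries on the saved URL. The constructed URLs at the bottom cover the common lookalike tricks (extra letter, real name as a subdomain, userinfo before an @, capital I for l, Cyrillic letters).

```python
"""Origin-based autofill matching, the property a password manager gives
you against lookalike domains. Added example; not LastPass code. Vault
and public-suffix table are constructed stand-ins."""
from typing import Optional
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}                     # constructed stand-in for the PSL
VAULT = {"google.com": "user@gmail.com", "neowin.net": "warwagon"}  # constructed vault


def registrable_domain(host: str) -> str:
    """eTLD+1 of host, lower-cased and IDNA-encoded, so a Unicode lookalike
    compares as its xn-- form instead of looking like google.com."""
    ascii_host = host.rstrip(".").encode("idna").decode("ascii").lower()
    labels = ascii_host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])            # unknown suffix: fall back to the last two labels


def autofill_username(url: str) -> Optional[str]:
    """What the manager would offer to fill on this page, or None. The
    decision is made on the parsed host, never on how the URL reads."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None                         # no fill over plain HTTP or for unparseable URLs
    return VAULT.get(registrable_domain(parts.hostname))


if __name__ == "__main__":
    # Constructed URLs: the real site, a sibling subdomain, then lookalike tricks.
    for url in (
        "https://mail.google.com/mail/u/0/",
        "https://accounts.google.com/signin",
        "https://mail.gooogle.com/",                    # extra letter
        "https://mail.google.com.evil.example/login",   # real name as a subdomain
        "https://mail.google.com@evil.example/",        # userinfo before the @
        "https://www.googIe.com/",                      # capital I for l
        "https://www.g\u043e\u043egle.com/",            # Cyrillic o's
        "http://mail.google.com/",                      # no TLS
    ):
        print(f"{url:48} -> {autofill_username(url)}")
```

Only the first two URLs get a username; every lookalike returns None, which is the cue warwagon describes for taking another look at the address bar. Matching on the registrable domain rather than the full host is what lets accounts.google.com share the mail.google.com entry while still rejecting mail.google.com.evil.example, whose registrable domain is evil.example.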
cork1958

Personally, wouldn't/don't trust a password manager anymore than I trust Trump to tell the truth!! :)

+warwagon
4 minutes ago, cork1958 said:

Personally, wouldn't/don't trust a password manager anymore than I trust Trump to tell the truth!! :)

I just don't think I can get creative enough to come up with unique passwords for each of the 406 websites. That being said, after the last LastPass outage I do keep a current-ish import in KeePass on 2 disconnected flash drives.

cork1958
1 hour ago, warwagon said:

I just don't think I can get creative enough to come up with unique passwords for each of the 406 websites. That being said, after the last LastPass outage I do keep a current-ish import in KeePass on 2 disconnected flash drives.

Holy crap! 406 websites that you have an account for and need to log in to? I couldn't come up with that many if I tried!!

Nothing personal, but that's insane!! LOL

Maybe I should create a poll to see what number of passwords the majority of users have?!

+warwagon
11 minutes ago, cork1958 said:

Holy crap! 406 websites that you have an account for and need to log in to? I couldn't come up with that many if I tried!!

Nothing personal, but that's insane!! LOL

Maybe I should create a poll to see what number of passwords the majority of users have?!

I'm so sorry, I misspoke. I just looked, and if I remove the 192.168.1.1 passwords I have 485.

There is such a poll; I created it on August 17th, 2017:

The password Poll
cork1958

Well, huh? I somehow missed that poll!! :(

Just voted on it though. Didn't leave a reply, being that it's from last year. I fit in with most of the votes: 20-30 passwords, although that may be a high guess, different combinations of the same passwords with random gibberish. No option for storing passwords in your brain though!!

+warwagon
2 hours ago, cork1958 said:

Well, huh? I somehow missed that poll!! :(

Just voted on it though. Didn't leave a reply, being that it's from last year. I fit in with most of the votes: 20-30 passwords, although that may be a high guess, different combinations of the same passwords with random gibberish. No option for storing passwords in your brain though!!

Don't worry, you can still leave a reply; I already bumped it yesterday.
