How Hackers Bypass Gmail 2FA at Scale



If you’re an at-risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account.

Hackers can bypass these protections, as we’ve seen with leaked NSA documents on how Russian hackers targeted US voting infrastructure companies. But a new Amnesty International report gives more insight into how some hackers break into Gmail and Yahoo accounts at scale, even those with two-factor authentication (2FA) enabled.

They do this by automating the entire process, with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can login and steal the account.

The news acts as a reminder that although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message, with some users likely needing to switch to a more robust method.

“Virtually in that way they can bypass any token-based 2FA if no additional mitigations are implemented,” Claudio Guarnieri, a technologist at Amnesty, told Motherboard in an online chat.

2FA is adding another layer of authentication onto your account. With token-based 2FA, you may have an app that generates a code for you to enter when logging in from an unknown device, or, perhaps most commonly, the service will send a text message containing a short code that you then type into your browser.

https://motherboard.vice.com/en_us/article/bje3kw/how-hackers-bypass-gmail-two-factor-authentication-2fa-yahoo

 

In my opinion, this is another benefit of a password manager like LastPass which autofills passwords. If you log in using a password manager it will not autofill (at least not automatically) your password into a fake website. It goes by the domain. So it will autofill https://mail.google.com but not https://mail.gooogle.com. So when it doesn't autofill my passwords, or show a matching passcard(s) for the website, I take one last look at the address bar.
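The domain check described in that post, as an added example (not code from the thread or from any password manager): a saved login is offered only when the current page's host shares the entry's registered domain, compared label by label so lookalikes such as mail.gooogle.com, mail.google.com.evil.example or a homograph host get nothing. The vault contents and the two-label eTLD+1 rule are assumptions.

```python
"""Strict origin matching for password-manager autofill (added example)."""
from urllib.parse import urlsplit

# Constructed sample vault: saved login URL -> account label.
VAULT = {
    "https://mail.google.com/": "me@gmail.com",
    "https://login.yahoo.com/": "me@yahoo.com",
}


def _host(url: str) -> str:
    """Return the normalised (lowercase, IDNA/punycode) hostname, or '' if unusable."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return ""  # autofill only over HTTPS; no host means no match
    try:
        # Homograph hosts (e.g. 'googlé') become 'xn--...' and never equal 'google'
        return parts.hostname.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return ""


def _registered_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Assumption for this example: simple TLDs only. A real manager would
    use the Public Suffix List so that 'example.co.uk' is handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def same_site(saved_url: str, current_url: str) -> bool:
    """True when the current page shares the saved entry's registered domain."""
    saved, current = _host(saved_url), _host(current_url)
    if not saved or not current:
        return False
    # Whole-label comparison: 'gooogle.com' != 'google.com', and unlike a
    # raw suffix test this also rejects 'notgoogle.com'.
    return _registered_domain(saved) == _registered_domain(current)


def matching_entries(current_url: str) -> list[str]:
    """Entries the manager may offer on current_url (empty on a lookalike)."""
    return [acct for url, acct in VAULT.items() if same_site(url, current_url)]
```

An empty result on a page that should have had a saved login is exactly the cue the post describes: stop and check the address bar.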

  On 19/12/2018 at 16:45, cork1958 said:

Personally, wouldn't/don't trust a password manager any more than I trust Trump to tell the truth!! :)

I just don't think I can get creative enough to come up with unique passwords for each of the 406 websites. That being said, after the last LastPass outage I do keep a current-ish import in KeePass on 2 disconnected flash drives.

  On 19/12/2018 at 16:48, warwagon said:

I just don't think I can get creative enough to come up with unique passwords for each of the 406 websites. That being said, after the last LastPass outage I do keep a current-ish import in KeePass on 2 disconnected flash drives.

Holy crap! 406 websites that you have an account for and need to login? I couldn't come up with that many if I tried!!

 

Nothing personal, but that's insane!! LOL

 

Maybe someone should create a poll to see what number of passwords the majority of users have?!

  On 19/12/2018 at 18:52, cork1958 said:

Holy crap! 406 websites that you have an account for and need to login? I couldn't come up with that many if I tried!!

 

Nothing personal, but that's insane!! LOL

 

Maybe someone should create a poll to see what number of passwords the majority of users have?!

I'm so sorry. I misspoke. I just looked, and if I remove the 192.168.1.1 passwords I have 485.

 

There is such a poll; I created it on August 17th 2017:

The password Poll

 

 

Well, huh? I somehow missed that poll!! :(

 

Just voted on it though. Didn't leave a reply, being that it's from last year. I fit in with most of the votes: 20-30 passwords, although that may be a high guess, different combinations of the same passwords with random gibberish. No option for storing passwords in your brain though!!

  On 20/12/2018 at 12:24, cork1958 said:

Well, huh? I somehow missed that poll!! :(

 

Just voted on it though. Didn't leave a reply, being that it's from last year. I fit in with most of the votes: 20-30 passwords, although that may be a high guess, different combinations of the same passwords with random gibberish. No option for storing passwords in your brain though!!

Don't worry, you can still leave a reply; I already bumped it yesterday.
