Two-step authentication - bye-bye

Two-step authentication. A good idea, but in practice it only makes it easier to get access to your data, because it involves too many additional parties, each of which may have its own vulnerabilities.

I had been meaning to write about this for a long time, but never got around to it. The other day, having experienced the "beauty" of this method of protection first hand, I decided that the time had come.

So, two-step authentication here means additional protection of your electronic data by binding a mobile phone to the account and confirming logins or other operations via SMS.

Scenario: a person loses their phone. In my case it was not a new one, but a favourite, a phone I had given to my girlfriend. Half an hour after the "loss", it was successfully unlinked from iCloud. The phone had a non-standard unlock passcode, TouchID was enabled, and the iCloud password certainly qualifies as a complex one. The phone was locked through the Find My iPhone service.

First case

The attacker finds out the Apple ID to which the phone is linked, as well as the phone number. There are methods for this to suit every taste, so we skip this step. Let us assume this e-mail address is registered with Google.

Step one: the attacker enters the mail provider's address, requests password recovery for the existing address, and chooses SMS confirmation.

Step two: the phone is passcode-protected and the display of incoming messages on the lock screen is turned off. Fine: we ask Siri to read out the last message and, despite the locked device, we get the code.

Alternatively: after the SMS is sent, we choose the call option and simply answer it on the locked device. The code is obtained by having the IVR read it out.

Step three: enter the password reset code in the mail provider's form, set a new password, and take control of the account.

Step four: go to appleid.com, request a reset, and receive the code for it at the already captured mailbox.

Step five: unlink the device from the account, after performing the fairly simple operations needed to change the security questions.

Curtain.

It is worth noting that the procedure for restoring access to an Apple account may differ and in some cases offers an easier route: choosing the option of restoring access via the "phone" and receiving the code to enter directly on the Apple ID website. This works if the device has been linked to the account for some time and is protected by a passcode or TouchID. We will not dwell on this.

Second case

Suppose an attacker needs to gain access to the data, but does not have the phone whose number the confirmation is tied to. Moreover, unlike the first case, the attacker knows from the outset "whom" he is trying to break into. The target is the mailbox.

I will not speak for other countries, but in Ukraine the mobile operators have procedures under which, by answering certain questions from the call-centre operator, you can request a reset of the password to your personal account (the operator's self-service portal).

Step one: while the victim is asleep, the attacker calls the operator's call centre (CC) from any phone and says that he needs access to his personal account but cannot call back from his own phone. A series of questions follows, the answers to which are easy to obtain in advance. I will not dwell on this point, but in about five attempts, without attracting attention and using different phone numbers for test calls to the CC, one can collect the full list of required questions, which are the same for obtaining information on a subscriber's charges, for restoring a prepaid SIM card, and for restoring access to the personal account.

Step two: the attacker gains access to the victim's personal account, where he sets up forwarding of all calls to his own phone number, or SMS forwarding, if the portal technically allows it.

Step three: a Gmail password reset is requested via the phone number. After the SMS is sent, one can indicate that it was not received and request a call; in my test, the call button appeared 60 seconds after the SMS was sent.

Step four: having received the Gmail password reset code via the mail provider's IVR, the attacker gains access to the victim's mail and, accordingly, to most of the accounts tied to that mailbox.

Above, I noted that such actions are usually performed at night. The expectation is that the victim will not see the SMS with the code because they will be asleep. If the victim's mobile operator's personal account supports setting up SMS forwarding, the time of day no longer matters.

Third case

This case applies when the victim is of a certain financial or personal interest that goes beyond "reading their social-network correspondence" or unlocking a stolen phone. The third case is identical to the second, but involves substantial monetary costs.

It is easy to find a person who will get a job at the CC of the operator of interest, where from the first days of the internship this employee is given a personal password to the subscriber service system, including the call-detail viewing function (possibly with or without the last digits), as well as the subscriber service control panels, including forwarding, which I wrote about in the case above. Perhaps the personal password is issued later; in that case the new employee is trained under the login/password of an already experienced CC employee, who is more likely to have access to all the necessary functions. This case is expensive only if there is nothing to compare it against and, of course, depends entirely on the goal.

Using the basic cases above, or variations of them that there is no point dwelling on, it is rather easy to gain access to various services and personal accounts. Unfortunately, protection measures that work well on their own can, when combined, backfire and only increase the chance of being hacked.

Protective measures: do not use two-step authentication for any important services. If possible, avoid adding the phone number you actually use to any Internet services, even if the number is ultimately hidden by the privacy settings: it may be hidden from display, yet still obtainable through those same services' search or password recovery features.

As for telecom operators, there are other subscriber service procedures that in one way or another increase a user's security, but in any case the only question is how personally interested someone is in gaining access to your personal data. In addition, I have tried to describe, superficially, the possible and proven attack vectors, but this does not mean that I have described them all, nor that, by defending against one, we do not expose ourselves to others.

At the end of the post, I want to add that I am not an information security expert; it is not my occupation, but rather just a personal interest.

This is my first post. Do not judge it too harshly; perhaps for some I have described obvious things, but maybe for someone else this information will be useful and will help at least slightly reduce the chance of losing or compromising their personal information.
