#authentication

anonymiss@despora.de

A leaky #database spilled #2FA codes for the world’s tech giants

source: https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/

A #technology company that routes millions of #SMS text messages across the world has secured an exposed database that was spilling one-time #security codes that may have granted users’ #access to their #Facebook, #Google and #TikTok accounts.

#news #fail #cybersecurity #problem #economy #internet #account #login #authentication #mobile #software

danie10@squeet.me

Microsoft, Apple, Google, and hundreds of tech companies accelerate push to eliminate passwords, supporting standards developed by the FIDO Alliance and the W3C

Google, Microsoft, and Apple are important in this regard because they represent the greatest volume of single sign-on capabilities for sites other than their own. So if you want a change away from passwords, without their support, it drags out for years, never reaching any tipping point to be effective. Note though that what is being adopted are open alliance standards, and not proprietary to Google, Apple, or Microsoft.

We do have 2FA (2-Factor Authentication) already, but it often falls back onto insecure e-mail or text messages. We're also going to have to finalise, or have options between, biometrics vs device-specific. Many don't want biometrics (or their hash) saved, not because it's invasive (it does not store your actual fingerprint), but because it cannot be changed (or does using a different finger count, although most of us still have a limit of 10?). Biometrics are the most convenient and usually not lost, but that also counts against them for the same reason. A device such as a YubiKey, fob, phone, etc. can easily be lost or left at home, and you lose access.

But yes, passwords do need to go, along with that useless advice of updating a password every 30 days.

See https://www.theregister.com/2022/05/05/microsoft-apple-google-fido/

#technology #security #passwords #authentication

california@diaspora.permutationsofchaos.com

How Hackers Used #Slack to Break into #EA #Games

A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10 and using those to gain access to a Slack channel used by EA.

...

The hackers then requested a multifactor #authentication token from EA IT support to gain access to EA's corporate #network. The representative said this was successful two times.

Once inside EA's network, the hackers found a service for EA developers for compiling games. They successfully logged in and created a virtual machine giving them more visibility into the network, and then accessed one more service and downloaded #game #source #code.

more here: https://www.vice.com/en/article/7kvkqb/how-ea-games-was-hacked-slack

#security #hack #hacker #news #details #story #cookie #login

anonymiss@despora.de

#Android: Misconfiguration of third party #cloud services exposed data of over 100 million users

Source: https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-cloud-services-exposed-data-of-over-100-million-users/

Real-time #databases allow application developers to store data on the cloud, making sure it is synchronized in real-time to every connected client. This service solves one of the most encountered problems in #application #development, while making sure that the database is supported for all client platforms. However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like #authentication?

#security #privacy #software #app #smartphone #mobile #news #fail #problem
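The rule sets below are an added illustration, not from the post or from the Check Point write-up, and assume the real-time database in question is Firebase Realtime Database (the product name is an assumption here; any real-time database with the same kind of access-rule configuration has the same failure mode). The first rule set is the "no authentication" case the post asks about: every path is readable and writable by any unauthenticated client that knows the database URL. The second requires a signed-in user and confines each user to their own subtree, keyed by the `$uid` wildcard (`users` is an assumed path name for the example).

```json
{
  "rules_open_to_the_world": {
    "rules": {
      ".read": true,
      ".write": true
    }
  },

  "rules_requiring_authentication": {
    "rules": {
      "users": {
        "$uid": {
          ".read": "auth != null && auth.uid == $uid",
          ".write": "auth != null && auth.uid == $uid"
        }
      }
    }
  }
}
```

The two objects are shown side by side for comparison; a real `database.rules.json` contains exactly one top-level `"rules"` object. A quick check for the open configuration is an unauthenticated GET against `https://<project-id>.firebaseio.com/.json` (`<project-id>` is a placeholder): with the first rule set it returns the entire tree, with the second it returns a permission-denied error. Under the second rule set, paths that are not listed have no rule at all, and Realtime Database denies access to them by default, so adding a new subtree does not silently expose it.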

danie@diasp.org

If you’re still using texts for 2FA, it’s time to change to an app - Many banks are ditching the use of verification via texts

Good article explaining the risks today of using texts for second-factor authentication. E-mails are no better as they can be delayed and are usually in plain text.

Note too that although there is often mention of the Google Authenticator app, you can actually use any authenticator app, even to authenticate into Google services. I prefer to use Authy as it has consistently been ahead of Google's own app, with search capability and easy replication between multiple devices (or to new devices), including my desktop.

Some password managers like LastPass, 1Password and Bitwarden have built-in support for 6-digit authentication already that not many folks are aware of.

Most popular services on the Internet today offer authenticator app support, so you want to spend a minute on each just setting it up - you won't have to thank yourself later as you're probably unlikely to have those accounts hacked in future.

See There’s a better way to protect yourself from hackers and identity thieves

#technology #security #2FA #authentication #Authy