SMS Password Recovery: nopls

Allowing SMS password recovery in your applications has become a horrible means of password recovery. Recent hacks (e.g. LinusTechTips) show an upcoming trend in hacking via social engineering.

The best thing ever, but often incorrectly implemented: two-factor authentication.

Two-factor authentication is great, but if people are able to get access to your cell phone number, how secure is it really? You may just be the average Joe, with nothing extremely important tied to your name, such as an entire company or social media accounts with millions of followers, but the issue comes with the default methods by which many services choose to implement two-factor authentication alongside password recovery.

This attack was carried out by someone who, either in person or over the phone, contacted Bell Canada pretending to be Linus Sebastian and was able to convince them to activate a new account, allowing the attacker to reset passwords through SMS.

This “hack”, which has been performed on many, was this time targeted at Linus Media Group, the media company formed by Linus Sebastian to promote the growth of, and protect, his company, which many have worked extremely hard on to produce such successful results. Props to the team at Linus Media Group.

However, this raises a bigger issue than, as Linus’ mother-in-law says, “Did they place any long distance phone calls?”: the insecurity on the mobile operators’ part. For example: Authy, an alternative to Google Authenticator, allows you to sync your keys for mobile authentication “encrypted” through their website. A weak password and your cell phone number are all it takes for ALL of your authentication to be vulnerable. Remember, once they have your email, they typically have everything. Consider the implications this may have for your job and your personal life: you could potentially lose all your money, as well as your job, over insecurity for which you’d theoretically be liable.

If you use two-factor authentication, great! Just make sure that your phone is definitely not a SINGLE factor for password recovery, because until the carriers check themselves and become more secure, you’re vulnerable to exactly what happened to Linus Media Group. Don’t be caught with your pants down.
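The chain described above (a hijacked number resets the mailbox, the mailbox resets everything else, and a weak sync password exposes the authenticator) can be checked against your own accounts. The following is an added example, not part of the original post; the account names, factor labels and recovery settings are constructed for illustration.

```python
# Added example: audit which accounts fall if only the phone number is taken over.
# All account names and recovery settings below are constructed sample data.

# Each account lists its recovery paths; a path is the set of factors that
# must ALL be held to reset the account through that path.
ACCOUNTS = {
    "email":         [{"sms"}],                           # SMS alone resets the mailbox
    "authenticator": [{"sms", "authenticator_password"}], # cloud-synced 2FA keys
    "bank":          [{"email", "authenticator"}],        # mailbox AND 2FA keys
    "social":        [{"email"}, {"sms", "authenticator"}],
    "hosting":       [{"sms", "backup_code"}],            # SMS is one of two factors
}

def compromised_accounts(accounts, attacker_holds):
    """Return the accounts recoverable by someone holding `attacker_holds`.

    A taken-over account becomes a factor itself (e.g. "email"), so the
    scan repeats until no further account falls.
    """
    held = set(attacker_holds)
    fallen = set()
    changed = True
    while changed:
        changed = False
        for name, paths in accounts.items():
            if name not in fallen and any(path <= held for path in paths):
                fallen.add(name)
                held.add(name)
                changed = True
    return fallen

def sms_single_factor(accounts):
    """Accounts where SMS by itself is a complete recovery path."""
    return sorted(n for n, paths in accounts.items() if {"sms"} in paths)

if __name__ == "__main__":
    print("SMS is a single factor for:", sms_single_factor(ACCOUNTS))
    print("Lost with the number alone:",
          sorted(compromised_accounts(ACCOUNTS, {"sms"})))
    print("Lost with number + weak sync password:",
          sorted(compromised_accounts(ACCOUNTS, {"sms", "authenticator_password"})))
```

Replacing the mailbox's recovery path with one that needs a second factor besides SMS leaves nothing recoverable from the phone number alone.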

How do you feel about password recovery via SMS? Your feedback is appreciated in the comments section.
