Standard User caffn8me
(knowledge is power) Fri 27-Jan-17 15:29:24

Re: Facebook finally adds proper 2 Factor Authentication


[re: bobble_bob]
 
There are major vulnerabilities in the SS7 protocol which is used by mobile phone networks. One particular vulnerability relates to roaming on other networks and this cannot be protected without disabling roaming. It is this vulnerability which enables third parties to impersonate a subscriber and intercept SMS messages.

Briefly, the mobile network knows how to get messages and calls to your phone because your phone registers with the network and says where it is. If a rogue device pretends to be your phone (all that's needed is the number), calls and messages can be routed to the new device.

It's discussed here:

4.1.5. Interception – SMS

The updateLocation message is used to update the subscriber’s location in the network. It informs the network of which VLR/MSC the subscriber is currently connected to.

Using a fake updateLocation message the attacker claims that the victim's MS is connected to their MSC. In this case, the subscriber SMSs will be forwarded to the attacker’s SMS center to be delivered to the MS. (Engel, 2014, p42) In addition to intercepting personal SMSs of the target, this attack can be used against authentication systems that utilize SMS verification (SMS token, Facebook verification, etc.) and could lead to the compromise of the target’s identity.

and in more detail in Tobias Engel's 2014 paper SS7: Locate. Track. Manipulate.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Fri 27-Jan-17 15:45:40)
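
Added example, not part of the original post or of the quoted paper: a toy Python model of the location register behaviour described above, showing why an SMS follows the most recent updateLocation claim and how a home network could flag an implausible change. The class, the network names, the phone number and the six-hour threshold are all constructed assumptions, and the plausibility check is an illustrative heuristic rather than something the post describes.

```python
from dataclasses import dataclass, field

# Assumed threshold: minimum time a real handset needs to appear in another country.
MIN_PLAUSIBLE_GAP_S = 6 * 3600


@dataclass
class Hlr:
    """Toy home location register: MSISDN -> (serving MSC, country, update time)."""
    serving: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def update_location(self, msisdn, msc, country, ts, enforce=False):
        """Record which MSC claims to serve the subscriber.

        enforce=False accepts every claim, as in the quoted description.
        enforce=True rejects a cross-country change that arrives too quickly.
        """
        prev = self.serving.get(msisdn)
        if prev and prev[1] != country and ts - prev[2] < MIN_PLAUSIBLE_GAP_S:
            # Log old MSC, claimed MSC and elapsed seconds for the SOC.
            self.alerts.append((msisdn, prev[0], msc, ts - prev[2]))
            if enforce:
                return False
        self.serving[msisdn] = (msc, country, ts)
        return True

    def route_sms(self, msisdn):
        """Return the MSC an incoming SMS (for example a login code) is sent to."""
        return self.serving[msisdn][0]


def demo(enforce):
    """Constructed scenario: home registration, then a foreign claim 10 minutes later."""
    hlr = Hlr()
    number = "+447700900123"  # constructed number from a range reserved for fiction
    hlr.update_location(number, "msc.home.example", "GB", ts=0)
    hlr.update_location(number, "msc.other.example", "XX", ts=600, enforce=enforce)
    return hlr.route_sms(number), len(hlr.alerts)


if __name__ == "__main__":
    print("check logging only:", demo(enforce=False))
    print("check enforced:    ", demo(enforce=True))
```

With the check only logging, the SMS route moves to the second MSC and one alert is raised; with it enforced, the route stays on the home MSC.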

Standard User zyborg47
(eat-sleep-adslguide) Sun 19-Mar-17 11:12:40

Re: Facebook finally adds proper 2 Factor Authentication


[re: caffn8me]
 
I do not like 2FA; it is a pain in the neck. This was one of the reasons I left Vodafone for their mobile service, because they forced it onto us.

Adrian

Desktop machine now powered by windows 8.1 pro 64bit, no dreaded metro, laptop by Linux

Plusnet FTTC
Standard User caffn8me
(knowledge is power) Mon 20-Mar-17 14:24:18

Re: Facebook finally adds proper 2 Factor Authentication


[re: zyborg47]
 
I feel it's more of a reassurance than a pain.

What may be a minor inconvenience to me is a major pain in the backside for hackers.

It just takes a little longer to log in but I know that on the sites for which I have 2FA enabled, if their password databases get hacked, my accounts still shouldn't be compromised.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs



Standard User gomezz
(eat-sleep-adslguide) Mon 20-Mar-17 15:17:37

Re: Facebook finally adds proper 2 Factor Authentication


[re: caffn8me]
 
And it's a once-only effort for your trusted devices (i.e. non-shared personal devices only you have physical access to).

BT Infinity 1 (unlimited)