Bypass Method of Two-Factor Authentication

Two-factor authentication (2FA or Two-Factor) is considered, together with the use of biometrics, one of the strongest methods of protecting user data on the internet. A new attack devised by two researchers from the University of Amsterdam shows that this protection method has weak points too.

The two researchers, Radhesh Krishnan Konoth and Victor van der Veen, report that they discovered the security flaw in 2014, alerted Google and other services, and presented their findings at , but nothing changed.

As the researchers explained, because the vulnerability had not been publicly disclosed until now, many people said it was not very risky. The two researchers disagree.

As they explain, the attack does not exploit a software defect, but a problem with two-factor authentication itself.

The concept is called "anywhere computing," and refers to the ability to synchronize applications and content across all devices. Using anywhere computing, 2FA can therefore be bypassed if an attacker gains access to the victim's computer.

From there, design flaws in the 2FA mechanism of the various services allow attackers to use services such as iTunes or the Google Play Store to push malicious applications to a user's phone without triggering the 2FA authentication system and without an icon appearing on the device's home screen to indicate that new software has been installed.

Of course, the attacker must first get the malware into the Google or Apple stores, but we have seen that happen lately.

Researchers argue that services using 2FA should be very cautious with synchronizing applications between different devices.

For more information, see the video below. Those who want more details can download the PDF "How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication".

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
