Posted by: admin, 13 years, 8 months ago
William Edwards wrote a post entitled "I know someone whose 2-factor phone authentication was hacked…" about a friend whose bank account was drained by fraudsters. His bank relied on a dial-back system. The attackers social-engineered BT to re-route the phone calls. This attack is eerily similar to the recent attack on Cloudflare, which started with an attack on an AT&T account.
I agree with almost everything in the post, except this: a dial-back verification system is not two-factor authentication. It's been clear to me that the term "two-factor authentication" is showing its age. In many ways I prefer the term "strong authentication" because it implies that you are increasing the strength around authentication. And it leads us to this:
There is no cryptography in a dial-back system. There is no provable encryption in SMS. These systems may be better than a static password, but they are not strong!
If your authentication system falls back to a system that doesn't rely on secure systems, then it is not strong. It's the old cliché about weakest links.
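As an added illustration of that weakest-link point (my own sketch, not code from the original post or the bank in question), here is a small Python model: the same attacker who has had the phone line re-routed passes a dial-back check, but cannot answer a fresh HMAC challenge without the device-held secret. The phone number, secret and the parties answering the phone are constructed stand-ins.

```python
import hmac
import hashlib
import os


# --- Dial-back: the bank rings the number on file and asks whoever answers to say "yes".
# The only thing verified is who currently receives calls to that number; no secret is involved.
class PhoneNetwork:
    def __init__(self):
        self.routes = {}          # number -> callable that answers the phone

    def register(self, number, party):
        self.routes[number] = party

    def reroute(self, number, party):
        # Models the re-routing of calls described in the post (constructed, no carrier detail).
        self.routes[number] = party

    def call(self, number, prompt):
        return self.routes[number](prompt)


def dial_back_verify(network, number_on_file):
    return network.call(number_on_file, "Approve this transfer? yes/no") == "yes"


# --- Cryptographic factor: a device-held secret answers a fresh server challenge (HMAC-SHA256).
# Whoever controls the phone line learns nothing usable without the secret.
def hmac_factor_verify(server_secret, responder):
    challenge = os.urandom(16)                     # fresh per attempt, so a replayed answer fails
    expected = hmac.new(server_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, responder(challenge))


def run_scenario():
    """Same attacker (controls the phone line) against both designs. All data constructed."""
    number = "+44-0000-CONSTRUCTED"
    net = PhoneNetwork()
    net.register(number, lambda prompt: "yes")           # legitimate customer answers
    dial_back_legit = dial_back_verify(net, number)

    net.reroute(number, lambda prompt: "yes")            # fraudster now answers every call
    dial_back_after_reroute = dial_back_verify(net, number)   # still passes: nothing was proven

    secret = hashlib.sha256(b"constructed-device-secret").digest()
    device = lambda c: hmac.new(secret, c, hashlib.sha256).digest()
    attacker = lambda c: hmac.new(b"guess", c, hashlib.sha256).digest()  # has the line, not the key
    return {
        "dial_back_legit": dial_back_legit,
        "dial_back_after_reroute": dial_back_after_reroute,
        "hmac_legit": hmac_factor_verify(secret, device),
        "hmac_attacker": hmac_factor_verify(secret, attacker),
    }
```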