[ad_1]
"Two-factor authentication" is a reassuring expression. The installation is done as if you were installing a brand new, sturdy deadbolt on your door. Until you realize that there is only one building that stores the working keys of millions of dead bolts, associated with your name and address, and that this place is guarded by people who do not understand very well the locks.
This is essentially the achievement by which millions of Facebook users have (or should be) the result of the company's latest massive security breach. In an October 12 message titled "Security Update Update," encrypted and unnecessarily, Guy Rosen, vice president of Facebook's product management, wrote that "15 million people, the attackers have accessed two sets of information: name and contact details (phone number). , email, or both, depending on what people had on their profiles). "
This effectively compromises two-factor authentication for all these users, not just on Facebook, but on any service that only allows text messages as a second form of authentication. (Here's how to know if you are affected.)
Security boosters have been telling us for a long time not to rely on SMS for two-factor authentication. It may seem safe: your phone has a face identifier, a long password or a particularly elaborate gesture. But the technology that allows a text to reach you in the first place is not secure in itself.
As Wired wrote in 2016, "Attacks on political activists in Iran, Russia and even here in the United States have shown that determined hackers can sometimes hijack SMS messages designed to protect you." L & # Last year, security researchers at Positive Technologies have video in which they easily intercept SMS messages and have access to the Gmail and Coinbase accounts of a hypothetical target, simply by using their name and phone number.
For the 15 million people mentioned, all registered services using text messaging for two-factor authentication have been reduced to a factor: the bad old password. And that is the case for many services. Just a few days ago, Instagram, which belongs to Facebook, has stopped using only SMS for 2FA.
Facebook hackers would at least have the names, phone numbers or email addresses of those 15 million. But they have a lot more, too. The post continues:
For 14 million people, the attackers had access to the same two sets of information [as in name, number and/or email], as well as other details that people had on their profiles. This included the user name, gender, location / language, relationship status, religion, hometown, current declared city, date of birth, types of devices used to access Facebook, to education, to work, the last 10 places in which they opened or tagged, the people or pages that they follow and the 15 most recent searches.
It sounds like an epic phishing expedition. This might even be enough to respond to other more personal forms of authentication, such as security issues that banks often face.
Text-based SMS compromises Facebook, as recently revealed, allows advertisers to target users based on their phone numbers, even if they only shared those numbers with Facebook for the purpose of … create two-factor authentication.
It is no wonder that after this revelation, CEO Mark Zuckerberg was not really able to answer the question of whether users should always trust his company.
Source link
