Authentication - Cyber Security Informer

Failures in Twitter’s Two-Factor Authentication System

Schneier on Security

NOVEMBER 17, 2022

Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism.

Authentication

Authentication Passwords Accountability Media

Bypassing Two-Factor Authentication

Schneier on Security

APRIL 1, 2022

FIDO2 multi-factor authentication systems are not susceptible to these attacks, because they are tied to a physical computer. .” Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

Authentication

Authentication Hacking Passwords

Defeating Phishing-Resistant Multifactor Authentication

Schneier on Security

NOVEMBER 9, 2022

CISA is now pushing phishing-resistant multifactor authentication. Roger Grimes has an excellent post reminding everyone that “phishing-resistant” is not “phishing proof,” and that everyone needs to stop pretending otherwise. His list of different attacks is particularly useful.

Authentication

Authentication Phishing

Problems with Multifactor Authentication

Schneier on Security

OCTOBER 21, 2021

Roger Grimes on why multifactor authentication isn’t a panacea : The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in.

Authentication

Authentication Ransomware Social Engineering Engineering

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers.

Healthcare

Using “Master Faces” to Bypass Face-Recognition Authenticating Systems

Schneier on Security

AUGUST 6, 2021

” Abstract: A master face is a face image that passes face-based identity-authentication for a large portion of the population. Fascinating research: “ Generating Master Faces for Dictionary Attacks with a Network-Assisted Latent Space Evolution.”

Authentication

The Consumer Authentication Strength Maturity Model (CASMM)

Daniel Miessler

MARCH 24, 2021

Basically, how secure is someone’s current behavior with respect to passwords and authentication, and how can they improve? Mar 24, 2021 — Someone mentioned that there are higher ranks of authentication out there, which I agree with, but this is specifically for everyday users. How to use this model.

Authentication

Authentication Passwords Internet Internet

Apple to Add Manual Authentication to iMessage

Schneier on Security

NOVEMBER 22, 2023

Signal has had the ability to manually authenticate another account for years. iMessage is getting it : The feature is called Contact Key Verification, and it does just what its name says: it lets you add a manual verification step in an iMessage conversation to confirm that the other person is who their device says they are.

Authentication

Authentication Encryption Accountability

CASMM (The Consumer Authentication Strength Maturity Model)

Daniel Miessler

MARCH 24, 2021

Basically, how secure is someone’s current behavior with respect to passwords and authentication, and what can they do to improve? This post is an attempt to create an easy-to-use security model for the average internet user. People like moving up rankings, so let’s use that! How to use this model.

Authentication

Authentication Passwords Internet Internet

Leaving Authentication Credentials in Public Code

Schneier on Security

NOVEMBER 16, 2023

Seth Godin wrote an article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code (..)

Authentication

Authentication Cryptocurrency Accountability Software

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

The Last Watchdog

MAY 24, 2022

Perhaps not coincidently, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations. Fortifications, such as multi-factor authentication (MFA) and password managers, proved to be mere speed bumps. Coming advances.

Authentication

Authentication Passwords Banking Digital transformation

Fooling a Voice Authentication System with an AI-Generated Voice

Schneier on Security

MARCH 1, 2023

A reporter used an AI synthesis of his own voice to fool the voice authentication system for Lloyd’s Bank.

Authentication

Authentication Banking Artificial Intelligence

What Is Passwordless Authentication?

Tech Republic Security

MARCH 5, 2024

Learn about passwordless authentication, and explore the different types, benefits and limitations to help you decide which solution to choose.

Authentication

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

The Last Watchdog

JULY 24, 2023

The next big thing is passwordless authentication. First and foremost, most solutions rely on connected devices like mobile phones to authenticate users. Attackers will continue to find ways to breach our systems, and authentication cryptography will become increasingly vulnerable to attack. Some solutions do this today.

Authentication

Authentication Passwords Social Engineering Phishing

Passwordless Authentication without Secrets!

Thales Cloud Protection & Licensing

OCTOBER 11, 2024

Passwordless Authentication without Secrets! This highlights an increasing demand for advanced authentication methods like passkeys and multi-factor authentication (MFA), which provide robust security for most use cases. Similarly, in retail and manufacturing, delays caused by authentication procedures reduce overall efficiency.

Authentication

Authentication Retail Healthcare Manufacturing

CVE-2024-8698: Keycloak Vulnerability Puts SAML Authentication at Risk

Penetration Testing

SEPTEMBER 22, 2024

Tracked as CVE-2024-8698,... The post CVE-2024-8698: Keycloak Vulnerability Puts SAML Authentication at Risk appeared first on Cybersecurity News.

Authentication

Authentication Risk Cybersecurity

Not All MFA is Equal, and the Differences Matter a Lot

Daniel Miessler

MARCH 10, 2022

People are starting to get the fact that texts (SMS) are a weak form of multi-factor authentication (MFA). It might have been a text, or it could have been something “strong”, like a mobile authenticator app like Google Authenticator or Authy. It completely changes how authentication is done.

Authentication

Authentication Phishing Passwords Accountability

Man-in-the-Middle Phishing Attack

Schneier on Security

AUGUST 25, 2022

Here’s a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication: Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into.

Phishing

Phishing Authentication Passwords Accountability

New iPhone Security Features to Protect Stolen Devices

Schneier on Security

DECEMBER 27, 2023

No passcode fallback is available in the event that the user is unable to complete Face ID or Touch ID authentication. For especially sensitive actions, including changing the password of the Apple ID account associated with the iPhone, the feature adds a security delay on top of biometric authentication.

Authentication

Authentication Passwords Accountability

CVE-2024-40715: Authentication Bypass Threat in Veeam Backup Enterprise Manager

Penetration Testing

NOVEMBER 7, 2024

this flaw is classified as a high-severity vulnerability,... The post CVE-2024-40715: Authentication Bypass Threat in Veeam Backup Enterprise Manager appeared first on Cybersecurity News. Veeam recently disclosed a new security vulnerability, tracked as CVE-2024-40715, that impacts Veeam Backup Enterprise Manager.

Backups

Backups Authentication Cybersecurity

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

The Last Watchdog

SEPTEMBER 24, 2024

About the essayist: Ambuj Kumar is Co-founder and CEO of Simbian , AI Agents for cybersecurity The post GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator first appeared on The Last Watchdog.

Authentication

Authentication Identity Theft Banking Data breaches

GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions

The Hacker News

SEPTEMBER 18, 2024

GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass. The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system.

Authentication

Backdoor Added — But Found — in PHP

Schneier on Security

APRIL 9, 2021

Developers have moved PHP to GitHub, which has better authentication. They were discovered and removed before being pushed out to any users. But since 79% of the Internet’s websites use PHP, it’s scary. Hopefully it will be enough — PHP is a juicy target.

Authentication

Authentication Internet Internet Hacking

RADIUS Vulnerability

Schneier on Security

JULY 10, 2024

New attack against the RADIUS authentication protocol: The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request.

Authentication

Authentication Passwords

Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

The Hacker News

NOVEMBER 5, 2024

Google's cloud division has announced that it will enforce mandatory multi-factor authentication (MFA) for all users by the end of 2025 as part of its efforts to improve account security. "We

Authentication

Authentication Engineering Account Security Accountability

PIN-Stealing Android Malware

Schneier on Security

JANUARY 9, 2024

The malware captures any PINs and passwords the victim enters to unlock their device and can later use them to unlock the device at will to perform malicious activities hidden from view.

Malware

Malware Banking Authentication Passwords

Google Workspace Authentication Vulnerability Allowed Thousands of Emails to be Compromised

Tech Republic Security

JULY 30, 2024

Hackers managed to compromise “a few thousand” Google Workspace accounts by circumventing the verification process.

Authentication

Authentication Accountability

Brute-Forcing a Fingerprint Reader

Schneier on Security

MAY 30, 2023

It’s neither hard nor expensive : Unlike password authentication, which requires a direct match between what is inputted and what’s stored in a database, fingerprint authentication determines a match using a reference threshold.

Authentication

Authentication Encryption Passwords

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. That is true two-factor authentication: Something you have, and something you know (and maybe also even something you are).

Passwords

Passwords Mobile Authentication Banking

Recycle Your Phone, Sure, But Maybe Not Your Number

Krebs on Security

MAY 19, 2021

The Princeton team further found 100 of those 259 numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. While you’re at it, consider removing your phone number as a primary or secondary authentication mechanism wherever possible.

Mobile

Mobile Wireless Authentication Accountability

Crime Shop Sells Hacked Logins to Other Crime Shops

Krebs on Security

JANUARY 21, 2022

One example is Genesis Market , where customers can search for stolen credentials and authentication cookies from a broad range of popular online destinations. What’s more, relatively few cybercrime shops online offer their users any sort of multi-factor authentication.

Hacking

Hacking Cybercrime Authentication Passwords

NIST Recommends Some Common-Sense Password Rules

Schneier on Security

SEPTEMBER 27, 2024

However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) ”) or security questions when choosing passwords.

Passwords

Passwords Authentication

Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services

Krebs on Security

JULY 26, 2024

Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google’s “Sign in with Google” feature.

Accountability

Accountability Authentication Cryptocurrency Web Fraud

Microsoft Patch Tuesday, November 2024 Edition

Krebs on Security

NOVEMBER 12, 2024

The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451 , a spoofing flaw that could reveal Net-NTLMv2 hashes , which are used for authentication in Windows environments. Narang notes that CVE-2024-43451 is the third NTLM zero-day so far this year.

Authentication

Authentication Engineering Malware Passwords

FBI Hacker Dropped Stolen Airbus Data on 9/11

Krebs on Security

SEPTEMBER 13, 2023

Credentials stolen by info-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication cookies (these logs also often show up in the malware scanning service VirusTotal ).

Cybercrime

Cybercrime Passwords Authentication Malware

How 1-Time Passcodes Became a Corporate Liability

Krebs on Security

AUGUST 30, 2022

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. That’s down from 53 percent that did so in 2018, Okta found.

Mobile

Mobile Phishing Authentication Accountability

Okta: Breach Affected All Customer Support Users

Krebs on Security

NOVEMBER 29, 2023

20, 2023 that identity and authentication giant Okta had suffered a breach in its customer support department, Okta said the intrusion allowed hackers to steal sensitive data from fewer than one percent of its 18,000+ customers. For this reason, they can’t be locked down with multifactor authentication the way user accounts can.

Authentication

Authentication Accountability Passwords Antivirus

The FBI Warns About A Google Voice Scam That Is Not New, But Still Finding Plenty Of Victims

Joseph Steinberg

JANUARY 26, 2022

To do so, they ask you to perform a form of Google authentication in which, to confirm your identity, you need to provide them with a number that will be sent to your phone by either text or voice message. As such, the criminal’s request may seem innocuous, when it is anything but.

Scams

Scams Authentication Accountability Artificial Intelligence

The Internet is Held Together With Spit & Baling Wire

Krebs on Security

NOVEMBER 26, 2021

” Lumen told KrebsOnSecurity that it continued offering MAIL-FROM: authentication because many of its customers still relied on it due to legacy systems. Nevertheless, after receiving Korab’s report the company decided the wisest course of action was to disable MAIL-FROM: authentication altogether.

Internet

Internet Internet Authentication Telecommunications

Are You One of the 533M People Who Got Facebooked?

Krebs on Security

APRIL 6, 2021

From there, the bad guys can reset the password of any account to which that mobile number is tied, and of course intercept any one-time tokens sent to that number for the purposes of multi-factor authentication. Usually, this is a mobile app like Authy or Google Authenticator that generates a one-time code.

Mobile

Mobile Accountability Passwords Authentication

Can We Stop Pretending SMS Is Secure Now?

Krebs on Security

MARCH 16, 2021

But Lucky225 said the class of SMS interception he’s been testing targets a series of authentication weaknesses tied to a system developed by NetNumber , a private company in Lowell, Mass. Usually, this is a mobile app like Authy or Google Authenticator that generates a one-time code.

Telecommunications

Telecommunications Mobile Accountability Wireless

It’s Still Easy for Anyone to Become You at Experian

Krebs on Security

NOVEMBER 11, 2023

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. 9, 2022 and Dec.

Accountability

Accountability Authentication Passwords Identity Theft

GUEST ESSAY: Everything you should know about the cybersecurity vulnerabilities of AI chatbots

The Last Watchdog

FEBRUARY 20, 2024

Authentication and authorization vulnerabilities: Weak authentication methods and compromised access tokens can provide unauthorized access. Multi-factor authentication: Implement multi-factor authentication for administration and privileged users to enhance access control and prevent unauthorized entry.

Cybersecurity

Cybersecurity Penetration Testing Authentication Social Engineering

GUEST ESSAY: How the ‘Scattered Spiders’ youthful ring defeated MFA to plunder Vegas

The Last Watchdog

NOVEMBER 19, 2023

As the companies face nine federal lawsuits for failing to protect customer data, it’s abundantly clear hackers have checkmated multi-factor authentication (MFA). But the coup de gras was how easily they brushed aside the multi-factor authentication protections. How they steamrolled multi-factor authentication is a reason for pause.

Social Engineering

Social Engineering Passwords Authentication Marketing

Failures in Twitter’s Two-Factor Authentication System

Bypassing Two-Factor Authentication

Trending Sources

Defeating Phishing-Resistant Multifactor Authentication

Problems with Multifactor Authentication

Beware of Pixels & Trackers on U.S. Healthcare Websites

Using “Master Faces” to Bypass Face-Recognition Authenticating Systems

The Consumer Authentication Strength Maturity Model (CASMM)

Apple to Add Manual Authentication to iMessage

CASMM (The Consumer Authentication Strength Maturity Model)

Leaving Authentication Credentials in Public Code

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

Fooling a Voice Authentication System with an AI-Generated Voice

What Is Passwordless Authentication?

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

Passwordless Authentication without Secrets!

CVE-2024-8698: Keycloak Vulnerability Puts SAML Authentication at Risk

Not All MFA is Equal, and the Differences Matter a Lot

Man-in-the-Middle Phishing Attack

New iPhone Security Features to Protect Stolen Devices

CVE-2024-40715: Authentication Bypass Threat in Veeam Backup Enterprise Manager

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions

Backdoor Added — But Found — in PHP

RADIUS Vulnerability

Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

PIN-Stealing Android Malware

Google Workspace Authentication Vulnerability Allowed Thousands of Emails to be Compromised

Brute-Forcing a Fingerprint Reader

The Rise of One-Time Password Interception Bots

Recycle Your Phone, Sure, But Maybe Not Your Number

Crime Shop Sells Hacked Logins to Other Crime Shops

NIST Recommends Some Common-Sense Password Rules

Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services

Microsoft Patch Tuesday, November 2024 Edition

FBI Hacker Dropped Stolen Airbus Data on 9/11

How 1-Time Passcodes Became a Corporate Liability

Okta: Breach Affected All Customer Support Users

The FBI Warns About A Google Voice Scam That Is Not New, But Still Finding Plenty Of Victims

The Internet is Held Together With Spit & Baling Wire

Are You One of the 533M People Who Got Facebooked?

Can We Stop Pretending SMS Is Secure Now?

It’s Still Easy for Anyone to Become You at Experian

GUEST ESSAY: Everything you should know about the cybersecurity vulnerabilities of AI chatbots

GUEST ESSAY: How the ‘Scattered Spiders’ youthful ring defeated MFA to plunder Vegas

Stay Connected