Alternative Ways to Protect Yourself from Being Spearfished

Originally published at: https://tidbits.com/2020/01/31/alternative-ways-to-protect-yourself-from-being-spearfished/

Having good passwords may protect you from drive-by attacks, but if you are individually targeted, online thieves can steal your cell phone number and reset all your passwords in minutes. Google Voice used with two-factor authentication is an answer for those for whom authentication apps don’t work well.

I am a huge fan of authenticator apps (I use OTP Auth), and with Apple’s Handoff technology, authenticators are a breeze to use (copy on the iPhone, paste on the Mac). I have a work-around for what was cited as a limitation: “If an assistant, colleague, or consultant needs to access an account, both people have to configure the authenticator app for the account at the same moment, with the same seed.”

When the QR-like code (or seed number) is on-screen, I print a hard copy – which I store in a very safe location (e.g., safe deposit box or equivalent). This can be used any time later to seed another device, such as an assistant’s (and is a great backup in case an iPhone is lost or destroyed).

Ivan, I would have named that section of the article “The Utility of Authenticator Apps” and I suggest you look into OTP Auth (which isn’t pretty, but it is very well designed) for your clients.

This brings up a question: I have exactly one account that supports authentication, for which I use the built-in feature of 1Password. I remember it was slightly tedious to set up, but once done, it’s worked great for the last couple of years.

But I was disturbed to read in the article about this possibly breaking when you get a new phone. Then I realized I’ve gotten at least two new phones since I set it up and it still works fine. Is that because I’m using 1P instead of a different app? There was no QR code to save or print out that I remember.

While I got authenticator working, I remember being frustrated that there was zero info about exactly how it worked or what was going on. I’m assuming it’s secure, and it seems way better than SMS (the other choice), but the whole thing is rather mysterious.

I do wish more sites, especially banking and financial sites, supported more than just SMS for two-factor.

Google Authenticator is the main culprit with losing data between iPhone upgrades. Mine is completely empty now, even though I used it quite a bit before I found Authy (which syncs online).

The problem is that Google Authenticator was among the first, and is probably the best-known of these apps, even though it’s the worst.

I use Authy, but have never been able to get it to work on the Mac so I’m always looking up 2FA codes in its iOS widget and then typing them into the Mac.

Behind the scenes is a well-known, open algorithm, described in this Wikipedia article: HMAC-based One-time Password algorithm. Any device using this approach simply starts with the seed code, and calculates the current value. Keeping the seed code safe is the key to security (hence my suggestion of printing it and storing the paper safely).

I tend not to trust free software, and am willing to pay a little for software authored by a reputable source with a business motive to sell product (not your data). Good OTP authenticators take the extra step of being locked either by a passcode/PIN or biometrics (TouchID or FaceID), and encrypting the keys on the device (using the PIN or biometrics to decrypt them). I don’t use Google’s anymore.

Although 1Password and LastPass can handle OTP authentication, my recommendation is not to put both factor “eggs in one basket.” In the very unlikely event that one of them is breached, an attacker will have both factors.

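What “starts with the seed code, and calculates the current value” means in practice, as an added example that is not part of any post in this thread: authenticator apps generally use the time-based variant (TOTP, RFC 6238) of the HOTP algorithm named above, so any device holding the same seed derives the same code. The seed below is the published RFC 4226 test secret, used here as a constructed sample; the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 4226 test secret "12345678901234567890",
# base32-encoded the way authenticator QR codes carry it. Not a real account.
SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    cleaned = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP where the counter is the number of 30 s steps elapsed."""
    return hotp(seed_b32, unix_time // step)


def verify(seed_b32: str, code: str, unix_time: int,
           drift_steps: int = 1, step: int = 30) -> bool:
    """Server side: accept adjacent time steps to tolerate clock drift."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed_b32, counter + d), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    now = 59  # fixed timestamp so the output is reproducible
    phone = totp(SEED_B32, now)          # device enrolled from the QR code
    from_printout = totp(SEED_B32, now)  # second device seeded later from paper
    # Same seed, same time -> same code; the seed is the only secret.
    print(phone, from_printout, verify(SEED_B32, phone, now + 20))
```

Nothing but the seed and the clock goes into the calculation, which is why a printed QR code can enroll a second device later and why anyone who obtains that printout can generate valid codes.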

For the Mac, I use the Authy Desktop app that appeared recently. It works like a charm although by appearance, it appears to be a Catalyst app, so its UI is less than terrific. Nevertheless, I’ve been using it for Mac authentication. Download it from https://authy.com/download/

Ah, I remember what happened. I’d had some trouble with the Chrome extension that was eventually resolved by Authy support telling me to delete it and reinstall. And then I switched to Brave and forgot to reinstall the extension. So I do have it working on the Mac now. It’s not great, but better than pulling out my iPhone each time.

@davidson if you have the organization and infrastructure to print and save QR codes, that’s super smart. Also, I haven’t checked out OTP Auth. Thanks for the tip.

I’d still be interested in any feedback as to whether SMS codes via Google Voice present any significant security flaws.

What’s dangerous about using normal SMS is that carriers do not make it difficult to SIM jack a phone, meaning that a clever person can trick a carrier to activate a new SIM on your line to them rather than you, and then that person gets all of your SMS messages (and phone calls, but for two factor auth that uses SMS, obviously that’s the vulnerability.)

A Google Voice number doesn’t use a SIM, so you are protected so long as your Google account is protected. However, you’d definitely want to turn off the message forwarding option that forwards any messages received on the Google Voice number to your cell phone number - you’d again be vulnerable to SIM jacking. You want to get the messages from the Google Voice app. The security “flaw” would be only that your Google account is sufficiently protected (strong password with two factor auth.)

Authy works on Apple Watch as well.

@ace I had the same bad experience with Google Authenticator, and I think you said this well. It’s the one I see most frequently suggested on web sites for 2FA, as well.

I use Authy as my 2FA application for Google Authenticator codes. I have versions on my iPhone, iPad, Apple Watch, and Mac computers (see my earlier comments about Authy Desktop). As I use Safari as my primary web browser, I don’t have it directly linked to my web browsing and must paste or type any of the codes.

You would think the Watch version (which I keep readily accessible in the Dock), would be one that I most often use, but it has one major failing; for some sites, there is no text showing the name of site being used–only the user name. Those sites, in other implementations, use the associated graphic to identify the site, but the Watch app only shows a generic graphic. So the watch app can be ambiguous for sites that use my usual email address for logging into them. Other implementations of Authy do show any associated graphics.

So, my usual procedure has become to start Authy on the device I am using during the login procedure; start the login in the app; and go to the appropriate Authy pane to get the code. If less than 15 seconds remain until a new code is generated, wait; otherwise, hit the 'copy to clipboard' button and then go to the login page, paste the code, and tap enter. That usually allows enough time for the site to process the code before it changes.

So it sounds like 1P stores the “seed” in your vault so it remains valid even after device swaps, which makes sense. It also works between devices, which is good.

I’m not too worried about 1P holding both password and 2FA code; if someone gets into my 1P, I’m screwed anyway, so it’s not likely to matter that they have both. It’s worth the microscopic risk to keep things simpler and just have one app to hassle with.

The one thing I want to know. The only thing that interests me is how exactly did Bezos’ iPhone X get hacked with a simple video on WhatsApp?

Is there an issue with WhatsApp? If so, why would WhatsApp gain access to your entire phone? Is there a known bug in iOS? Was there a profile sent to Bezos and he had it installed that gave them access to everything on his phone? Did they have physical access to his phone?

Being an iPhone owner, I’d like to know exactly what types of attacks can be used on what is supposed to be the most secure device on the market.

The simple answer is that the details are not yet known, and the hack of the phone by a WhatsApp video remains a claim, not a publicly demonstrated and proved fact. We can assume that this was a security flaw in iOS as it existed two years ago, when this alleged hack reportedly happened, and, if true, is a security flaw that has since hopefully been patched.

The NY Times had an article about this: https://www.nytimes.com/2020/01/22/technology/jeff-bezos-hack-iphone.html and it was originally reported in the Guardian: https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince

All that is publicly known at this point is in those two articles.

Yeah, I realize there isn’t a lot of information. Most security issues in iOS tend to be small leaks — a way to access someone’s contacts, etc. Rarely is it some exploit that lets you download everything on the phone.

However, I did find this article about several security flaws:

Google security researchers have discovered a total of six vulnerabilities in Apple’s iOS software, one of which the iPhone manufacturer has yet to successfully patch. ZDNet reports that the flaws were discovered by two Google Project Zero researchers, Natalie Silvanovich and Samuel Groß, and five of them were patched with last week’s iOS 12.4 update, which contained several security fixes.

All of the vulnerabilities discovered by the researchers are “interactionless,” meaning they can be run without any interaction from a user, and they exploit a vulnerability in the iMessage client. Four of them (including the as-yet-unpatched vulnerability) rely on an attacker sending a message containing malicious code to an unpatched phone and can execute as soon as a user opens the message. The remaining two rely on a memory exploit.

This may be the right timeframe, and if it is, it looks like these vulnerabilities have been patched. However, I guess we don’t know what the next state-backed hacker group has already discovered and is keeping secret.

The stuff I’ve seen about keeping your phone safe about the hack are things like "Don’t click on email links and enter your password. Always lock your iPhone." Maybe this is good advice, but it doesn’t stop these state actors.

An expensive zero-day exploit (or multiple) that hadn’t yet been patched in WhatsApp (and likely is now, for sure). Repressive dictatorships typically pay gray-hat surveillance firms who routinely purchase zero days, sometimes for very large amounts of money, to deploy those. A few years ago, the United Arab Emirates allegedly hijacked a UAE activist using three zero-days delivered through a single text message.

iPhone vulnerabilities? First two articles are from exactly 1 year ago, describing hacking that occurred earlier:

Inside the UAE’s secret hacking team of American mercenaries - Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy — dissidents, rival leaders and journalists.

UAE used cyber super-weapon to spy on iPhones of foes:

and then a followup article in April by the same authors:

American hackers helped UAE spy on Al Jazeera chairman, BBC host

“Karma provided Raven operatives access to the contacts, messages, photos and other data stored on iPhones. It did not allow them to monitor phone calls.”

“The hacking of Americans was a tightly held secret even within Raven, with those operations led by Emiratis instead. Stroud’s account of the targeting of Americans was confirmed by four other former operatives and in emails reviewed by Reuters.”

I’m a big fan of the Google Voice method for exactly what Ivan proposes. And his list of drawbacks is dead on. I’ve been using Google Voice for certain financial accounts when either I can’t use my main phone number (because it’s associated with another account at the same institution, and that institution has a one phone-per-institution limit!) or for access when I’m traveling.

I discovered a couple of years ago that due to (smart) protections added to my credit-union accounts, logging in from an unusual location would prompt a requirement to enter a second factor texted to a phone number. Unfortunately, at the time, I was in the UK and was using a local SIM, so I was unable to access text messages sent to my US number! I switched authentication on my return to a 2FA-protected Google account’s Google Voice number. (I wrote this up for Macworld’s Mac 911 in December, along with some other suggestions.)

Ideally, 2FA systems would let you entirely disable the use of text messaging, but I also agree with Ivan that most people can’t navigate the complexity of using 2FA with current setups. 2FA with SMS can be better than nothing, but for systems that let you use a text message to receive a password reset, a password-only account could be safer than a 2FA one! Someone can be unable to obtain my password, but steals my number via SIM hijacking — in this case, for sure, the Google Voice idea is much better than plain SMS.

Another thing not mentioned: Use differing email accounts. Many email services allow you to fudge the service. For example, periods in user email address names in GMail are meaningless. You can add periods to your gmail address to make it different for each service you use that email address as a user account:

david19@gmail.com
d.a.v.i.d.1.9@gmail.com
david.19.@gmail.com

are all the same email address to GMail.

In FastMail, I can append a pound sign, and then add anything I want after the pound sign:

david19#qwehqwewe@fastmail.com
david19@fastmail.com
david19#feb192019@fastmail.com

are all the same email address.

It’s pretty easy to see the actual email address, but the hacker doesn’t know how it was modified as the user name from account to account. One of the first things a hacker does when they break into service A is they go to service B and try the same user name and password. Now, they don’t know the user name or the password.
