Are our data safe? last week we were shocked by the news that lastpass, one of the most popular password managers, had been hacked and thousands of user accounts across the globe had been compromised. and we are not talking about an account in which we store photos, but about a system to which we trust all passwords.
These services promise, in theory, greater security by allowing the user to assign a password to each access and encrypt the content, and doubts soon arose. Is there anything really safe on the internet? There seems to be agreement among experts that two-step verification (that is, the service sends a temporary code to the mobile via SMS) is the most secure system. but our peace of mind will not last long, since symantec has warned of a very simple way to access accounts protected with double verification, such as gmail, for example. and in a few steps.
The security firm has found a vulnerability in the two-step verification method not so much in the system, but in its execution. In the case discovered by Symantec, the attacker must know two pieces of information about the victim in order to access his account: his email and her mobile. As you can see, it is not a very difficult information to obtain.
Once you have obtained this data, the operation of this fraud practice is as follows: the user tries to access one of the services that use this security method and deliberately enters a wrong password (after all, he does not know the real password). ). From that point on, the system alerts of the error and proposes its recovery, sending a security code via text message to the mobile.
This is where the security method falters, as you might guess, due to human intervention. Once the sms to gmail has been requested, the attacker sends another text message from a mobile identifying himself as google and warning that the account is being attacked and that this message must be answered indicating the code that will arrive in another sms.
put yourself in the shoes of the victim: a sequence of messages with just a few seconds of difference and the alert of an attack on your account. if you get caught with your head somewhere else or you’re not very tech-savvy, it’s easy for the impulse to send the security code to the hacker, who with it, will be able to access the account with a new password . Graham Culley also warns of an added danger of this attack.
the victim sooner or later will realize unwanted access to his account, and the first thing he will change the password, thinking that with this action the nightmare will end. but not. the hacker will continue to access your mail from the program with which you have configured it unless the victim modifies the accesses in the configuration, something that, logically, not everyone will take into account or be able to do.
First of all, common sense
how to prevent this attack? we often have a false sense of security in believing that we won’t be stupid enough to fall into the trap, but unfortunately, our level of alertness can drop under certain circumstances. symantec explains that no service will ask you for a reply to a message or mail. the same thing happens with banks, which take care to inform their clients well that they will never request information from them via email.
In this horrible week of internet security, another giant, apple, in this case, is also in the hunt. not because of one but because of several weaknesses in its different security systems. In the case of those from Cupertino, several patches are already being worked on to solve this situation, and in the meantime, our best ally will always be common sense.