Search This Blog

Showing posts with label One Time Password. Show all posts

Apple Engineers unveils a proposal to standardize the two factor authentication process and Google backs it up!


Apple known for it's off the charts security features was recently troubled with hacks, malware and phishing attacks staining its reputation and customer trust. And to counter that, Apple has again risen to strengthen its security and user experience - the tech company is planning on standardizing two-factor authentication (2FA) to prevent security issues and phishing scams.

PhoneArena.com reported that Apple engineers have put forward a proposal to enable a standardized format for a two-factor authentication login method where users receive a one time password (OTP) via SMS during login. The suggestion was given by engineers of Apple Webkit, from the Safari browser - the default mackintosh browser. The suggestion was also backed by engineers working on Chromium, Google.

The feature would use SMSs containing the login URL. Usually, with two-factor authentication users have to see their mobile or write down the code and then try to login which makes the whole process long and frustrating but Apple always tries to give the customer the best experience and to tackle this they have come up with a standardize and automated method.

What's different with this feature than the other two factor authentications is that it will standardize the process and format for the browser and mobile applications. The incoming messages will be easily identified by the browser or mobile applications, the browser will recognize and identify the web domain in the SMS and automatically extract the One Time Password (OTP) and complete the login. This will prevent the user from being scammed as the process will be automated and the browser or the mobile app will recognize the authentic source.

 According to the report, "The proposal has two goals. The first is to introduce a way that OTP SMS messages can be associated with a URL. This is done by adding the login URL inside the SMS itself. 
The second goal is to standardize the format of 2FA/OTP SMS messages, so browsers and other mobile apps can easily detect the incoming SMS, recognize web domain inside the message, and then automatically extract the OTP code and complete the login operation without further user interaction." 
After enabling the feature, browsers and apps will be automated and complete the login through 2FA (two-factor authentication ) by obtaining the OTP. In case of a mismatch, the automatic process will fail and the user will be able to see the website URL and complete the login process.

Russian Telegram Accounts Hacked by Intercepting One Time Password (OTP)


According to a firm Group-IB, in the last few weeks a dozen Russian entrepreneurs saw their Telegram accounts hacked. And what's disturbing is the way these accounts were accessed. The attackers intercepted the codes used to authenticate user and give access.

A Telegram App logo in QR code

 How the attackers gained access?

In normal procedure, whenever someone logs into Telegram using a different device, a one-time password (OTP), is texted to them and the user can log into their account using this secret code. Now, these hackers managed to access this one-time secret code and snooped on Telegram chats of various users.

Dmitry Rodin, one of the victims of this attack, runs a coding school in Russia. He told the media, he was given a warning by telegram, that someone is trying to access his account. He ignored the notification but another notification came saying some has successfully logged in from Samara, Russia, he immediately terminated all active sessions except for his.

Like Group-IB, he also believes that there was a problem with the telecom operators or his phone was hacked and not the messaging app Telegram. “Perhaps someone logged into my account by intercepting the SMS, which suggests that there might be a problem on the side of the telecom operator,” he said. “This means that other accounts using SMS as an authentication factor are also threatened.” 13 such cases have been reported so far.

"However, this number is likely to increase since we are speaking about a new threat, which has just started spreading,” a company spokesperson said.

 Is SS7 being abused?

The most worrying part is that One-time password (OTP) were hacked, if this hypothesis is indeed true then we are looking at a very big security threat as this technology is used in many log-ins and financial transactions. Another hypothesis is that victim's devices were hacked and the attackers were spying on their messages but Group-IB found no traces of such activity on the victims' phones. And thus Group-IB is tilting towards a mobile network SS7, that's being abused.

Forbes reported, "Think of SS7 as the part of telecom infrastructure that deals with shifting users between networks as they travel abroad. It also manages the changes in charges when traversing different nations’ networks. But in recent years, hackers have learned that if they can get leverage on that network they can silently intercept text messages. Previously, such attacks have been used in bank account breaches and by surveillance companies."

Now, this same network could be used for hacking Telegram accounts.

 Selling access to accounts on the dark web 

Group-IB also suspects that access to these accounts is being sold on the dark web-based Hydra forum for 3,900$ as well as selling access to WhatsApp messages and user info. Now, they think that these could be linked.

“What made us think that the attacks might have something in common with these advertisements is the fact that the incidents coincided with the time the posts were published,” the company spokesperson added.“But we cannot rule out that there are far more connections between these  two events, which is yet to be established in the course of an investigation.”