  1. #11
    Former KM Senior Tech 500+ Posts srvctec's Avatar
    Join Date
    Oct 2009
    Location
    Central Kansas
    Posts
    827
    Rep Power
    63

    Re: Two Factor Authentication

    Quote Originally Posted by SalesServiceGuy View Post
    Is it possible to defeat 2FA by "SIM-jacking"?

    The mobile phone fraud scam has jumped up in popularity over the past couple of years, and there's very little to stop you from becoming a victim.

    https://www.vice.com/en/article/3kx4ej/sim-jacking-mobile-phone-fraud


    This relatively new crime is known as "SIM-jacking", and works like this: perpetrators obtain important details about their victims either by scouring social media or conning them into divulging personal information. Using these details, they pose as their victims, convince network providers to transfer their numbers to new SIM cards and post out those SIMs. Once the swap is complete, messages containing codes for those two-factor authentication systems we now all have can be intercepted, and fraudsters can hop into your email, social media or mobile banking accounts.

    SIM-jacking differs from other forms of hacking in that it doesn't require any technical know-how; all you need is a conman's skills of persuasion and a basic grasp of identity-theft. This is perhaps why it's growing at such a rapid rate, with incidents jumping 60 percent between 2016 and 2018.

    "One of the reasons SIM-swap attacks are so effective is that many mobile phone carrier representatives are easy to socially engineer," explained a former black hat hacker, who dabbled in SIM swaps before going straight and becoming a white hat hacker. "An attacker can call your phone provider, pretend to be you and spin some story to get the support agent to transfer your number to a SIM. If he runs into any friction, he can hang up and try again with another agent."

    ... if you receive 2FA passwords as a text message on your cell phone and someone successfully SIM-jacks your phone, 2FA is defeated.

    Exactly why I switched to Aegis several months ago.
    Started in the copier service business in the fall of 1988 and worked at the same company for 33.5 years, becoming the senior tech in 2004 but left to pursue another career on 4/29/22.

  2. #12
    Service Manager 10,000+ Posts
    BillyCarpenter's Avatar
    Join Date
    Aug 2020
    Location
    Long Beach, Mississippi
    Posts
    13,375
    Rep Power
    448

    Re: Two Factor Authentication

    There's a lot of information to take in with this thread. It does pique my curiosity, though.


    But I'm still unclear about 2FA as it relates to a copier. My understanding is that 2FA is only required when first setting up an email account. Why would anyone want to have to go through the headache of 2FA every time you log into an email account? Doesn't make a lot of sense to me.

    What would make sense to me is if you had to go thru 2FA every time you tried to access your email account using new computer/device. I can see that being helpful.

  3. #13
    Senior Tech 100+ Posts
    M94's Avatar
    Join Date
    Jul 2020
    Location
    Soldotna
    Posts
    158
    Rep Power
    33

    Re: Two Factor Authentication

    Quote Originally Posted by BillyCarpenter View Post
    There's a lot of information to take in with this thread. It does pique my curiosity, though.


    But I'm still unclear about 2FA as it relates to a copier. My understanding is that 2FA is only required when first setting up an email account. Why would anyone want to have to go through the headache of 2FA every time you log into an email account? Doesn't make a lot of sense to me.

    What would make sense to me is if you had to go thru 2FA every time you tried to access your email account using new computer/device. I can see that being helpful.

    It depends on the situation and the level of security required. Yes, having 2FA constantly run can be tedious/annoying. They should all have options for how often, or other triggers. New area login type stuff etc. That being said, I've already mentioned elsewhere but I work at a local IT company; if one of my more central data storages was compromised the attacker would have access to an uncomfortable amount of medical data as well as security information on many local companies, their records etc. The HIPAA fallout alone would be tens of thousands in fines in the wrong situation. What this is all getting to is yes, for these higher sensitivity objects it takes several steps and involves an authenticator on my phone. The authenticator acts essentially like a dedicated 2FA but it expires every 30s and you need to log into my phone, and the authenticator app itself, to get anywhere. Meaning in total, assuming my phone and laptop were already on (I also have startup keys on both), you would need 2x passwords on my phone and one on the device you were trying to log in to in order to get anywhere, and you would have to do 2 of those passwords within that 30 second window to get into that particular pile of data.

    Obviously this is a potentially worst case scenario, and many would say I'm going overkill but I feel that it keeps my company and my clients as safe as possible so it's one of the places I am as thorough as I can possibly be.

  4. #14
    Service Manager 10,000+ Posts
    BillyCarpenter's Avatar
    Join Date
    Aug 2020
    Location
    Long Beach, Mississippi
    Posts
    13,375
    Rep Power
    448

    Re: Two Factor Authentication

    Quote Originally Posted by M94 View Post
    It depends on the situation and the level of security required. Yes, having 2FA constantly run can be tedious/annoying. They should all have options for how often, or other triggers. New area login type stuff etc. That being said, I've already mentioned elsewhere but I work at a local IT company; if one of my more central data storages was compromised the attacker would have access to an uncomfortable amount of medical data as well as security information on many local companies, their records etc. The HIPAA fallout alone would be tens of thousands in fines in the wrong situation. What this is all getting to is yes, for these higher sensitivity objects it takes several steps and involves an authenticator on my phone. The authenticator acts essentially like a dedicated 2FA but it expires every 30s and you need to log into my phone, and the authenticator app itself, to get anywhere. Meaning in total, assuming my phone and laptop were already on (I also have startup keys on both), you would need 2x passwords on my phone and one on the device you were trying to log in to in order to get anywhere, and you would have to do 2 of those passwords within that 30 second window to get into that particular pile of data.

    Obviously this is a potentially worst case scenario, and many would say I'm going overkill but I feel that it keeps my company and my clients as safe as possible so it's one of the places I am as thorough as I can possibly be.

    I like the way you think, M94.

    All of that makes perfect sense to me. Here's my question: If 2FA is running constantly, I'm guessing that email account isn't gonna work for SMB?

  5. #15
    Service Manager 5,000+ Posts tsbservice's Avatar
    Join Date
    May 2007
    Posts
    7,100
    Rep Power
    346

    Re: Two Factor Authentication

    Quote Originally Posted by BillyCarpenter View Post
    ...
    Here's my question: If 2FA is running constantly, I'm guessing that email account isn't gonna work for SMB?

    I'm a bit confused...you can still use MFP to send emails even with 2FA.
    A tree is known by its fruit, a man by his deeds. A good deed is never lost, he who sows courtesy, reaps friendship, and he who plants kindness gathers love.

    Blessed are they who can laugh at themselves, for they shall never cease to be amused.

    I don't reply to private messages from end users.

  6. #16
    Service Manager 10,000+ Posts
    BillyCarpenter's Avatar
    Join Date
    Aug 2020
    Location
    Long Beach, Mississippi
    Posts
    13,375
    Rep Power
    448

    Re: Two Factor Authentication

    Quote Originally Posted by tsbservice View Post
    I'm a bit confused...you can still use MFP to send emails even with 2FA.

    I'm confused, too. At some point I'm gonna experiment and find out for myself.

    From what I gather, there are different levels of 2FA. One you only have to do when setting up the email account and another you have to use 2FA every time you log into an email account and the authentication password expires after a very short time.

    I could be wrong but that's what I gather.

    PS - I'm not sure about using a 2FA for sending only. Anyone?

  7. #17
    Senior Tech 100+ Posts
    M94's Avatar
    Join Date
    Jul 2020
    Location
    Soldotna
    Posts
    158
    Rep Power
    33

    Re: Two Factor Authentication

    Quote Originally Posted by BillyCarpenter View Post
    I'm confused, too. At some point I'm gonna experiment and find out for myself.

    From what I gather, there are different levels of 2FA. One you only have to do when setting up the email account and another you have to use 2FA every time you log into an email account and the authentication password expires after a very short time.

    I could be wrong but that's what I gather.

    PS - I'm not sure about using a 2FA for sending only. Anyone?

    I'm still new to copiers, so the only time 2FA was an issue (Microsoft account) all we had to do to resolve it was log in to a web browser from the same location and complete 2FA. I assume with a Google account an app password is an acceptable response. But no, the way my email is set up it could never be used for SMTP or SMB; we use dedicated addresses on a per device basis that don't have account level access to ANYTHING except maybe the permissions required for also doing SMB to a specific location.

  8. #18
    Service Manager 10,000+ Posts
    BillyCarpenter's Avatar
    Join Date
    Aug 2020
    Location
    Long Beach, Mississippi
    Posts
    13,375
    Rep Power
    448

    Re: Two Factor Authentication

    Quote Originally Posted by M94 View Post
    I'm still new to copiers, so the only time 2FA was an issue (Microsoft account) all we had to do to resolve it was log in to a web browser from the same location and complete 2FA. I assume with a Google account an app password is an acceptable response. But no, the way my email is set up it could never be used for SMTP or SMB; we use dedicated addresses on a per device basis that don't have account level access to ANYTHING except maybe the permissions required for also doing SMB to a specific location.

    Oops....I said SMB. I meant to say SMTP.

    This has been enlightening. I'm always grateful when I can learn from others. Cheers.

  9. #19
    Senior Tech 100+ Posts
    M94's Avatar
    Join Date
    Jul 2020
    Location
    Soldotna
    Posts
    158
    Rep Power
    33

    Re: Two Factor Authentication

    Quote Originally Posted by BillyCarpenter View Post
    Oops....I said SMB. I meant to say SMTP.

    This has been enlightening. I'm always grateful when I can learn from others. Cheers.

    I just assumed you meant in a situation where there has to be an account associated with the share folder (to prevent it from just being an open share).
    I got to learn about this when my coworker graciously pointed out the potential problems with insecure shares by pointing a random data generator at it and filling my laptop to within 500 MB of its total storage capacity.

  10. #20
    Service Manager 5,000+ Posts
    SalesServiceGuy's Avatar
    Join Date
    Dec 2009
    Location
    Nova Scotia
    Posts
    7,698
    Rep Power
    223

    Re: Two Factor Authentication

    Google is going to start automatically enrolling users in two-step verification

    If you use Google services, get ready for two-step verification to become the norm.


    Google will soon start pushing more Gmail users and Google Account holders to enable two-step verification — the extra layer of security that can protect people when their credentials have been phished or exposed through a data breach.

    May 6 is "World Password Day" which is largely about making people less reliant on them for securing online accounts.
    Google's contribution this year is to nudge more people into enabling two-step verification, otherwise known as two-factor authentication.

    Today, Google prompts its two billion Gmail users to enroll in two-step verification (2SV) but soon it will be automatically enrolling users.

    "Soon we'll start automatically enrolling users in 2SV if their accounts are appropriately configured. (You can check the status of your account in our Security Checkup)," Mark Risher, director of product management in Google's Identity and User Security group, notes in a blogpost.

    "You may not realize it, but passwords are the single biggest threat to your online security – they're easy to steal, they're hard to remember, and managing them is tedious," he says.

    That second factor, be it a security key or a smartphone, means that someone in possession of your username and password — in most cases — can't log into your account unless they have physical access to your device.
