Pages:
Author

Topic: Brutal Truth (Read 489 times)

member
Activity: 103
Merit: 10
August 14, 2019, 05:16:15 AM
#21
Many people use the same password for their email as they do for their exchange accounts, and some exchanges will allow password reset emails to be sent to the same email which is being used to 2FA. Therefore you are reducing the security of your exchange account from 2 factors to 1, since both factors can be compromised with access to your email.


Thanks for quoting the above lines. It is actually risky thing to keep same password to exchange and gmail or having same password to multiple account. If the password is hacked or know then all of the accounts are gone(I mean as you said reduced to one factor authentication). And in this case if we have a weak second FA like SMS or email confirmation then it is like we have risked our accounts.

member
Activity: 141
Merit: 19
July 26, 2019, 08:21:11 AM
#20
I do fined it difficult to operate with google authentication. I do fined it confusing cos not everyone knows how to operate on it when asked to fill in your google authentication number. That's why so many people don't know or make use of it

I would suggest you to give it a try. When I comes to fund security investing some time is worth it. Also, the time you take out to know authy or google authenticator is not a waste it is an investment of time to secure your funds.
legendary
Activity: 2758
Merit: 6830
July 24, 2019, 01:20:49 PM
#19
Google authenticathor doesn't support this as well. I didn't knew bitwarden allowed.
They do in their pro version (only $10/year).

Quote
But you can always check the keys on the origina website where you activated the 2fa, and with Authy you won't have problems accessing those accounts.
99% of the websites don’t let you see your 2FA code (for obvious reasons). So you will actually need to disable it and enable again on Bitwarden, which is boring af. Some even have limitations for when you restart your 2FA (e.g Steam with the trade limitations).

I honestly don’t see any reasons why anyone would use an 2FA app like this when there are so many better open source alternatives that let you export your codes.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
July 24, 2019, 12:17:11 PM
#18
SO don't use Authy if you want access to your TOTP codes, you'll thank me later.

Google authenticathor doesn't support this as well. I didn't knew bitwarden allowed.

But you can always check the keys on the origina website where you activated the 2fa, and with Authy you won't have problems accessing those accounts.
full member
Activity: 154
Merit: 128
July 24, 2019, 11:31:04 AM
#17
Just on the topic of Authy, I wanted to make a point here:

Authy is great, but if you plan to use your TOTP codes in other places, please consider the absolute PAIN it is to access your own codes. Authy probably does this more as a security measure, but it's seriously annoying.

For example, in my case I use Bitwarden, and wanted to store my TOTP codes in there (for the autofill 2fa, which is super convenient), little did I know though, it's not that simple.

I did find a GitHub page explaining how to extract the "keys" from Authy via Chrome (weird) but the time I tried it, it never worked. It's most likely possible but it's a huge pain and a lot of people don't know about it.

SO don't use Authy if you want access to your TOTP codes, you'll thank me later.
member
Activity: 560
Merit: 14
July 23, 2019, 02:35:53 AM
#16
I do fined it difficult to operate with google authentication. I do fined it confusing cos not everyone knows how to operate on it when asked to fill in your google authentication number. That's why so many people don't know or make use of it
member
Activity: 244
Merit: 43
July 22, 2019, 10:59:57 AM
#15
The point of 2-fa wasn't to make an account bullet-proof, but to significantly improve security without being huge inconvenience.

For the average person, 2-fa is sufficient security. In order to login to one of your accounts, the hacker would have:

     [1] Your password

     [2] Your username

     [3] The website

     [4] Your phone

So unless you are worried about your roommate stealing phone and knowing all of this stuff, you are pretty safe.


Edit: As the post above me says: be careful with your TOTP codes. Even though a lot of people think they are harmless because they expire, they don't expire immediately. Often you can still use the code for up to 30 minutes, giving the hacker plenty of time to login and disable 2-fa + anything else.


Most important thing to realize: You are probably the biggest threat to your own security, always double check.

Yea I agree with the "you are probably the biggest threat to your own security" statement for sure. The most common incident I hear related to 2-fa is about someone losing or breaking their phone when they didn't backup their TOTP codes.

This is why I always recommend to use Authy (as some others have mentioned) because it is based on your phone number and you can always recover your codes. It is pretty secure, and at least you don't have to worry about backups which are a real hassle for the average person and they are likely to just forget about it.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
July 22, 2019, 02:32:52 AM
#14
Just remember Authy and Google authenticator is also a third part in this scenario and are also prone to vulnerabilities. We have seen this before, with https://shahmeeramir.com/4-methods-to-bypass-two-factor-authentication-2b0075d9eb5f and https://99bitcoins.com/which-cryptocurrency-sites-are-impacted-by-authy-2fa-security-exploit/

Also remember that Google is one of the companies working with the 3 letter agencies to provide sensitive information to governments.  Roll Eyes  Big brother creates their own tools to spy on people.  Roll Eyes
legendary
Activity: 2702
Merit: 4002
July 22, 2019, 02:27:04 AM
#13
You do not explain why these options are useless:
It is easy to hack your text messages using what is known as SIM swapping ----> https://en.wikipedia.org/wiki/SIM_swap_scam.
Any virus of your phone may cost you a lot.

This does not mean that Authy or google authenticator can not be hacked. But are more safer than SMS or email authentication.
All these options will be useless if you are neglected, so primitive advice may be useful.
Avoid downloading software randomly
Avoid Clicking on all links.
and so on.
member
Activity: 190
Merit: 15
Customer Support at https://coinswitch.co/
July 22, 2019, 12:59:24 AM
#12
It's a tough call to take, weather to go with GA, for 2FA, or choose a hardware wallet, In case of google authenticator, if you lose your phone and you have not backed up your keys, you may not be able to access the accounts for which you have set up 2FA. In case of hardware devices for 2FA. Even they can be hacked. What I mean is it is actually a Brutal Truth, everything is hackable. You just have to trust on the companies like google who claim to be hack proof.
member
Activity: 92
Merit: 15
Baronets is the Jet Cash domain management service
July 22, 2019, 12:56:15 AM
#11
Some sites are using 3FA ( three factors ), it isn't as convenient, but it does add another layer of security. Some also register access devices, and require extra authentication if you use a new device. I have a small card reader for my bank account, and this generates a one time access code for my account if the card reader, bank card, and PIN are all matching the account details.

member
Activity: 574
Merit: 14
July 21, 2019, 06:13:20 PM
#10
Point being made, your sms can be hijacked by hackers. It is possible to clone your phone number, cdma are more vulnerable in this regard. G.A offer better security
sr. member
Activity: 906
Merit: 263
July 21, 2019, 06:05:04 PM
#9
Just remember that none of this helps if you don't backup your backup passphrase to restore the F2A if you lose access to your phone. People always seem to forget to mention this and it is just too important not to.
I lost some funds because I lost access to a phone and I did nt realize they have me a phrase I should have backed up. I didn't understand how it quite worked so don't do what I did. Make sure when you open an account or edit it that you can restore it. This goes with all wallets, websites, the phone unlocks and whatever else. If you cannot restore your account you cannot get it back. So when you implement security measures make sure you do not lock yourself out in doing so
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
July 21, 2019, 04:48:56 PM
#8
It is not the best choice to do by using email or your phone number (SMS) to activate 2FA security feature when there is another way which most of the time it is what they have used to have 2FA in your account by using authenticators like Authy or Google Authenticator. I have created a thread before on how to activate 2FA in your account using google auth or authy which I did use both authenticators to activate 2fa in an site where there is a feature that you can enable 2FA to increase your security. Using email or sms will help them know about your email and the number that you are using.
legendary
Activity: 3024
Merit: 2148
July 21, 2019, 03:09:17 PM
#7
So if SMS or Email isn't the correct 2FA to use (Which I agree with somewhat) What do you recommend people to use? Google Auth? Even Google Auth can be hacked and it did happen in the past if you look up on Google. A good 2FA to me is to have a physical device with buttons like a hardware wallet that only you should own to confirm access when you logging.It already exists such devices but they are not implemented in most services unfortunately.

Simply saying that something can be hacked doesn't discredit it, because with enough money and determination anything can be hacked. What you should be looking at is the probabilities hacks and how hard it is for hackers to do so.
This is why OP is correct when they say that Google Auth is better than SMS and Email - mobile numbers get hijacked with social engineering, emails get hacked when passwords are weak or being reused, but mobile devices have much better security, they don't allow problems to read/write anything they want, which makes it very hard for malware to steal some sensitive data. Google Auth is good for most users, unless they are whales who move millions in and out of exchanges.
legendary
Activity: 2268
Merit: 18748
July 21, 2019, 02:51:25 PM
#6
Many people use the same password for their email as they do for their exchange accounts, and some exchanges will allow password reset emails to be sent to the same email which is being used to 2FA. Therefore you are reducing the security of your exchange account from 2 factors to 1, since both factors can be compromised with access to your email.

Using SMS is a poor choice, not only because of old style intercepting or hacking your communications, but because it is pretty easy to social engineer access to your phone number. Scammers will phone up your mobile provider, and with a few details about you (details which most people will have openly shared on their social media accounts), they can transfer your number to a new SIM under their control.

And yes, the hacker most likely hacked the victim's phone to get into his app which is something that anyone can be exposed to if not being careful
Google Authenticator will work offline, so if this is your concern, then run it on an air gapped device.
full member
Activity: 154
Merit: 128
July 21, 2019, 11:24:43 AM
#5
The point of 2-fa wasn't to make an account bullet-proof, but to significantly improve security without being huge inconvenience.

For the average person, 2-fa is sufficient security. In order to login to one of your accounts, the hacker would have:

     [1] Your password

     [2] Your username

     [3] The website

     [4] Your phone

So unless you are worried about your roommate stealing phone and knowing all of this stuff, you are pretty safe.


Edit: As the post above me says: be careful with your TOTP codes. Even though a lot of people think they are harmless because they expire, they don't expire immediately. Often you can still use the code for up to 30 minutes, giving the hacker plenty of time to login and disable 2-fa + anything else.


Most important thing to realize: You are probably the biggest threat to your own security, always double check.
sr. member
Activity: 840
Merit: 375
July 21, 2019, 11:17:35 AM
#4
-snip-
It did happen in the past. And yes, the hacker most likely hacked the victim's phone to get into his app which is something that anyone can be exposed to if not being careful or they performed a phishing attack directly to get the 2FA code look:Article
As I said,as long as it has to do with something that is installed in a device connected (Like GA in a phone connected to Internet) it is vulnerable, that's why I prefer a physical device for 2FA.

Edit:Speaking of Authy, a vulnerability was also found on it years ago by Sakurity. See more: Authy Vulnerability
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
July 21, 2019, 09:57:38 AM
#3
So if SMS or Email isn't the correct 2FA to use (Which I agree with somewhat) What do you recommend people to use? Google Auth? Even Google Auth can be hacked and it did happen in the past if you look up on Google.

I doubt this ever happened. Ga keys are not store online. Your phone may be hacked and the hacker got access to the installed app somehow, but the ga service was not.

The biggest problem with Google authenticator is that if you lose your phone and you didn't backed up the keys , your login is lost forever. This is why many people recommend using Authy instead.
Take a look here
https://bitcointalksearch.org/topic/2fa-important-precautions-with-google-authenticator-3178131

Sms and email are far less secure, just as op said. Phone service providers are not paid to keep so high security level, and a hacker can receive an sms that should be directed to you.
sr. member
Activity: 840
Merit: 375
July 21, 2019, 09:51:57 AM
#2
So if SMS or Email isn't the correct 2FA to use (Which I agree with somewhat) What do you recommend people to use? Google Auth? Even Google Auth can be hacked and it did happen in the past if you look up on Google. A good 2FA to me is to have a physical device with buttons like a hardware wallet that only you should own to confirm access when you logging.It already exists such devices but they are not implemented in most services unfortunately.
Pages:
Jump to: