Showing posts with label security.

Wednesday, April 4, 2018

Wednesday, January 4, 2017

Google's FIDO U2F Security Key: Taking two-step authentication to another level

A prominent computer science professor, Dr. Ramzi Haraty, once said: "No system is fully and 100% secure." I was 18 years old when I heard that statement, and I didn't really take it seriously.

However, as I grew older, I realized how true that statement is, beyond any reasonable doubt. As a matter of fact, there isn't any service, login page, piece of software, database or website that cannot be hacked and penetrated.

Even the NSA's hidden and encrypted servers were hacked. However, each system has its own security measures; some are challenging and tough to break into, others are trivial.

One company that takes security extremely seriously is Google Inc. Behind the simple-looking login page you see on the right, there is a monstrous security system beyond any single person's imagination:

As a matter of fact, if you can hack (not hijack) this page and access a consumer's account, your hack is worth at least USD 25,000,000.

What Google does to protect its members' Gmail accounts is astonishing. This includes, but is not limited to:


1. Bug bounty programs: Google pays millions of dollars each year to hackers and security researchers who report bugs in its systems; the cash is paid in exchange for the report. That pushes bored and opportunistic programmers to start hunting for bugs in the hope of getting paid, and as bugs get reported over the years, fewer are left to find.

2. Encrypting the web, literally. In short, this means HTTPS. It encrypts your communication with websites, including passwords and credit card numbers, making your browsing more secure. Without HTTPS, anyone eavesdropping on your Wi-Fi could read your personal information.

3. Challenging sign-ins from an unfamiliar place. If you access your Gmail over Tor or from a country you have never signed in from, Google treats the sign-in as suspicious and will block it or demand extra verification before letting you in.

4. Obsessing about the sandbox. Google's system is designed in multiple security layers (defense in depth). That is, if you find one bug in a Google page and reach one protected page, you will have to find a bug in the next layer, then the next, and so on. So your chances of breaking in through this page are close to 0.
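As an added illustration of item 3 (this is example code written for this page, not code from the original post or from Google), here is a small sign-in risk check in Go. It goes a little beyond the text: besides a sign-in from a new country or a Tor exit node, it also flags "impossible travel", two sign-ins too far apart for the time elapsed between them. The log format, the IP addresses, the coordinates and the Tor exit list are all constructed for the example; a real service would resolve country and coordinates from a GeoIP database rather than read them from the log line.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"time"
)

// SignIn is one parsed login event (constructed log format, see parseLine).
type SignIn struct {
	Account, IP, Country string
	Lat, Lon             float64
	At                   time.Time
}

// Profile is what the service remembers about an account's normal behaviour.
type Profile struct{ KnownCountries map[string]bool; Last *SignIn }

// torExits stands in for a Tor exit-node list (constructed address).
var torExits = map[string]bool{"185.220.101.1": true}

func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) + math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// Assess returns the reasons a sign-in should be challenged; an empty list means allow.
func Assess(p *Profile, s SignIn) []string {
	var reasons []string
	if torExits[s.IP] {
		reasons = append(reasons, "tor exit node")
	}
	if !p.KnownCountries[s.Country] {
		reasons = append(reasons, "new country "+s.Country)
	}
	if p.Last != nil {
		km := haversineKm(p.Last.Lat, p.Last.Lon, s.Lat, s.Lon)
		hours := s.At.Sub(p.Last.At).Hours()
		// 1000 km/h is faster than any airliner: both sign-ins cannot be the owner.
		if km > 50 && (hours <= 0 || km/hours > 1000) {
			reasons = append(reasons, fmt.Sprintf("impossible travel: %.0f km in %.1f h", km, hours))
		}
	}
	return reasons
}

// parseLine reads "account ip country lat lon rfc3339-time".
func parseLine(line string) (SignIn, error) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return SignIn{}, fmt.Errorf("malformed line: %q", line)
	}
	s := SignIn{Account: f[0], IP: f[1], Country: f[2]}
	if _, err := fmt.Sscanf(f[3]+" "+f[4], "%f %f", &s.Lat, &s.Lon); err != nil {
		return SignIn{}, err
	}
	var err error
	s.At, err = time.Parse(time.RFC3339, f[5])
	return s, err
}

// Replay feeds a log through the policy and returns the verdict for each line. The first
// sign-in of an account seeds its profile; a challenged sign-in is assumed not to have
// completed, so it does not update the profile.
func Replay(lines []string) ([][]string, error) {
	profiles := map[string]*Profile{}
	verdicts := make([][]string, 0, len(lines))
	for _, l := range lines {
		s, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		p, seen := profiles[s.Account]
		if !seen {
			profiles[s.Account] = &Profile{KnownCountries: map[string]bool{s.Country: true}, Last: &s}
			verdicts = append(verdicts, nil)
			continue
		}
		r := Assess(p, s)
		verdicts = append(verdicts, r)
		if len(r) == 0 {
			p.KnownCountries[s.Country] = true
			p.Last = &s
		}
	}
	return verdicts, nil
}

// SampleLog is constructed: a user in Lebanon, a Tor exit in Germany half an hour later, then a real trip to the US.
var SampleLog = []string{
	"alice 203.0.113.5 LB 33.89 35.50 2016-12-01T09:00:00Z",
	"alice 203.0.113.9 LB 33.89 35.50 2016-12-01T18:00:00Z",
	"alice 185.220.101.1 DE 52.52 13.40 2016-12-01T18:30:00Z",
	"alice 198.51.100.7 US 40.71 -74.01 2016-12-03T10:00:00Z",
}

func main() {
	verdicts, _ := Replay(SampleLog)
	for i, v := range verdicts {
		fmt.Printf("%s -> allow=%v %s\n", SampleLog[i], len(v) == 0, strings.Join(v, "; "))
	}
}
```

Run it and the third line is challenged for three reasons at once, while the fourth (a new country reached at a plausible speed) gets only the "new country" challenge, which is the point: the decision is a score over several signals, not a hard lock on the country alone.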

Allowing users to set up two-step verification on their account is another way Google Inc. secures its website. If you log in from a new device, you have to enter a 6-digit code delivered to your mobile before you can access the account (the code can be provided by phone call, SMS, or an app such as Google Authenticator or Authy). So even if you know the password of an account, you will not be able to access it unless you also receive that 6-digit code.
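What Google Authenticator and Authy actually compute is a TOTP (RFC 6238) code: HMAC-SHA1 of a shared secret and the current 30-second time slot, truncated to 6 digits. The Go below is an added example written for this page, not Google's or Authy's code; it implements the generator and a server-side verifier with a small clock-skew window, and it uses the RFC's published test secret, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically
// truncated to `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the counter is the number of `step`-second intervals since the Unix epoch.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP accepts the code for the current interval or up to `skew` intervals on
// either side (clock drift, slow typing). Every candidate is compared in constant
// time and the loop never exits early, so timing does not reveal which one matched.
func verifyTOTP(secret []byte, code string, unixTime, step int64, digits int, skew int64) bool {
	now, ok := unixTime/step, false
	for d := -skew; d <= skew; d++ {
		if now+d < 0 {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(now+d), digits)), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// RFC 6238 test secret (ASCII "12345678901234567890"); a real secret is random and
	// shared once, via the QR code, when the authenticator app is enrolled.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6)
	fmt.Println("code:", code, "valid:", verifyTOTP(secret, code, now, 30, 6, 1))
}
```

Two caveats a server must add on top of this: remember the last counter it accepted for each user and refuse that slot again, so a code cannot be replayed inside the skew window, and rate-limit attempts, because six digits with a three-slot window leaves only about a 3-in-10,000 chance per guess. Note also that the code is only as safe as the channel it travels over: with an app the secret sits on the phone, but with SMS or a phone call the code goes to whoever currently holds your phone number.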

That's cool, right?


Not really. Google recently realized that governments are targeting social activists and breaking into their accounts, and against such attackers the standard two-step verification (via mobile phone) is weak too.

Wait, how come?


Very simple; I'll give you one example. Imagine that you have a Gmail account and I have figured out your password. However, you're an intelligent person and have set up two-step verification, receiving the code by phone call.

So I get stuck here. What do I do? I impersonate you, go to your mobile provider, claim that I lost my phone, and receive a new SIM card with your phone number (a SIM swap). From then on, your verification calls ring on my phone.

It might not work with a carrier like Verizon or AT&T, but in other countries (like Lebanon, for example) it apparently works, because of the carriers' (Alfa or Touch) pathetic identity checks.

Now imagine this. 


A corrupt government targets a journalist's or a dissident's Gmail and gets his password by spying on him. With the phone company's cooperation, they can then take over his phone number and reset the password very quickly.

In fact, this has happened: Google announced in a blog post that since 2012 it has been warning users who are targeted by state-sponsored attackers.

It might not be the method I described, but I strongly suspect it is. Google said it can't reveal what tipped it off because attackers would adapt, but it did say "Enable two-factor authentication and set up a Security Key", which strongly suggests the attacks go after the mobile phone.

Google said it sent those notices to 0.1% of its users, which is a huge number considering there are more than one billion Google accounts: 0.1% of 1 billion is 1 million.

Google ended its post with "The security of our users and their data is paramount." That is clearly illustrated here, and because of it you should trust and respect Google more.


So what is a security key?

It is a small USB device that is plugged into your machine to allow access to an account: a second factor that doesn't require a phone number. The full name is "FIDO U2F Security Key". U2F (Universal 2nd Factor) is an open authentication standard that enables two-factor authentication with specialized USB or NFC devices, built on security technology similar to that found in smart cards. It was developed by Google and Yubico. The key holds a private key that never leaves the device; at sign-in it signs a challenge from the website together with the site's origin, so there is no code to phish and no phone number to hijack. U2F security keys can also be used on Dropbox, GitLab, and Bitbucket.

How does it work? 

Once you have two-step verification enabled and a security key configured, each time you log in on a new (or untrusted) device you will be asked to plug your security key into the machine and press its button.
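To make concrete why the button press beats a phone code, here is a simplified simulation of the U2F sign-in exchange in Go. It is an added example written for this page, not Yubico's, Google's or the FIDO reference code: the key, the browser and the server are all in one process, the server tracks a single pending challenge instead of a table, and the two origins are assumed. The signed bytes follow the U2F raw message format (SHA-256 of the appID, a user-presence byte, a counter, and SHA-256 of the client data), and the scenario shows a genuine login succeeding, a look-alike domain that relays a genuine challenge being refused by the key, and a replayed assertion being refused by the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Assertion is the key's answer: client data (challenge + origin, written by the browser),
// presence byte (bit 0 = button pressed), use counter, ASN.1 ECDSA signature.
type Assertion struct {
	ClientDataJSON []byte
	UserPresence   byte
	Counter        uint32
	Signature      []byte
}

// signedMessage is the U2F raw message format:
// SHA-256(appID) || presence || counter (big-endian) || SHA-256(clientData).
func signedMessage(appID string, up byte, counter uint32, clientDataJSON []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	ctr := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)}
	h := sha256.Sum256(append(append(append(app[:], up), ctr...), cd[:]...))
	return h[:]
}

// Key simulates the token: a P-256 key pair tied to one appID; the private half never leaves it.
type Key struct{ appID string; priv *ecdsa.PrivateKey; counter uint32 }

// Sign is the button press. The browser derives appID from the page origin, so a key
// registered for another site refuses; that is what beats look-alike domains.
func (k *Key) Sign(appID string, clientDataJSON []byte) (Assertion, error) {
	if appID != k.appID {
		return Assertion{}, fmt.Errorf("key not registered for %q", appID)
	}
	k.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedMessage(appID, 1, k.counter, clientDataJSON))
	return Assertion{ClientDataJSON: clientDataJSON, UserPresence: 1, Counter: k.counter, Signature: sig}, err
}

// Server is the relying party: public key only, last counter seen, and the single-use challenge it awaits.
type Server struct{ appID, challenge string; pub *ecdsa.PublicKey; lastCounter uint32 }

func (s *Server) Challenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand.Read does not fail in current Go
	s.challenge = fmt.Sprintf("%x", b)
	return s.challenge
}

// Verify checks each binding in turn: fresh challenge, origin, presence, counter, signature.
func (s *Server) Verify(a Assertion) error {
	var cd struct{ Challenge, Origin string }
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case s.challenge == "" || cd.Challenge != s.challenge:
		return fmt.Errorf("unknown or already used challenge")
	case cd.Origin != s.appID:
		return fmt.Errorf("origin %q is not %q", cd.Origin, s.appID)
	case a.UserPresence&1 == 0:
		return fmt.Errorf("button was not pressed")
	case a.Counter <= s.lastCounter:
		return fmt.Errorf("counter did not increase: replay or cloned key")
	case !ecdsa.VerifyASN1(s.pub, signedMessage(s.appID, a.UserPresence, a.Counter, a.ClientDataJSON), a.Signature):
		return fmt.Errorf("bad signature")
	}
	s.challenge, s.lastCounter = "", a.Counter
	return nil
}

// login models the browser on a page at origin: it writes that origin into the client data and uses it as the appID.
func login(origin string, srv *Server, k *Key) (Assertion, error) {
	cdJSON, _ := json.Marshal(map[string]string{"challenge": srv.Challenge(), "origin": origin})
	return k.Sign(origin, cdJSON)
}

// Both origins are assumptions made for this example.
const realSite, phishSite = "https://accounts.example.com", "https://accounts-example-com.evil.test"

// Scenario returns the outcome of a genuine login, of a phishing page relaying a
// genuine challenge, and of replaying the genuine assertion.
func Scenario() (legit, phish, replay error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the OS RNG does
	key := &Key{appID: realSite, priv: priv}
	srv := &Server{appID: realSite, pub: &priv.PublicKey}
	a, err := login(realSite, srv, key)
	if err == nil {
		err = srv.Verify(a)
	}
	_, phish = login(phishSite, srv, key)
	return err, phish, srv.Verify(a)
}

func main() { fmt.Println(Scenario()) }
```

Contrast this with the phone-code flow above: nothing the user types, reads or receives exists here, so there is nothing to relay, and the server holds only a public key, so even a breach of its database yields nothing an attacker can sign with. The counter check is the one thing a physical key adds that software cannot: a cloned key eventually presents a counter lower than the one the server last saw.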

While you may keep the phone call as a backup verification method, I do not recommend it, since it defeats the primary purpose of the security key.

It is wise to generate backup codes and memorize them (not write them down anywhere) in case you lose the security key or want to log in on a mobile phone.

If you decide to use one for your own safety, it is wise not to tell your friends, colleagues or anyone else that you're using this type of security mechanism.

Hackers will adapt to security features in whatever shape and form they come. Let them be surprised when they try to access your account instead of letting them plan ahead.

Do I use a security key?

Yes, definitely. I purchased this item on July 14, 2016, and added it to my account on July 25, 2016. My experience has been phenomenal as I gradually phased out phone-based two-step codes. I treat the security key like any other key and carry it on my key ring. I had a bit of a hard time explaining what it is to my family and friends, but eventually they got used to it.


How do I buy one?


You can purchase one from Amazon.com (made by Yubico) for as little as $17.99. Configuration is easy on websites like Google or Dropbox.



In Summary

No matter where you go, you will never find anything as secure as your Google account: not online bank accounts, Microsoft accounts, Facebook accounts, Akamai accounts, etc. This company is obsessed with security and breathes security. If you keep sensitive information or any critical material in your Google account, it would be wise to purchase and configure a security key to take full advantage of Google's security.

Thursday, March 17, 2016

It is 2016 and Payoneer still does not offer two-step authentication

In summary, this blog post is about Payoneer not offering two-step authentication for its members despite numerous requests.

As of March 17, 2016, Payoneer, a world-renowned company with more than 3 million customers, does not offer two-step authentication to its members.

Founded in 2005, Payoneer provides financial services and online money transfer services worldwide. It is available in more than 200 countries and supports more than 150 currencies. 

Payoneer's concept is simple: you get an international prepaid card from Payoneer that lets you get paid by many American companies. You can use the card at practically any ATM anywhere in the world and withdraw the funds. You don't have to deal with banks, their headaches and their contracts.

Payoneer had great success in the past and recently posted these stats on its website:


After massive success and 10 years in business, the security department at Payoneer still doesn't get it: two-step authentication matters; tech companies large and small offer it, such as Apple, Amazon, Google, Microsoft, etc.

Apparently, Payoneer is not aware that it handles financial accounts, not social media accounts. Would thieves and hackers rather hack or hijack a simple social media account, or a financial account that gives them access to a decent amount of cash?

Computersolving.com said:

Here goes my first criticism of Payoneer: besides no 2-factor authentication being available, I find it unbelievable that a company processing payments will not allow me to use special characters in my password; only letters and numbers are allowed, which will greatly help malicious hackers trying to break into my account using a brute-force attack.

What Payoneer doesn't understand is that it is not difficult to learn someone's password, whether by installing spyware on the victim's machine, standing behind the victim while s/he types it, or exploiting a security vulnerability in the service's website or database. On top of that, Payoneer does not require special characters in passwords.

The community has been asking for this feature for ages, for example:

4. November 2015: Security at Payoneer


I personally contacted Payoneer's customer support team, and this is the response I received:

Thank you for contacting us. We understand your concern. Unfortunately the service is not available at present. We are working hard to make this available in the future.

From this blog, I send a wake-up call to the security department of Payoneer: it is time to come out of the coma and straighten up the security department.

