Hi,
Recently, a bunch of Iranian journalists/activists have been targeted by
Iranian hackers.
Some of them said their 2-step verification was active during the attack,
but the hacker could reuse the code sent by Google via SMS and pass
2-step verification!
I was wondering whether some folks
Botnet in the mobile (BITM), like Zeus in the mobile (ZITM),
usually gets around 2-step verification by tricking people
into installing malware on their Android phone that intercepts SMS.
It can also be done by tricking the system into sending the SMS to another device
(done lately to attack German banks).
On Aug 27, 2014, at 8:29 AM, Amin Sabeti aminsab...@gmail.com wrote:
Recently, a bunch of Iranian journalists/activists have been targeted by
Iranian hackers.
Some of them said their 2-step verification was active during the attack, but
the hacker could reuse the code sent by Google via
On 08/27/2014 10:08 AM, Nadim Kobeissi wrote:
2. Your journalist friends would be very well-advised to use an app
[2] instead of SMS codes. By using an authenticator app, they will
be able to obtain codes without using SMS and even with their
I don't know where you're getting your information from, but I audited
Google's 2FA when I worked at Twitter. The attack scenario that is
described here is simply not possible without the endpoint being
owned.
Code replay is not possible. Once a code is accepted, it cannot be
used again to log
In this case, it appears that the victims were deceived by a well-attended
phishing campaign into giving up both their password and their SMS-provided
2FA code. Amin is simply asking what the lifetime of that code is, since it
is not nearly as short as the Authenticator-provided number.
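The two points argued above, that an accepted code cannot be replayed and that the practical difference between SMS and an authenticator app is the lifetime of the code, can be made concrete. The following is an added example, not code from this thread or from Google: it implements HOTP/TOTP as specified in RFC 4226 and RFC 6238, a server-side TOTP verifier that remembers the last accepted time step, and a single-use SMS-style verifier whose lifetime is a parameter (the real lifetime of Google's SMS codes is exactly the open question here, so no value is assumed for it). The secret is the RFC test secret, the SMS codes and the timeline of the phishing relay are constructed.

```python
"""Added example (not from the thread): RFC 4226/6238 one-time codes, the
validity window of a TOTP code versus a longer-lived SMS code, and why a
code that has already been accepted cannot be replayed."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of an authenticator-app login.

    Accepts the current step plus/minus `window` steps for clock drift and, as
    RFC 6238 section 5.2 recommends, remembers the last accepted step so that an
    already-used code (or any older one) is rejected."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for c in range(now_counter - self.window, now_counter + self.window + 1):
            if c <= self.last_counter:
                continue                       # replay of an already-accepted step
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


class SmsCodeVerifier:
    """Server side of an SMS code: random code, single use, fixed lifetime.

    The lifetime is a parameter here; the real lifetime of Google's SMS codes is
    the question the thread leaves open, so nothing below assumes it."""

    def __init__(self, lifetime_seconds: int):
        self.lifetime = lifetime_seconds
        self.issued = {}   # code -> time it was sent
        self.used = set()

    def issue(self, code: str, unix_time: int) -> None:
        self.issued[code] = unix_time

    def verify(self, code: str, unix_time: int) -> str:
        if code in self.used:
            return "rejected: replay"
        sent = self.issued.get(code)
        if sent is None:
            return "rejected: unknown code"
        if unix_time - sent > self.lifetime:
            return "rejected: expired"
        self.used.add(code)                    # burn it on first acceptance
        return "accepted"


def phishing_relay_scenario() -> dict:
    """Constructed timeline of the attack described in the thread: the victim
    types a valid code into a phishing page and the attacker relays it to the
    real login. Uses the RFC 6238 test secret so the codes are known values."""
    secret = b"12345678901234567890"
    out = {}

    # Authenticator app: victim reads the code at t=45 (step 1 -> "287082").
    app = TotpVerifier(secret)
    victim_code = totp(secret, 45)
    out["totp_relayed_within_window"] = app.verify(victim_code, 70)  # step 2; drift window still covers step 1
    out["totp_replayed"] = app.verify(victim_code, 75)               # same code again: step 1 is burned
    late = TotpVerifier(secret)
    out["totp_relayed_too_late"] = late.verify(victim_code, 130)     # step 4; step 1 is outside the window

    # SMS code: same relay, but the attacker has the whole lifetime to use it.
    sms = SmsCodeVerifier(lifetime_seconds=600)                     # assumed lifetime, not Google's
    sms.issue("482913", unix_time=0)                                 # constructed code
    out["sms_relayed_within_lifetime"] = sms.verify("482913", 200)
    out["sms_replayed"] = sms.verify("482913", 210)
    sms.issue("117744", unix_time=0)                                 # constructed code
    out["sms_relayed_after_lifetime"] = sms.verify("117744", 700)
    return out


if __name__ == "__main__":
    for name, result in phishing_relay_scenario().items():
        print(f"{name}: {result}")
```

Neither verifier lets a code be accepted twice, which matches the claim that replay is impossible; what differs is the relay window. A TOTP code is only accepted within a step or so of when it was generated, so the phisher has to relay it within about a minute, whereas an SMS code is usable for however long the service keeps it alive, which is why the question of that lifetime matters.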
Does your software have a friendly UI that shows the user sharing their
internet connection _exactly_ what requests they are making on another's
behalf? Does it store a log and require the user to read and analyze that log?
-Jonathan
On Wednesday, August 27, 2014 4:30 PM, Adam Fisk