I confess, I remain baffled whenever I read the statement, "this can be hacked".  In this world, everything can be hacked, given enough time, enough of this and of that.  Everything is vulnerable, based on the simple fact that WE are humans and, consequently, we are vulnerable.

The hack presented in this article appears to rest on several premises:

  1.  The phishing email needs to pass through email filters.
  2.  The code downloaded (likely using port 443) has to pass through proxy filters.
  3.  The user must not realize that this is phishing, and has to click (alright, I know, that's an easy one).
  4.  The workstation must not notice that there is basically a keylogger lurking behind the scene, stealing credentials.
  5.  And, finally, that the session is just that - a session; cookies expire, so the hacker would have to be right there, waiting in the dark, to grab that cookie and use it, right there and then.

In reality, no one should ever claim that something is 'un-hackable'.  But, by the same token, we also need to stop being so cynical about it.  There are things we can do to improve our security, and we should do them.  Two-factor authentication is one of them.  To propagate the mentality that “two-factor is hackable” amounts to justifying, or worse, encouraging, the discourse of those who persist in not using it.  You see, two-factor improves our security by several orders of magnitude.  In fact, it is the best we've been able to come up with (even if it's taken PCI 15 years to catch up).

I myself have been the victim of many, many, MANY attempts to steal my O365 credentials.  If it weren't for MS two-factor, used when you want to change your password, I'm positive I would've been hacked by now.  But they did not succeed, because each time I received a message on my phone saying “enter this code to proceed changing your password”, I simply ignored it, knowing that whoever was trying to access my account could not proceed without that 6-digit passcode.

So, rather than saying it can be hacked (which is tautological), we should instead encourage every website to use it.  No, we should _demand_ it.  I mean, we all have smartphones, and two-factor using smartphones is free and easy.  That being the case, why are we not using it?  I'd add that to credit cards too.  When I am trying to use a CC, send me a 6-digit code to be entered (yes, the chip does just that, but what if the card is stolen and someone is attempting to use it before I can get the bank to block it?).

At the end of the day, two-factor may not be the ultimate solution (and we all know it isn't), but it is certainly a hell of a lot better than the alternative.  So, use it, and be smart about it.