Google’s Authenticator Update Raises Security Concerns

Google has published an update to its Authenticator app that keeps a “one-time code” in cloud storage. This update is part of the company’s endeavor to assist customers in maintaining access to their two-factor authentication (2FA) systems. Users who have misplaced their device that contained their authenticator may still access their two-factor authentication using this code. The storage of one-time codes in a user’s Google Account, as recommended by Google, is said to improve both convenience and security and shield users from being locked out of their accounts. However, this approach is causing other people to worry about their safety.

In a post made to the r/Cryptocurrency forum, the user u/pojut pointed out that keeping one-time codes in cloud storage connected with the user’s Google account might render users more susceptible to attacks from cybercriminals. If a hacker were to get the user’s Google password, they would be able to gain complete access to all of the user’s authenticator-linked applications. An outdated phone that is utilized just for the purpose of housing the authenticator app was recommended by user u/pojut as a solution to this problem.

Developers of cybersecurity software called Mysk have also taken to Twitter to provide a warning about the extra issues that come with using Google’s cloud storage-based approach to two-factor authentication (2FA). Users that use Google Authenticator as a second factor of authentication for logging into their cryptocurrency exchange accounts and other services linked to finance may find this to be a substantial cause for worry. The two-factor authentication (2FA) system is vulnerable to a variety of attacks, the most prevalent of which is known as “SIM swapping.” This kind of identity theft allows con artists to take control of a phone number by deceiving a telecoms operator into associating the number with their own SIM card.

A recent example of this may be seen in a lawsuit that was recently filed against the cryptocurrency exchange Coinbase, which is situated in the United States. In the case, a client claimed that he had lost “90% of his life savings” as a result of being a victim of such an assault. Notably, Coinbase itself recommends using authenticator applications for two-factor authentication rather than sending a verification code by text message. The company calls SMS two-factor authentication the “least secure” type of authentication.

An upgrade to Google Authenticator may benefit users who have misplaced their authenticator app, but it has caused some users to be concerned about the service’s level of security. The use of cloud storage to store one-time codes leaves users open to attack by cybercriminals, who may then be able to discover the user’s Google password and, as a result, acquire complete access to all of the authenticator-linked applications used by the user. Users who use Google Authenticator for two-factor authentication should take precautions to safeguard themselves, such as installing their authentication app on a different device and avoiding two-factor authentication through SMS.


Tagged : / / / / /

Mobile Firm Employee Charged for Aiding Crypto SIM Swap Attacks Targeting 19

A 36-year-old Florida-based telco employee was charged Monday over a SIM swapping scam that stole one victim’s cryptocurrency.

Stephen Defiore, 36, received a one-count Bill of Information – a waiver of indictment and agreement to prosecution in court – with conspiracy to commit wire fraud, according to a U.S. Department of Justice press release.

Defiore is the second person charged in connection with a scheme that hit 19 victims in SIM swap attacks, and stole a “significant portion” of cryptocurrency held by a doctor in New Orleans.

According to the report, Defiore worked as a sales representative between August 2017 and November 2018 for an unnamed phone company. Having access to the company’s customer accounts, he allegedly performed SIM swaps – reassigning a SIM card to another user – as part of a $500 per day arrangement with a co-conspirator.

For each SIM swap, which netted Defiore over $2,300 in total via 12 payments, co-conspirator Ricard Li sent him a customer’s cellphone number, a four-digit PIN and a new SIM-card number for the swap. Li was charged for his alleged involvement in June 2020.

A SIM swam hack occurs when an attacker gains access to a victim’s cellphone account, allowing incoming calls and text messages to be routed to a different device. The attacker is then able to change passwords on a victim’s various accounts including emails and cryptocurrency exchange and bank accounts via SMS verification.

If convicted of the charge, Defiore faces a maximum of five years in prison and a fine of up to $250,000, as well as up to three years of supervised release after imprisonment and a mandatory $100 special assessment per count.



Tagged : / / / / / /
Bitcoin (BTC) $ 27,584.39 1.70%
Ethereum (ETH) $ 1,666.01 3.46%
Litecoin (LTC) $ 66.16 2.02%
Bitcoin Cash (BCH) $ 242.01 0.35%