Great explanation of authentication, and its importance @Kari
Thanks Golden. I thought this was important.
Because I use two-step authentication with, for instance, Google, no password leak like the massive Yahoo leaks we have heard about recently would pose any risk of someone else accessing my accounts; no one but me gets into my Google accounts, even if I publicly posted my password here.
@TairikuOkami is an experienced user and in my opinion can manage the threats in his own way. This could only be irresponsible for inexperienced users. They can draw a lot of good conclusions from debates like this one :)
Thanks @Kari for the great explanation of the 2-step verification process. You really are a geek Guru (and I'm serious about that).
But I would like to add that this process doesn't eliminate the possibility of hackers gaining access to a user's email. So stating that you can publish your email address online is a bit irresponsible too. So please, can you be a bit gentler to us humans.
Could you please educate and civilize me and tell me how, for instance, you could access my Google or Microsoft account if you knew my password, when I have two-step authentication enabled, asking for the security / verification code at every sign-in from a device I have not accepted as trusted?
You don't have to go into details, just tell me the method you would use to get the verification code.
Sincerely,
Kari
It happens in the context of this thread title. First you get a social attack (mail with attachment) and if you are not careful you get to a Gmail login page (like in the description of this attack).
This doesn't apply to you, as you would never put info into those fields...
A user can put info into the Gmail login page; after that the bad guys intercept that info and try to log in to the real Gmail account. Now, there are at least two possibilities that you could give them the access code..
1. the code in that text attachment could also contain a keylogger - you know the rest
2. if they can reproduce the first login page, what stops them from reproducing a false code interception page too??
One of these methods has already been used by bad guys, the other just came to mind... And if I can think of some methods, you can imagine what hackers could think of...
Keyloggers do not help to access accounts with two-step authentication, simply because all codes are for single use. I have no issue with you getting a code as soon as I have used it, because it is no longer valid. You simply have no chance of getting my codes, that's the point. Not with keyloggers. The only chance would be to physically get hold of my phones.
I want to stress the importance and security of two-step authentication, therefore I suggest the following:
If you are up to it, I'll send you valid credentials (complete email address and password) to one of my Microsoft accounts. I will prove to you first, in a private online live meeting, that the username and password are valid. I will also prove later, after your agreed time to try to hack into my account, that I have not accessed the account in the meantime and changed the password. I will save a valid, original Windows 10 PRO product key in a text file in the OneDrive of that account.
You then have, let's say, a month to try to access that account. If you can manage it, you can keep the Windows license found in OneDrive. If not, you'll provide one Windows 10 PRO license for me.
OK?
Kari
no way Kari :)
You missed the point, that this is a social attack. I don't have to gain access to your PC (and I admit that the keylogger thing was my thought - bad, though). The other variant has been used before. You get the code and you use it, but you don't use it on the real account; you type it into a fake page (like the first one).
You are right, the code can only be used once.
To be clear, 2-step verification is by miles safer than single. But it doesn't eliminate threats completely. And this is also dangerous - giving a false feeling of total safety.
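As an added illustration (not code from anyone in this thread), here is a small Python model of a single-use code verifier that shows both sides of the argument above: a code that has already been consumed is rejected when replayed, while a fresh code is accepted from whoever presents it first, so the service cannot tell the owner's browser from a relaying page. The store class, the account names and the validity window are my own constructed assumptions.

```python
import hmac
import secrets
import time


class OneTimeCodeStore:
    """Single-use verification codes with a short validity window.
    Constructed illustration, not any provider's real implementation."""

    def __init__(self, ttl_seconds=90, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # account -> (code, expiry time)
        self.failed_attempts = []   # audit trail: (account, code, when)

    def issue(self, account):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = (code, self.clock() + self.ttl)
        return code

    def verify(self, account, presented):
        entry = self._pending.get(account)
        if entry is None:
            # nothing outstanding: never issued, or already consumed
            self.failed_attempts.append((account, presented, self.clock()))
            return False
        code, expiry = entry
        if self.clock() > expiry:
            del self._pending[account]
            return False
        if not hmac.compare_digest(code, presented):
            return False
        del self._pending[account]  # consume: single use
        return True


def replay_scenario(store, account="kari"):
    """Owner uses the code; a copy captured afterwards is replayed."""
    code = store.issue(account)
    owner_ok = store.verify(account, code)
    replay_ok = store.verify(account, code)
    return owner_ok, replay_ok        # (True, False)


def relay_scenario(store, account="kari"):
    """Owner types a fresh code into a fake page; it reaches the real
    service first. The service cannot tell who is presenting it."""
    code = store.issue(account)
    forwarded_ok = store.verify(account, code)  # presented by the relay
    owner_ok = store.verify(account, code)      # owner's own attempt
    return forwarded_ok, owner_ok     # (True, False)
```

In the relay case the owner's own failed attempt lands in failed_attempts, which is the kind of signal a provider can alert on: a valid code consumed from one place immediately followed by the same code being refused from another.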
My point: let's say one of these days I do something stupid (it happens, take my word for it, depending on the amount of whisky I have consumed that day). Let's say I open a phishing site like the one in question and enter my email address, password and a single-use security code.
What happens? Nothing, because that code was used and is no longer valid. If the scammer would then contact Microsoft pretending to be me, saying he / she has forgotten the password and the phone was stolen but needs to access the account, or clicked "I have forgotten password" and then selected "I can't access any of those" when the list of verification options is shown, the account would immediately be locked for 30 days and I would receive an email about it at my primary verification email, plus a text message to the phone the scammer said had been stolen. Those messages would contain a link for me to sign in, verify my identity, reset the password and re-open the account.
Only if I did not react within this 30-day period would the scammer gain access to my account.
Kari