Multi-Factor Authentication is Not Foolproof Protection

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

Multi-Factor Authentication (MFA) has become increasingly common both in business and personal use. Yet, despite MFA providing increased security, threat actors are using the availability of sophisticated technology and even legitimate infrastructure to bypass this and access corporate networks and personal data.

To the uninitiated, MFA is when a user is required to provide two or more verification factors. The most typical type of MFA employed is Two Factor Authentication (2FA), when a user signs on to a site with their username and password and receives a code sent to a secondary device such as a mobile phone, email, or authenticator app. Once this code is entered into the site, it grants access. Until now, this security has been reasonably effective, and therefore users feel assured that it is entirely tamper-proof if the attacker does not have access to the secondary device which receives the code.

However, the bad actors have found ways to bypass MFA, putting network security at risk.

Man-in-the-Middle or Web Proxy Attack
The first technique bad actors employ is a man-in-the-middle (MitM) or reverse web proxy attack. This is when an attacker sends the user a link either through email or SMS that directs them to a phishing website. The link leads the user to a fake replica of a legitimate site – one that is nearly impossible to recognize as not legitimate for the average user.

For example, assume a Chase bank login page employs 2FA (Example 1). The attacker knows that even if they get the username and password, they still cannot access the site. And so, they use a reverse Web proxy between the phishing page and the actual service i.e., the man-in-the-middle.

Once the user enters the credentials, the phishing page will ‘talk’ to the original service, which will send the user the token or code to enter. At this point, the phishing page gets the code because the user enters it assuming s/he is on the official site. This gives the attacker the username, password, and code to authenticate with the real service and compromise the account.


Example 1: A phishing site using reverse web proxy to hijack session cookies

Even more troubling, this type of attack is…


Automotive cyber security must be efficient, scalable and foolproof, says Kaspersky

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

Vehicle exteriors have undergone sizeable changes over the last ten years, but the real transformation has taken place under the hood. One change is the sheer number of electronic control units (ECUs) modern vehicles contain. Today’s high-end vehicle can require as many as 100 ECUs to function as intended. Complex computing operations such as advanced driver assistance systems (ADAS) and autonomous driving will only add to the required computing power. Though these ECUs can enable connected services or automated driving, every additional link in the chain opens up potential cyber security flaws.

“The autonomous, connected, electric and shared (ACES) trends bring new requirements which modern automotive operating systems need to be capable of handling,” Ilya Efimov, Head of Technology Solutions Development, KasperskyOS told Automotive World. As he detailed, ADAS functionality requires significant computing power. While this power can be integrated, Kaspersky is concerned over the potential vulnerabilities which could be unlocked within safety-critical components. “As more cars are connected to the internet, it is clear that modern internet threats that we see on desktop computers or mobile devices will come to automotive too. Connected cars open a new attack vector,” he added.

Adaptive security

Kaspersky is no stranger to cyber security, and to tackle this new field it has developed the Kaspersky Automotive Adaptive Platform. The company says it offers a software development kit (SDK) with a ‘security-first’ design specifically for automotive, based on the company’s own operating system, KasperskyOS. “We see that this platform will be a solution for automotive vendors to reduce their cost. As the cyber security trend grows in automotive, our operating system is a great fit to combat a rising problem,” said Efimov. “Right now we have a version that automotive developers can use to develop their own applications, and we’re working on launching it commercially next year.”

“As vehicles start to communicate with other vehicles, with road infrastructure, with the wider network, they will also need additional cyber security solutions”

How does…


McDonald’s fans share their best McHacks to make your meal REALLY happy – including a foolproof way to get fresh chips

FROM the secret menu to unusual food combinations, there are plenty of McDonald’s hacks floating around on the Internet. And now fans are sharing their very best tips for making every meal a …
mac hacker – read more

These 7 Easy TikTok Mug Recipes Are Basically Foolproof Cooking Hacks

From banana bread to mac and cheese, here are some of the best one mug options TikTokers are using to hack your favorite baking and cooking recipes. TikTok user @JoleyGow hacked a pizza recipe by …
mac hacker – read more