assurance - [Assurance] can two-factor be hacked ?
Subject: Assurance
List archive
- From: Steven Carmody <>
- To:
- Subject: [Assurance] can two-factor be hacked ?
- Date: Fri, 07 Mar 2014 14:39:49 -0500
Hi,
I'll summarize the long back story.. a student recently brought us an new app that they had recently built. Its 120 lines of javascript, and leverages both node.js and the meteor platform. This app sits in front of our Banner student system and acts as a proxy. It presents its own login page, and immediately navigates thru Banner and retrieves how many dining hall points that user currently has. The good news is that while the student actually deployed this in the cloud (bearbucks.meteor.com), he also brought it to our attention. It didn't take much effort to develop this app. We've also determined that a slightly modified version of this app works just fine with our IDP login page.
Up until now, we had been thinking that 2-factor would provide a defense against phished and stolen passwords.
But, this is a little different. This proxy sits in front of our apps; it isn't a dead end that's just trying to trick people into entering their passwords.
Most worrisome, tho, is that we think that if we implemented some forms of two factor in the authN process of our apps that this proxy could quickly evolve to handle the extra step. If we TXTed a code to the person's mobile phone and presented a web form, the proxy could easily handle that. We also expect that the proxy could evolve to deal with CAPTCHA style approaches.
So, beyond user education, what might people suggest as a way to detect, block, or prevent this sort of potentially-password-stealing approach, that could even handle some forms of two-factor ?
- [Assurance] can two-factor be hacked ?, Steven Carmody, 03/07/2014
- Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/07/2014
- Re: [Assurance] can two-factor be hacked ?, David Langenberg, 03/07/2014
- RE: [Assurance] can two-factor be hacked ?, Eric Goodman, 03/10/2014
- Re: [Assurance] can two-factor be hacked ?, Tom Scavo, 03/10/2014
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/10/2014
- Re: [Assurance] can two-factor be hacked ?, Tom Scavo, 03/10/2014
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Farmer, Jacob, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Brian Arkills, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Brian Arkills, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Farmer, Jacob, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Tom Scavo, 03/10/2014
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/10/2014
Archive powered by MHonArc 2.6.16.