[liberationtech] Time validation for 2-step verification codes

Collin Anderson collin at averysmallbird.com
Wed Aug 27 17:05:17 PDT 2014


In this case, it appears that the victims were deceived by a well-attended
phishing campaign into giving up both their password and their SMS-provided
2FA code. Amin is simply asking what the lifetime of that code is, since it
is not nearly as short as the Authenticator-provided number.


On Wed, Aug 27, 2014 at 6:46 PM, John Adams <jna at retina.net> wrote:

> I don't know where you're getting your information from, but I audited
> Google's 2FA when I worked at Twitter.  The attack scenario that is
> described here is simply not possible without the endpoint being
> owned.
>
> Code replay is not possible. Once a code is accepted, it cannot be
> used again to log in.
>
> The SMS attack is substantially more likely, but you can disable SMS
> codes in preferences. You should not use SMS at all if you can avoid
> it.
>
> Additionally, in order to get past 2FA, the attacker would have to
> have the user's password. All of this points to some sort of remote
> access tool or keylogger being active on the activist's machine.
>
> -j
>
>
> On Wed, Aug 27, 2014 at 10:08 AM, Nadim Kobeissi <nadim at nadim.computer> wrote:
> > The two-step verification used by Google is based on the TOTP protocol [1]
> > which is the open standard for this sort of thing.
> >
> > To answer your questions Amin:
> >
> > 1. Tokens last 60 seconds according to the TOTP standard.
> > 2. Your journalist friends would be very well-advised to use an app [2]
> > instead of SMS codes. By using an authenticator app, they will be able to
> > obtain codes without using SMS and even with their phone completely not
> > connected to a network.
> >
> > [1] http://tools.ietf.org/html/rfc6238
> > [2] https://support.google.com/accounts/answer/1066447?hl=en
> >
> >
> >
> > On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti <aminsabeti at gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> Recently, a bunch of Iranian journalists/activists have been targeted by
> >> Iranian hackers.
> >>
> >> Some of them said their 2-step verification was active during the attack,
> >> but the hacker could reuse the code that was sent by Google via SMS and
> >> passed 2-step verification!
> >>
> >> I was wondering whether some folks here know the validation time for the
> >> 2-step verification code that users receive through SMS, not the app.
> >>
> >> Cheers,
> >>
> >> Amin
> >>
> >> --
> >> Liberationtech is public & archives are searchable on Google. Violations
> >> of list guidelines will get you moderated:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> >> change to digest, or change password by emailing moderator at
> >> companys at stanford.edu.


-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.