2 way authenticator got hacked

AxeMurderer

So I installed this free game on my phone and it wanted some permissions I didn’t look at and next day my 2 way authenticator got hacked. Please help.

PS. Oops it was supposed to say 2 way authenticator in the title not gold card, that thing is solid. If a loving horse climbs at it – it moves 2 steps backwards. :makelove:

EDIT: I was joking about the title and put it in OFFTOPIC to be more obvious this is not real. It was a hypothetical joke expressing my concern about software security on phones, which get hacked daily, being used for investments of tens of thousands of dollars.

Original title: Gold card got hacked
 
It's an offline authenticator. Good luck
 
It's an offline authenticator. Good luck

So you have to be offline to use it? If not, then while you are online, anyone can access it.
 
So you have to be offline to use it? If not, then while you are online, anyone can access it.

Ahh no? The app is offline so it generates the code offline. Ever wonder how your gold card works?
 
If Google's works the same as MS's in principle, it cycles through a 6-7 digit number every 30 seconds, so it either:
1) syncs every 30 seconds with the server
2) works from a list synced on a regular basis
3) as (2) but with a set pattern, so the server can track your position (like GC).

Either way, a rogue app could steal enough data to get the code for 30 seconds, but without getting access to the list on the MS/Google server it can't plan ahead (unless the list is stored on the phone too for method 3).

Either way, Android users should already be well aware of malware on their devices and should only download from their correct stores (Play/Amazon/Manufacturer) and expect malware from other sources, especially ones that give premium games for free.

PS. This is my opinion, I have no deep knowledge of how Auth Apps work, this is how I feel they work
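
Added example (editorial, not written by any poster in this thread): Google Authenticator implements TOTP (RFC 6238), which derives each code from a secret shared once at enrollment plus the current time, with no sync and no downloaded list. The sketch below shows the offline generator and a server-side check with a drift window and replay rejection; the function names are this example's own, and the sample secret is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # code length shown by the app

def decode_secret(b32: str) -> bytes:
    """Enrollment QR codes carry the shared secret as base32 text."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """What the phone computes offline: the counter is just the clock."""
    return hotp(secret, unix_time // STEP)

def verify(secret: bytes, code: str, unix_time: int,
           window: int = 1, last_counter: int = -1):
    """Server side: same computation, tolerating +/- `window` steps of clock
    drift and refusing any step at or before the last accepted one (replay).
    Returns the matched counter, or None."""
    now = unix_time // STEP
    for counter in range(max(0, now - window), now + window + 1):
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None

# Constructed sample input: the RFC 6238 test secret, base32-encoded.
SECRET = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=75:", verify(SECRET, code, 75))
    print("replayed:", verify(SECRET, code, 75, last_counter=1))
    print("stale at t=200:", verify(SECRET, code, 200))
```

Because every code is a pure function of the secret and the clock, the enrollment secret is the asset to protect: a single observed code expires within the drift window, while a copied secret yields every future code.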
 
/mod note/ thread title edited as indicated in OP - also moved from Offtopic to Security section, as this relates to recent announcement about planned changes to secure EU login.
 
Google made it, end of story. Do you really think Google would make something that could be easily hacked? Can you imagine how damaging it would be for their business? They have probably had the best hackers in the business in to pen test it.
 
I am a fan of Gold Card, as someone either has to break into my home and steal it. Or set up a fake webpage to lure me in.

As I have never downloaded something I shouldn't, I am very chuffed with the gold card.

Not only that, I have also been a fan of Google, text me the number. But alas even with that there is a way round even Google's 2-step. People can call your provider and get them to change your phone number, with very few details required.

Then all future texts to gain access get sent to the new number the hacker has, and then has unlimited access to your account.

The phone companies say, it is not their responsibility.

Think I will stick with Gold Card for as long as possible.


Rgds

Ace
 
/mod note/ thread title edited as indicated in OP - also moved from Offtopic to Security section, as this relates to recent announcement about planned changes to secure EU login.

I was joking about the title, it was supposed to be a mistake ;)
 
We have got a couple of penetration testers in at my work atm and I asked one of them about Google authenticator and he says he uses it for everything. He says you can't hack it unless you get hold of the phone or I think he said authentication codes that you also get.
 
We have got a couple of penetration testers in at my work atm and I asked one of them about Google authenticator and he says he uses it for everything. He says you can't hack it unless you get hold of the phone or I think he said authentication codes that you also get.

They don't need to get hold of the phone at all. Check my link above


Rgds

Ace
 
We have got a couple of penetration testers in at my work atm and I asked one of them about Google authenticator and he says he uses it for everything. He says you can't hack it unless you get hold of the phone or I think he said authentication codes that you also get.

I'd love to be on a night out and get talking to a lass and she asks what job do I have?
 
Ahh no? The app is offline so it generates the code offline. Ever wonder how your gold card works?

Where is this app located? On a device that can be connected to the internet? If yes, then it is unsafe.
 
The reason they have to use it, is because compet users aren't going to want to carry around a gold card.
 
Anecdotal. Need more information.. not theoretics.
 
We have got a couple of penetration testers in at my work atm and I asked one of them about Google authenticator and he says he uses it for everything. He says you can't hack it unless you get hold of the phone or I think he said authentication codes that you also get.

The problem with it is well known, if someone manages to convince your mobile provider that they are you and they give them a new sim or redirect the calls to another phone then the text messages will be sent to another device possibly giving them access.

http://www.howtogeek.com/212219/here’s-how-an-attacker-can-bypass-your-two-factor-authentication/

http://www.scmagazineuk.com/gmail-account-gets-hacked-despite-2fa/article/381157/
 
The problem with it is well known, if someone manages to convince your mobile provider that they are you and they give them a new sim or redirect the calls to another phone then the text messages will be sent to another device possibly giving them access.

http://www.howtogeek.com/212219/here’s-how-an-attacker-can-bypass-your-two-factor-authentication/

http://www.scmagazineuk.com/gmail-account-gets-hacked-despite-2fa/article/381157/

The Google Authenticator app doesn't use text messages, you open the app and it displays a code for you to enter. The ways it could be caught out are

- if your phone is stolen
- installing malware-infected apps on a jailbroken/no AV protection phone, which has the intention of hijacking the authentication app in a method Google haven't patched yet.
- your Google account credentials stolen and then effectively clone your phone and app

Either way the lowlife also requires your username too.

While the GC is obviously safer, it's more expensive to manufacture (a cost we have to cover) and less portable. The app is very secure if you don't install suspect apps, or don't use Android :cowboy:
 
Two weeks ago a friend of mine got his steam account hijacked. How? The support (derp) got super easily engineered. The "hacker" told support that he had lost his phone AND his email changed. Support said, "Oh okay, we'll take your phone number off and change that email address for you!"

BAM. Account hijacked. It was that easy. The tools themselves work very well. So well, we forget that there are still people out there with the power to simply give your account away. :eyecrazy:
 
Where is this app located? On a device that can be connected to the internet? If yes, then it is unsafe.

I can't even anymore... :banghead:

Some people just don't understand. You're all thinking this app can easily be hacked. How's your bank account? Hacked lately? :laugh:
 
I can't even anymore... :banghead:

Some people just don't understand. You're all thinking this app can easily be hacked. How's your bank account? Hacked lately? :laugh:

I don't have such an authenticator there, and my authenticator is not connected to the internet. So what are you talking about?

I am not saying this APP can be hacked, but the DEVICE this app is located on can be hacked. If your gold card reader would be connected to a computer, I am sure someone could access it also.

Trojan+hijack on your device and nothing will stop them using the authenticator.
 
I can't even anymore... :banghead:

Some people just don't understand. You're all thinking this app can easily be hacked. How's your bank account? Hacked lately? :laugh:

Nope cos I use a device I slide my bank card into and enter my PIN, not connected to the internet, my PC, smartphone or anything else.
(Bit like a gold card reader ;) )
 
Nope cos I use a device I slide my bank card into and enter my PIN, not connected to the internet, my PC, smartphone or anything else.
(Bit like a gold card reader ;) )

Then all of a sudden there's a card skimmer :rolleyes:
 
Then all of a sudden there's a card skimmer :rolleyes:

Card skimmer needs to be physically installed to this specific card reader. You can't hack a solid item that is not connected to the internet.

Connected to internet = hackable from any location in the world.
Not connected to internet = needs physical contact to be hacked.
 
Then all of a sudden there's a card skimmer :rolleyes:

Dunno what that is, but the device I use resides in my desk drawer, so I guess they also have to break into my house to install that onto my reader hoping that I wouldn't notice it had been done?
:laugh:
 
Card skimmer needs to be physically installed to this specific card reader. You can't hack a solid item that is not connected to the internet.

Connected to internet = hackable from any location in the world.
Not connected to internet = needs physical contact to be hacked.

You need to think of the app as the gold card. You're not going to hack this google auth. No one can. I would love to see them try. Nothing is impossible in the security field, but this is really close.
 