2 way authenticator got hacked

AxeMurderer

Elite
Joined
Nov 15, 2010
Posts
2,918
Avatar Name
Wand AxeMurderer Silva
So I installed this free game on my phone and it wanted some permissions I didn’t look at and next day my 2 way authenticator got hacked. Please help.

PS. Oops it was supposed to say 2 way authenticator in the title not gold card, that thing is solid. If a loving horse climbs at it – it moves 2 steps backwards. :makelove:

EDIT: I was joking about the title and put it in OFFTOPIC to be more obvious this is not real. It was a hypothetical joke expressing my concern about software security on phones that get hacked daily to be used for investments of tens of thousands of dollars.

Original title: Gold card got hacked
 

golddude

Elite
Joined
Jul 25, 2007
Posts
2,787
Location
South Dakota, USA
Society
Irken Invaders
Avatar Name
Ary Steve Hunter
It's an offline authenticator. Good luck
 

whiteknut

Elite
Joined
Nov 4, 2006
Posts
3,049
Location
Estonia
Society
Vikings of Calypso
Avatar Name
Snablesnot Male Young
> It's an offline authenticator. Good luck

So you have to be offline to use it? If not, then while you are online, anyone can access it.
 

golddude

> So you have to be offline to use it? If not, then while you are online, anyone can access it.

Ahh no? The app is offline so it generates the code offline. Ever wonder how your gold card works?
 

The Jetman

Prowler
Joined
Jul 3, 2010
Posts
1,409
Location
Sheffield UK
Society
Freelancer
Avatar Name
Paul Jetman Masters
If the google works the same as MS' on principle, it cycles through a 6-7 digit number every 30 seconds. so it either:-
1) syncs every 30 seconds with the server
2) works from a list synced on a regular basis
3) as (2) but set pattern, so the server can track your position (like GC).

either way, a rogue app could steal enough data to get the code for 30 seconds, but without getting access to the list on the MS/Google server it can't plan ahead (unless the list is stored on the phone too for method 3)

either way, android users should already be well aware of malware on their devices and should only download from their correct stores (Play/Amazon/Manufacturer) and expect malware from other sources, especially ones that give premium games for free

PS. This is my opinion, I have no deep knowledge of how Auth Apps work, this is how I feel they work
 

Serica

Moderator
Joined
Oct 31, 2006
Posts
5,356
Location
Australia
Society
Antipodean Army
Avatar Name
Harena Serica Turbinis
/mod note/ thread title edited as indicated in OP - also moved from Offtopic to Security section, as this relates to recent announcement about planned changes to secure EU login.
 

Ancient

Stalker
Joined
Sep 27, 2006
Posts
1,506
Location
UK
Society
TheAncients
Avatar Name
Jack Ancient O'Neill
Google made it, end of story. Do you really think google would make something that could be easily hacked? Can you imagine how damaging it would be for their business? They have probably had the best hackers in the business in to pen test it.
 

Ace Flyster

Elite
Joined
Aug 31, 2006
Posts
4,970
Location
England, London
Society
Rangers
Avatar Name
Dave Ace Flyster
I am a fan of Gold Card, as someone either has to break into my home and steal it. Or set up a fake webpage to lure me in.

As I have never downloaded something I shouldn't, I am very chuffed with the gold card.

Not only that, I have also been a fan of Google, text me the number. But alas even that there is a way round even Google's 2-step. People can call your provider and get them to change your phone number, with very few details required.

Then all future texts to gain access get sent to the new number the hacker has, and then has unlimited access to your account.

The phone companies say, it is not their responsibility.

Think I will stick with Gold Card for as long as possible.


Rgds

Ace
 

AxeMurderer

> /mod note/ thread title edited as indicated in OP - also moved from Offtopic to Security section, as this relates to recent announcement about planned changes to secure EU login.

I was joking about the title it was supposed to be mistake ;)
 


Ancient

We have got a couple of penetration testers in at my work atm and I asked one of them about Google authenticator and he says he uses it for everything. He says you can't hack it unless you get hold of the phone or I think he said authentication codes that you also get.
 

Ace Flyster

> We have got a couple of penetration testers in at my work atm and I asked one of them about Google authenticator and he says he uses it for everything. He says you can't hack it unless you get hold of the phone or I think he said authentication codes that you also get.

They don't need to get hold of the phone at all. Check my link above


Rgds

Ace
 

The Jetman

> We have got a couple of penetration testers in at my work atm and I asked one of them about Google authenticator and he says he uses it for everything. He says you can't hack it unless you get hold of the phone or I think he said authentication codes that you also get.

I'd love to be on a night out and getting talking to a lass and she asks what job do I have?
 

Ancient

> I'd love to be on a night out and getting talking to a lass and she asks what job do I have?

I had to edit my post cause my phone auto spelled it to penetrative tester lol
 

whiteknut

> Ahh no? The app is offline so it generates the code offline. Ever wonder how your gold card works?

Where is this app located? On a device that can be connected to the internet? If yes, then it is unsafe.
 

Ancient

The reason they have to use it, is because Compet users aren't going to want to carry around a gold card.
 

Ace Flyster

> The reason they have to use it, is because Compet users aren't going to want to carry around a gold card.

Compet and Entropia are separate? :scratch2:


Rgds

Ace
 

atomicstorm

Marauder
Joined
Aug 21, 2013
Posts
7,367
Location
Tennessee, USA
Society
Entropialoot.com
Avatar Name
MeLoveYou LongTime FiveDolla
Anecdotal. Need more information.. not theoretics.
 

SpikeBlack

Elite
Joined
Jun 22, 2006
Posts
4,987
Location
U.K.
Society
Entropia Directory
Avatar Name
Spike Spike Black
> We have got a couple of penetration testers in at my work atm and I asked one of them about Google authenticator and he says he uses it for everything. He says you can't hack it unless you get hold of the phone or I think he said authentication codes that you also get.

The problem with it is well known, if someone manages to convince your mobile provider that they are you and they give them a new sim or redirect the calls to another phone then the text messages will be sent to another device possibly giving them access.

http://www.howtogeek.com/212219/here’s-how-an-attacker-can-bypass-your-two-factor-authentication/

http://www.scmagazineuk.com/gmail-account-gets-hacked-despite-2fa/article/381157/
 

The Jetman

> The problem with it is well known, if someone manages to convince your mobile provider that they are you and they give them a new sim or redirect the calls to another phone then the text messages will be sent to another device possibly giving them access.
>
> http://www.howtogeek.com/212219/here’s-how-an-attacker-can-bypass-your-two-factor-authentication/
>
> http://www.scmagazineuk.com/gmail-account-gets-hacked-despite-2fa/article/381157/

The Google authenticator app doesn't use text message, you open the app and it displays a code for you to enter. The ways it could be caught out is

- if your phone is stolen
- installing malware infected apps on a jailbroken/no AV protection which has the intention of hijacking the authentication app in a method Google haven't patched yet.
- your Google account credentials stolen and then effectively clone your phone and app

Either way the lowlife also requires your username too.

While the GC is obviously safer, it's more expensive to manufacture (a cost we have to cover) and less portable. The app is very secure if you don't install suspect apps, or don't use android :cowboy:
 

Eli

Prowler
Joined
Jan 5, 2006
Posts
1,269
Avatar Name
Elissia Eli Talor
Two weeks ago a friend of mine got his steam account hijacked. How? The support (derp) got super easily engineered. The "hacker" told support that he had lost his phone AND his email changed. Support said, "Oh okay, we'll take your phone number off and change that email address for you!"

BAM. Account hijacked. It was that easy. The tools themselves work very well. So well, we forget that there are still people out there with the power to simply give your account away. :eyecrazy:
 

golddude

> Where is this app located? On a device that can be connected to the internet? If yes, then it is unsafe.

I can't even anymore... :banghead:

Some people just don't understand. You're all thinking this app can easily be hacked. How's your bank account? Hacked lately? :laugh:
 

whiteknut

> I can't even anymore... :banghead:
>
> Some people just don't understand. You're all thinking this app can easily be hacked. How's your bank account? Hacked lately? :laugh:

I don't have such an authenticator there, and my authenticator is not connected to the internet. So what are you talking about?

I am not saying this APP can be hacked, but the DEVICE this app is located on can be hacked. If your gold card reader would be connected to a computer, I am sure someone could access it also.

Trojan+hijack on your device and nothing will stop them using the authenticator.
 

SoReal

Stalker
Joined
Oct 31, 2005
Posts
1,829
Society
Titans Of Space
> I can't even anymore... :banghead:
>
> Some people just don't understand. You're all thinking this app can easily be hacked. How's your bank account? Hacked lately? :laugh:

Nope cos I use a device I slide my bank card into and enter my pin, not connected to the internet, my PC, smartphone or anything else.
(Bit like a gold card reader ;) )
 

golddude

> Nope cos I use a device I slide my bank card into and enter my pin, not connected to the internet, my PC, smartphone or anything else.
> (Bit like a gold card reader ;) )

Then all of a sudden there's a card skimmer :rolleyes:
 

whiteknut

> Then all of a sudden there's a card skimmer :rolleyes:

Card skimmer needs to be physically installed to this specific card reader. You can't hack a solid item that is not connected to the internet.

Connected to internet = hackable from any location in the world.
Not connected to internet = needs physical contact to be hacked.
 

SoReal

> Then all of a sudden there's a card skimmer :rolleyes:

Dunno what that is, but the device I use resides in my desk draw, so I guess they also have to break into my house to install that onto my reader hoping that I wouldn't notice it had been done?
:laugh:
 

golddude

> Card skimmer needs to be physically installed to this specific card reader. You can't hack a solid item that is not connected to the internet.
>
> Connected to internet = hackable from any location in the world.
> Not connected to internet = needs physical contact to be hacked.

You need to think of the app as the gold card. You're not going to hack this google auth. No one can. I would love to see them try. Nothing is impossible in the security field, but this is really close.
 