How safe are two factor authentication apps?

KijkkiJikki

Stalker
Joined
Jun 16, 2010
Posts
1,601
Location
Australia
Society
Dark Knights
Avatar Name
Kikki KJ Jikki
As we know, MA are developing a new two-factor authentication app that will eventually supersede the Gold Card system. https://www.planetcalypsoforum.com/...ation-Update&p=3463902&viewfull=1#post3463902

But while software-based two-factor authentication is convenient, it is inherently more vulnerable than physical solutions (such as the Gold Card).

As an example, here is a recent article warning about Android malware that circumvents two-factor authentication on these devices.

http://www.smh.com.au/technology/co...eals-twofactor-sms-codes-20160309-gnf528.html

I'm not sure what can be done to mitigate these sorts of risks. I'm in favour of the new app since it will encourage more people to improve their account security, but I think I will be sticking with the Gold Card for as long as possible.
 
It's an app that's already on the market. Google Authenticator. Google it. It's safe.
 
So it's not vulnerable to malware that spoofs the interface? How do you know that?

Regards,
KikkiJikki
 
The article that you put in your previous post was not about Google Authenticator but another authenticator. The vulnerability came from Flash Player and a fake version of it. Flash is a very risky program to install on any device because there are so many flaws. Plus, Google Authenticator is downloaded from the Google Play Store or Apple Store. Google Authenticator works offline, just like the Gold Cards.
 
Hi golddude.

Yep, I understand that Google Authenticator would not have the specific vulnerability described in the article I linked.

However, I searched online and found a number of articles describing security issues encountered with this app. I would hope that Google fixes vulnerabilities as and when they are found, but it still points to some degree of risk.

Even so, it's obviously way more secure than simply relying on password security.
 
The Gold Card system is vulnerable to attack from a cyber standpoint.

Anything that connects to or is associated with either an online or offline piece of hardware is vulnerable once the correct exploit is discovered. One-time cryptographic key generators have been broken in the past and will be in the future.

To be honest, the proposed new system is as safe as the current system, the only difference being that the vulnerability will be on both the client side (MA) and the user's side (our device).
 
Plus, I must add, Google Authenticator generates a new 6-digit random password every 30 seconds.
 
Both systems have a similar security problem.

Imagine your computer is infected by malware with the purpose of getting access to EU accounts.

It could replace the login screen with a fake one and grab all the data you enter:
login name, password and two-factor code.
After grabbing your data it will block you from logging in and show an error message.

If the malware is also able to infect your device with the app, then they would be able to generate codes on their own and you won't notice anything.

In short:
With both systems a hacker could get access one time.
If the device with the app is infected, he can access multiple times.
 
In short:
With both systems a hacker could get access 1 time.
If device with app is infected he can access multiple times.

The risk that someone is able to both hack your computer to get your EU login password and also hack your mobile and the security app must be close to zero. And also, even if the account is hacked, it's hard for the hacker to steal anything, with withdrawals taking a couple of months. Of course they can do a bit of shit to the player, but it's hard for them to actually earn any money from it.
 
It's actually very easy to infect someone's computer and mobile device.

The vast majority of people connect their mobile device to their computer for backups, content transfer/download or even just power. This provides quite an easy path to infect multiple devices.

In addition opening your email on computer and from a mobile can have the same effect.
 
Let's assume we have 50k active players.
1% of them get hacked -> 500 players.
Let's assume the average gain after money laundering is 500 PED / $50.
So that would be 500 * $50 = $25k for the hacker.

A hacker that is able to do it could gain a lot more by hacking something else.

In short: EU is not worthwhile to hack.
When the count of active players reaches values like WoW, then I am sure this will change.
 
2-way authentication is by definition more vulnerable than any offline solution; that's just a fact by virtue of how a network functions. Getting root access remotely on a phone and masking the remote connection to apps is not a very hard thing to do for someone with knowledge in that area.

Couple that with the fact that most mobile carriers don't provide automatic security updates the second they become available, like Microsoft or Apple do for PC/Mac (the manufacturer generally pushes out the update a few weeks in advance before all carriers forward them along to the phones), and in my opinion we have a complete shitstorm on our hands if hackers decide to target EU.

The main reason why I trust my bank's phone app (although I don't use it myself for different reasons) and am sceptical about MA's is because if some lowlife hacks my bank account my bank will sort that out for me; they have to, it's the law. But what happens to my EU account is uncertain. Do I get my money back? Do I get locked out for 6 months and then told "sorry, we can't help you"?

In short: I'm fine with 2-way authentication overall, but the company offering it should really have an ironclad "you are sorted no matter what" policy in place for me to be fine with it.

Cheers
Jonas
 
[Image: "if it's not broke, don't fix it"]
 
MA intends to use Google authentication.
 
Both systems have a similar security problem.

Imagine your computer is infected by malware with the purpose of getting access to EU accounts.

It could replace the login screen with a fake one and grab all the data you enter:
login name, password and two-factor code.
After grabbing your data it will block you from logging in and show an error message.

If the malware is also able to infect your device with the app, then they would be able to generate codes on their own and you won't notice anything.

In short:
With both systems a hacker could get access one time.
If the device with the app is infected, he can access multiple times.
Only takes one time
 
The new application sounds good for daily login.
But I recommend that MA combine it with the way Steam login works,
like the Steam authentication email you get if Steam detects changes in your settings.
 
The new application sounds good for daily login.
But I recommend that MA combine it with the way Steam login works,
like the Steam authentication email you get if Steam detects changes in your settings.

Steam is very unstable. I wouldn't recommend anything that Steam does. I've had friends lose accounts or have accounts locked because of their system.
 