Google’s own data proves two-factor is the best defense against most account hacks

Every once in a while someone will ask me what the best security advice is.

The long answer is “it depends on your threat model,” which is just a fancy way of saying what’s good security advice for the vast majority isn’t necessarily what nuclear scientists and government spies require.

My short answer is, “turn on two-factor.” Yet, nobody believes me.

Ask almost any cybersecurity professional and they will likely rank it as more important than using unique or strong passwords. Two-factor, which adds an additional step to your usual log-in process by sending a unique code to a device you own, is the greatest defense between a hacker and your online account data.

But don’t take my word for it. Google data out this week shows how valuable even the weakest, simplest form of two-factor can be against attacks.

The research, with help from New York University and the University of California, San Diego, shows that any device-based challenge — such as a text message or an on-device prompt — can in nearly every case prevent the most common kind of mass-scale attacks.

Google’s data showed having a text message sent to a person’s phone prevented 100% of automated bot attacks that use stolen lists of passwords against login pages and 96% of phishing attacks that try to steal your password.

Account takeover prevention rates by challenge type (Image: Google)

Not all two-factor options are created equal. We’ve explained before that two-factor codes sent by text message can be intercepted by semi-skilled hackers, but it’s still better than not using two-factor at all. Its next best replacement, getting a two-factor code through an authenticator app on your phone, is far more secure.

Only a security key, designed to protect the most sensitive accounts, prevented both automated bot and phishing attacks but … Read the rest

‘Crypto exchange’ Goxtrade caught using other people’s photos on its staff page

Alleged cryptocurrency exchange Goxtrade bills itself as a “trusted platform for trading bitcoins,” but its staff page is filled with photos of people pulled seemingly at random from the internet.

The alleged exchange, which claims to have launched in 2017 even though its website is only a little more than a week old, used photos taken from social media profiles and from the websites of companies that have no connection to it.

Bizarrely, the alleged exchange didn’t bother to change all of the names of the people whose photos it used.

Amber Baldet, co-founder of Clovyr, a prominent figure in the blockchain community, and listed in Fortune’s 40 Under 40, was one of the people whose name and photos appeared on the site.

“Fraud alert: I am not a developer at Goxtrade and probably their entire business is a lie,” she tweeted Friday.

Nearly all of the names are accurate but have no connection to the site (Image: TechCrunch)

Goxtrade claims to be an exchange that lets users “receive, send and trade cryptocurrency.” After we created an account and signed in, it was not clear whether the site even works. But the online chat room has hundreds of messages from users trying to trade their cryptocurrencies. The site’s name appears chosen to evoke Mt. Gox, a failed cryptocurrency exchange that collapsed after it was hacked. At its 2014 peak, the exchange handled more than 70% of all bitcoin transactions. More than $450 million in bitcoins were stolen in the apparent breach.

Baldet isn’t the only person wrongly associated with the suspect site.

TechCrunch has confirmed the other photos on the site belong to other people seemingly chosen at random — including a claims specialist in Illinois, a lawyer in Germany and an operations manager in Melbourne.

Another person whose photo was used without … Read the rest

Google discloses security bug in its Bluetooth Titan Security Keys, offers free replacement

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys, which sell for $50 in a package that also includes a standard USB/NFC key, that have a “T1” or “T2” on the back.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attacker can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by having their own device masquerade as your security key and connect to your device when you press the button on the key. Having done that, the attacker can then change their device to present itself as a keyboard or mouse and remotely control your laptop, for example.

All of this has to happen at exactly the right time, though, and the attacker must already know your credentials. A persistent attacker could make that work, however.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that … Read the rest

Binance pledges to ‘significantly’ increase security following $40M Bitcoin hack

Binance has vowed to raise the quality of its security in the aftermath of a hack that saw thieves make off with more than $40 million in Bitcoin from the exchange.

The company — which is widely believed to operate the world’s largest crypto exchange based on trading volumes — said today that it will “significantly revamp” its security measures, procedures and practices in response. In particular, CEO Changpeng Zhao wrote in a blog post that Binance will make “significant changes to the API, 2FA, and withdrawal validation areas, which was an area exploited by hackers during this incident.”

Speaking on a live stream following the disclosure of the hack earlier this week, Zhao said the hackers had been “very patient” and, in addition to targeting high-net-worth Binance users, he suggested the attack used both internal and external vectors. That might well mean phishing, and that’s an area where Zhao has pledged to work on “more innovative ways” to combat threats, alongside improved KYC and better user and threat analysis.

“We are working with a dozen or so industry-leading security expert teams to help improve our security as well as track down the hackers,” Zhao wrote. He added that other exchanges are helping as best they can to track and freeze the stolen assets.

The real focus must be to look forward, and in that spirit, Binance said it will soon add support for hardware-based two-factor-authentication keys as a method to log in to its site.

That’s probably long overdue and, perhaps to make up for the delay, Zhao said the company plans to give away 1,000 YubiKeys when the feature goes live. That’s a worthy gesture, but unless Binance is giving out a discount code to redeem on the website directly, security purists would likely recommend users buy their … Read the rest

Justice Department charges Chinese hacker for 2015 Anthem breach

U.S. prosecutors have brought charges against a Chinese national for his alleged involvement in the data breach at health insurance giant Anthem, disclosed in 2015, that resulted in the theft of 78.8 million records.

Fujie Wang, 32, and other unnamed members of a China-based hacking group, are charged with four counts of conspiracy to commit fraud, identity theft and computer hacking.

Names, addresses, dates of birth, employment and income data, Social Security numbers and highly sensitive medical information were stolen in the breach.

The hackers are also accused of breaking into three other businesses — a tech company, a basic materials firm and a communications giant — none of which were named in the indictment.

The FBI-issued wanted poster for Fujie Wang, a China resident (Image: FBI)

Prosecutors said the hackers used “sophisticated techniques to hack into the computer networks of the victim businesses without authorization” — including spearphishing attacks. The hackers are said to have “patiently waited months” after they broke into the health insurance giant’s systems before they stole data.

The hackers are said to have stolen the 78 million records over a month between October and November 2014 by transferring large archive files from Anthem’s data warehouse back to China.

Anthem disclosed the breach in February 2015. The company later paid $115 million to settle lawsuits relating to the breach.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said U.S. assistant attorney general Brian Benczkowski in remarks. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their personal identifiable information.”

Wang is currently wanted by the FBI.

Read the rest