Summary:

• A security researcher recently revealed that a large database containing companies' two-factor authentication codes was publicly exposed.

• The data is related to a service used by Google, Meta and TikTok that is designed to send text messages containing verification codes to verify the user's identity as quickly as possible.

• Attacks on two-factor authentication take a variety of forms, from hacking into a person's iCloud to stealing their phone number to bypassing encryption.

A security researcher has discovered an unprotected database that manages access to services at some of the world's largest tech companies. The database belonged to a short message service (SMS) routing operator responsible for sending two-factor authentication (2FA) codes to users of Meta, Google, and possibly crypto companies.

Researcher Anurag Sen found that the database of the company, YX International, was left unprotected on the public internet, allowing anyone who reached its public Internet Protocol (IP) address to view the data.

Users affected by the two-factor authentication breach

YX International sends security codes to users logging into Meta, Google and TikTok platforms. The company ensures that users' messages are delivered quickly via global mobile networks. The messages it sends include security codes that form part of the two-factor authentication scheme used by many large companies to protect user accounts.

Some service providers, such as Google, verify the user's identity by sending a text message code after the user enters a password. Other authentication options include generating a code from an authentication app to supplement the password.

Red box shows weaknesses in SMS 2FA authentication | Source: All Things Auth

While two-factor authentication is intended to improve security, it is not a panacea. For this reason, crypto exchange Coinbase warns that 2FA is a minimum security measure, but not a surefire way to prevent funds being stolen from crypto wallets.

Coinbase said:

"While 2FA is designed to increase security, it is not foolproof. A hacker who gains access to two-factor authentication can still gain unauthorized access to an account. Common methods include phishing attacks, account recovery programs, and malware. Hackers can also intercept text messages used in 2FA."

Criminals are using these methods to bypass 2FA

Last year, reports emerged about how criminals were able to bypass 2FA on Apple devices. Hackers were able to access Apple's cloud platform iCloud and replace the user's phone number with their own. This scheme compromised funds in crypto wallet apps on Apple devices, as some apps could send verification codes to the compromised phone number.

Criminals can also use SIM swapping to conduct two-factor authentication crypto scams. In this attack, criminals convince mobile carriers like AT&T or Verizon to transfer a phone number from the legitimate owner to a fraudster. After that, the criminal only needs one more piece of information to access the self-hosted wallet app tied to that phone number.

In light of the surge in quantum technology, Apple recently strengthened the security of the Secure Enclave, the hardware security component built into the iPhone. Its post-quantum encryption scheme generates new keys whenever a malicious actor compromises an old key.

This feature can help crypto wallet developers improve their customers’ crypto security by storing critical information in the Secure Enclave. So far, at least one vendor has used the Secure Enclave to grant access to its wallet app.

The reporter contacted Binance and Coinbase, the world's largest cryptocurrency exchanges, to find out whether the YX International data breach affected their users. As of the time of publication, neither company had responded.

#SecurityVulnerability #2FA