Just a friendly reminder, make sure your Microsoft account is extremely secure. Even with 2 part Authenticator… my account was hacked, and within one minute… my security protocol gone, alias made, email changed, and I was locked out. My Flight Simulator and a lot of software was gone with it. And even though I was able to recover the account today… everything under that account is compromised. I thought I was very secure… but I wasn’t.
Hey - sorry to hear this. But, I’m confused - how could you get hacked when you have multi-factor authentication?
It’s actually quite simple to bypass 2FA. Most folks use their phone. It cost a hacker 16 USD (!) to get the victim’s 2FA redirected to his phone. Bingo.
*Vice magazine, popular for its alternative journalism and extreme reporting, published an article last March about an experiment that caused a stir in the cybersecurity community: journalist Joseph Cox paid a hacker to try to break into his accounts without having any of his physical devices, such as his mobile phone, in their possession. The hacker succeeded very easily, and it only cost him $16 to do so, which was the cost of a legitimate, off-the-shelf tool.
The hacker, named Lucky225, managed to do this without hacking the SIM card, which is the most common method in these cases. Instead, he took advantage of multi-factor authentication (MFA), which clearly wasn’t secure enough. How did he do it? He simply used a marketing campaign tool called Sakari, which allows companies to send bulk SMS messages to lists of mobile numbers for commercial purposes. Lucky225 sent Sakari a Letter of Authorization filled out with false data and claiming that he was the owner of the journalist’s phone number. As a result, SMS messages to the victim of the experiment started to be diverted to the application and the journalist no longer received them on his mobile phone. The hacker was able to access many of the victim’s online accounts: all he had to do was to ask for new passwords and the SMS sent by the portals with the new passwords were sent directly to the hacker.*
It’s harder to bypass if you’re using dedicated 2FA apps such as Google Authenticator or OKTA or similar.
Dang that is scary!! You’d think with 2-part authentication, that would be very hard to do. Sorry!!
That’s insane that it could be done that easily.
To be fair, that hacking description is only for SMS text based 2FA, and that demonstrates exactly why SMS text based 2FA is not considered very secure.
Your best bet is with an authenticator app, like Google authenticator.
Email-based 2FA is somewhat secure if you happen to have and manage your own email domain and servers, and you know how to do it right… and your IT sec discipline is well developed.
There was a time when authenticator apps were easily hacked because the device OSes would allow apps to do a screen capture without the user ever having to grant that app permission. But mobile device OSes have since been improved to not allow that.
No authentication method will ever be unbreakable. Whether it is the first layer of authentication or the second… or third.
Which drives home the key point – you need strong/complex/non-memorable passwords and 2FA. 2FA isn’t there to allow you to have a weak password, it is there to make it highly unlikely and pragmatically impossible for someone to breach your password AND breach your second layer of authentication.
Don’t people realize Microsoft has its own Authenticator app? Maybe not enough people here are dual PC/XBox gamers. I don’t know. Anyway, I’ve had this app installed for years and it works great.
That is kinda what happened… but it was through the Microsoft Authenticator app. My mistake was having facial recognition on the Microsoft Authenticator enabled.
The Microsoft Authenticator app is the one they hacked… actually
I have since made all my passwords computer generated garbles of nonsense that even I can’t remember!
“They”? That doesn’t make a lot of sense to me. Do you have a link to anything in the computer security/infosec press talking about attack vectors for app-based authentication? I know SMS attacks/hijacking as discussed above are a real-world thing but I’ve never heard of a major-vendor MS/Google/Duo Mobile/whatever authenticator app, distributed via the iOS App Store or Google Play Store, being an attack vector.
What happened was this… last Saturday I got a warning on the Authenticator app on my iPhone that XYZ was trying to log in to my Microsoft account… and the window said it was from Pakistan and of course I pressed “Deny”. That login was unsuccessful. I changed my Microsoft account password. Monday came around and the same XYZ was trying to log in again, except from Mexico. I hit “Deny” again… except this time, my facial recognition popped up, scanned me… and he was in my account. I most definitely hit DENY… but it went through anyway. That’s all I can tell you.
That seems to me to be the key. Sounds like an inadvertent brush across the screen or some kind of spurious signal back from the app to the MS security server. Did you report the incident to Microsoft in some way to fully and completely explain what happened?
I’ve been using the MS Authenticator app and several other authentication apps for years for both personal and work use (in multi-million dollar projects) and never had anything like that kind of blatant wrong behavior from the app. And yes, once in a great while I get notice of someone trying to hijack an account and have always been able to deny the attack, even with iOS Face ID enabled.
I did indeed report it to Microsoft. It was the first time I have ever witnessed this behavior… it was extremely concerning. I believe with something so critical… there should be at least two checks in the Authenticator in order to deny or accept… just in case there is an “accidental brush” or anomaly. That’s just my opinion. Anyway, I’ve taken steps to hopefully mitigate this problem from happening again.
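The suggestion above, that a push approval should need a second check so that a stray tap or an unexpected biometric prompt cannot approve a login by itself, can be modelled in a few lines. The following is an added illustration written for this thread, not Microsoft's or any vendor's code, and the design it shows (a two-digit "match number" displayed only on the login page, which the user must type into the app to approve) is a hypothetical one. The origins "Pakistan" and "Mexico" in the `__main__` run are taken from the story above; everything else is constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PushChallenge:
    challenge_id: str
    match_number: str   # shown only on the login screen, never inside the push payload
    origin: str         # where the login attempt came from, shown to the user in the app
    decided: bool = False
    approved: bool = False


class PushMfaServer:
    """Toy model of a push-approval MFA server (hypothetical; not any vendor's implementation)."""

    def __init__(self) -> None:
        self.pending: Dict[str, PushChallenge] = {}

    def start_login(self, origin: str) -> PushChallenge:
        """Called after the password check passed. Creates a one-shot challenge whose
        two-digit match number is returned to the login page only."""
        ch = PushChallenge(secrets.token_hex(8), f"{secrets.randbelow(100):02d}", origin)
        self.pending[ch.challenge_id] = ch
        return ch

    def push_payload(self, challenge_id: str) -> dict:
        """What the authenticator app receives: the challenge id and origin, not the number,
        so a reply generated on the phone without the user reading the login screen cannot approve."""
        ch = self.pending[challenge_id]
        return {"challenge_id": ch.challenge_id, "origin": ch.origin}

    def respond(self, challenge_id: str, action: str, typed_number: Optional[str] = None) -> bool:
        """The second check: 'approve' only counts if the user also typed the number shown on
        the login screen. An accidental brush, a spurious signal from the app, or a replayed
        response is treated as a deny. Returns True only when the login is approved."""
        ch = self.pending.get(challenge_id)
        if ch is None or ch.decided:
            return False                # unknown or already-used challenge
        ch.decided = True               # exactly one decision per challenge
        if action != "approve":
            return False                # explicit deny
        if typed_number is None or not hmac.compare_digest(typed_number, ch.match_number):
            return False                # approve without the right number is a deny
        ch.approved = True
        return True


if __name__ == "__main__":
    server = PushMfaServer()
    # Saturday: attempt from Pakistan, user denies
    ch = server.start_login("Pakistan")
    print("deny ->", server.respond(ch.challenge_id, "deny"))
    # Monday: attempt from Mexico; a biometric prompt alone cannot approve it
    ch = server.start_login("Mexico")
    print("app payload:", server.push_payload(ch.challenge_id))
    print("approve without number ->", server.respond(ch.challenge_id, "approve"))
    # A genuine login by the account owner, who reads the number off the login page
    ch = server.start_login("Home")
    print("approve with number ->", server.respond(ch.challenge_id, "approve", ch.match_number))
```

The two properties worth noticing are that the number never travels in the push message, and that each challenge accepts exactly one decision, so a late or duplicated "approve" after a "deny" changes nothing.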
I think your real concern might be that you changed passwords, and they were able to capture both of them - otherwise the authenticator would not have even passed the request up for your approval. That to me would mean you have a vulnerability somewhere that’s exposing your passwords.
Right - a key logger trojan or something would be my real concern.
I don’t get it, the phone company still isn’t compromised and Microsoft or others still send the SMS to your phone. How can a company or app called Sakari tell Microsoft to change the phone number?
OK, I read it; there are companies out there that can just do this. They can copy any number lol. How on earth do law and phone companies let this happen?
Details here
So the phone companies must have made a deal to give such companies the power to reroute phone numbers, lol
How did they know your phone number to send the key to/intercept?
The article explains in detail that the Telco industry is still effectively unregulated in the sense that there is no Consumer Protection oversight when it comes to the consent portion of having your number and associated services be changed or transferred without explicit owner consent being sought. That’s also how attackers can Social Engineer a target’s phone carrier to execute a number transfer easily.
Yeah, I wonder how it’s technically possible. They must have an API to the phone carrier or something. They must have contracts with them too?
Otherwise everybody can program such tools.