Arthur
Honorary Master
Scary. From report:
-----
Computer security researchers warn security shortcomings in Android/Playstore undermine the security offered by all SMS-based two-factor authentication (2FA).
...A paper about the issue was published at the Financial Crypto conference back in February. A research paper looking at the wider issues of phone-based 2FA, How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication on can be found here (PDF). In the paper, the researchers argue that Apple's Continuity feature that brings iOS and Mac OS X devices closer together is equally dangerous.
...To support our findings, we present practical attacks against Android and iOS that illustrate how a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone and thus bypass the chain of 2FA mechanisms as used by many financial services.
El Reg source.
-----
Computer security researchers warn security shortcomings in Android/Playstore undermine the security offered by all SMS-based two-factor authentication (2FA).
...A paper about the issue was published at the Financial Crypto conference back in February. A research paper looking at the wider issues of phone-based 2FA, How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication on can be found here (PDF). In the paper, the researchers argue that Apple's Continuity feature that brings iOS and Mac OS X devices closer together is equally dangerous.
...To support our findings, we present practical attacks against Android and iOS that illustrate how a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone and thus bypass the chain of 2FA mechanisms as used by many financial services.
El Reg source.