One Article Review

Home - The article:
Source: NoticeBored
Identifier: 1779400
Publication date: 2020-03-05 09:44:29 (viewed: 2020-06-29 11:00:30)
Title: NBlog March 5 - SIM swap fraud
Text: I've heard rumours about the possibility of SIM-swap "identity theft" (fraud) but wasn't aware of the details ... until reading a couple of recent articles pointing to an academic paper from a team at Princeton University.

The fraud involves socially engineering the cellphone companies into migrating a victim's cellphone number onto a new SIM card, one in the fraudster's possession. That gives the fraudster control of a factor used in several multifactor authentication schemes ... and in some cases, that's enough to take full control (e.g. resetting the victim's password - another factor). Otherwise, it might take them a bit more effort to guess, steal or brute-force the victim's password or PIN code first.

Authentication is usually a key control, yet authentication schemes often turn out to have vulnerabilities due to:

- Fundamental design flaws (e.g. saving passwords unencrypted or weakly encrypted)
- Bugs in the software and firmware (e.g. cheat codes - bypasses and backdoors in production, and broken crypto in CPU microcode)
- Physical hardware limitations (e.g. the tolerances needed for biometrics, allowing fakes and forgeries)
- Issues in their implementation, configuration and administration (e.g. giving new users the same well-known default passwords, or weak password reset mechanisms)
- Operational "user" issues (e.g. naively falling for phishing attacks)

Multifactor is stronger than single-factor authentication but still not perfect ... hence, aside from addressing the vulnerabilities, we should also anticipate control failures and put in place further, supplementary controls to detect and respond to incidents.

The risks are there for authentication to networks, systems, apps and online services in general, but the greater potential impacts in the case of, say, banking, law enforcement and defence imply greater risks, justifying the investment in stronger controls.
Sent: Yes


The article does not appear to have been picked up again after its publication.

The article does not appear to have been taken from an earlier one.