On Wed, 11 Apr 2012 10:41:20 -0400 Jeffrey Walton wrote:
> >> Two factor authentication using a cell phone was recently broken:
> >> "Two-channel breached: a milestone in threat evaluation, and a floor
> >> on monetary value",
> >> http://financialcryptography.com/mt/archives/001349.html
> >
> > That's not broken. If you don't use it as "Two Factor" aka defense in
> > depth then you're just using it badly. "Two network" auth is how it should
> > be used but it still adds some defense even when incorrectly used just
> > on the phone as you'd need to either locally sniff SMS traffic likely
> > requiring permissions bypass or decrypt the SMS traffic in the air or
> > hack the Telco's network. All easier than you would think but still
> > it does add to security and in the face of single sign-on systems.
> Tell that to the folks who lost $45,000.

It still took longer. Of course a simple dedicated OTP device is more secure and they've been around for ages assuming the crypto is ok. With Barclays NFC cards automatically giving out numbers in plain text that can be used on Amazon. I wouldn't be surprised if it was terrible crypto though.
