In this case, it appears that the victims were deceived by a well-attended
phishing campaign into giving up both their password and their SMS-provided
2FA code. Amin is simply asking what the lifetime of that code is, since it
is not nearly as short as the Authenticator-provided number.


On Wed, Aug 27, 2014 at 6:46 PM, John Adams <j...@retina.net> wrote:

> I don't know where you're getting your information from, but I audited
> Google's 2FA when I worked at Twitter.  The attack scenario that is
> described here is simply not possible without the endpoint being
> owned.
>
> Code replay is not possible. Once a code is accepted, it cannot be
> used again to log in.
>
> The SMS attack is substantially more likely, but you can disable SMS
> codes in preferences. You should not use SMS at all if you can avoid
> it.
>
> Additionally, in order to get past 2FA, the attacker would have to
> have the user's password. All of this points to some sort of remote
> access tool or keylogger being active on the activist's machine.
>
> -j
>
>
> On Wed, Aug 27, 2014 at 10:08 AM, Nadim Kobeissi <nadim@nadim.computer> wrote:
> > The two-step verification used by Google is based on the TOTP protocol [1],
> > which is the open standard for this sort of thing.
> >
> > To answer your questions Amin:
> >
> > 1. Tokens last 60 seconds according to the TOTP standard.
> > 2. Your journalist friends would be very well-advised to use an app [2]
> > instead of SMS codes. By using an authenticator app, they will be able to
> > obtain codes without using SMS, even with their phone not connected to a
> > network at all.
> >
> > [1] http://tools.ietf.org/html/rfc6238
> > [2] https://support.google.com/accounts/answer/1066447?hl=en
> >
> >
> >
> > On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti <aminsab...@gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> Recently, a bunch of Iranian journalists/activists have been targeted by
> >> Iranian hackers.
> >>
> >> Some of them said their 2-step verification was active during the attack,
> >> but the hacker could reuse the code that was sent by Google via SMS and
> >> pass 2-step verification!
> >>
> >> I was wondering whether some folks here know the validation time for the
> >> 2-step verification code that users receive through SMS, not the app.
> >>
> >> Cheers,
> >>
> >> Amin
> >>
> >> --
> >> Liberationtech is public & archives are searchable on Google. Violations
> >> of list guidelines will get you moderated:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> >> change to digest, or change password by emailing moderator at
> >> compa...@stanford.edu.
> >
> >
> >


-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
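Two claims in the thread are mechanical enough to show in code: the code lifetime is a function of the TOTP time step, and a server that remembers the last counter it accepted cannot be replayed with a code that already logged someone in. The block below is an added example, not code from the original thread or from Google; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the RFC's default 30-second step and the RFC's published test secret, plus a small server-side verifier (the `TotpVerifier` class, window size and the `last_accepted` bookkeeping are my own assumptions about a reasonable design, not a description of Google's implementation). Note that an SMS-delivered code is generated and expired by server policy, which this RFC does not govern, so the example answers the app-code half of Amin's question only.

```python
import hashlib
import hmac
import struct

# Constructed input: the shared secret used for the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((T - T0) / X). The RFC's
    reference value for X is 30 seconds, so a code is valid for one such step
    (plus whatever clock-skew window the verifier allows)."""
    return hotp(secret, (unix_time - t0) // step, digits)


class TotpVerifier:
    """Server-side check for one user (assumed design, not Google's code).

    Accepts a code if it matches any counter within +/- `window` steps of the
    current one, but never a counter at or below the last one already
    accepted. That second rule is what makes an accepted code single-use:
    a phished or intercepted code that has already logged someone in is
    rejected on replay even while its time step is still current."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted = -1  # highest counter ever accepted for this user

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted:
                continue  # already burned (replay) or older than a burned one
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_accepted = counter
                return True
        return False


def replay_demo() -> tuple:
    """Accept a code once, then present the same code two seconds later.
    Returns (first_result, replay_result, fresh_code_result)."""
    v = TotpVerifier(RFC_TEST_SECRET, digits=8)
    phished = totp(RFC_TEST_SECRET, 1111111109, digits=8)
    first = v.verify(phished, 1111111109)
    replay = v.verify(phished, 1111111111)            # same code, still inside the skew window
    fresh = v.verify(totp(RFC_TEST_SECRET, 1111111111, digits=8), 1111111111)
    return first, replay, fresh


if __name__ == "__main__":
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC_TEST_SECRET, t, digits=8))
    print(replay_demo())
```

The six timestamps printed at the end are the SHA-1 rows of the RFC 6238 Appendix B test table, so the output can be checked against the RFC directly. In `replay_demo` the replayed code would still be accepted by a verifier with only a skew window and no `last_accepted` state, which is the difference between "the code is still within its lifetime" and "the code can still log you in".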
