Over 1,500 SingPass accounts hacked: IDA
By Nurul Azliah Aripin | Yahoo Newsroom – 13 hours ago
ricky l
2FA OTP, whether through a hard token or SMS, will prevent the changing of the userid and password.
Even if the userid and password are stolen by keylogger malware or by brute force, hackers still cannot change the password without getting through the 2FA, since it is not possible for hackers to break the One Time Password.
ricky l
Using a soft token may not be a good idea, because if an end device is infected by keylogger malware, the keylogger will capture the keystrokes when keying in the userid and password, and the passcode that appears from the soft token can also be captured by the keylogger. If the keylogger allows the hackers to key in the captured userid, password and passcode faster than the compromised user, then the hacker can hack in.
If someone uses SMS OTP through a smartphone, the SMS passcode generated by the telco network infrastructure (separate from the Singpass network infra) will still appear on the same smartphone device. If a keylogger has infected the smartphone, then it can capture all of the userid, password and passcode, with a similar effect to the soft token, where the hacker can hack in faster than the user.
This is especially so if the hacker can remotely take control of the user's device, e.g. through RDP or remote control software.
ricky l
2FA using a hardware token or SMS OTP on a smartphone different from the device that accesses Singpass will be safest, because keylogger malware on an infected device cannot capture an OTP generated on a separate network and device by a hardware token or SMS OTP on another smartphone.