Numeric passwords ‘extremely weak’, can be easily cracked, say cybersecurity experts
Experts say that passwords using just numbers, such as those required by Singapore Airlines' KrisFlyer and Qantas’ Frequent Flyer programmes, can be easily cracked using methods like brute-force attacks.
(Updated: )
Ricky Lim ·
Ms Sherie Low told Channel NewsAsia that Krisflyer should update its security system, which requires members to log in with their membership account number and a six-digit personal identification number (PIN).
"At the very least it should be protected with a one-time password," she said. "They cannot have such a flimsy system that allows hackers to get into accounts so easily and also add nominees so easily."
==
Posted on :-18 Apr 2018
Ricky Lim ·
Singapore
For eCommerce transaction, it is imperative for Corporation to adopt 2FA to prevent phishing attacks.
So that when hackers manage to phish userid and passwords from users - the hackers will not be able to perform eCommerce transactions - because it will need a 2FA to complete the eTransactions - as userid and passwords are not good enough.
As hackers will not have the SMS 2FA or secure-token generated random numbers - such phishing attack will not be successful.
SIA should seriously consider 2FA for eCommerce transactions.
The only problem is --- overseas members will have difficulty using 2FA - as SMS is need to use local telcos and distributing secured token to overseas members will be a challenge. (To mitigate this challenge, a 2FA generated number can be sent to the email of the overseas member).
Jeremey Wong
I am fine with just password but at least need longer password with all the nasty characters mandatory. Must have capital letter la, lower case la, numeric la and strange characters and must be minimum 12 characters for the password.
Ricky Lim ·
Singapore
Jeremey Wong - when a keylogger malware get into your end-device - whether smartphone or your laptop --- no matter how fantastic your password is - is useless.
Eg. a keylogger malware is loaded into your laptop - whatever you type - the keylogger will capture your keystroke one by one - and pipe back to hacker server who can later retrieve your userid and password.
If if you use OTP 2FA (One time password - 2-factor authentication) - even if the keylogger capture your keystroke on the 2FA - the hacker can't use it to login into your account because it is only valid once unlike your userid and password which are used everytime you login.
Ricky Lim ·
Moreover OTP 2FA (sms or secure token) - are randomly generated numbers that cannot be hacked by brute force - because it is time sensitive where the Authentication Servers time must synch with NTP (Network Time Protocol) - where the random generated numbers are only valid within a few minutes time frame that synch with Stratum 0 and 1 of atomic clock of the satellite.
Thus when hackers capture the 2FA - it will not be able to key in faster than the user, also if the user use it once, the hacker cannot use it the 2nd time and also the limited valid time limit to keyin the 2FA is too short for hacker to login.
So in short, 2FA is almost foolproof for eCommerce transaction - and is highly recommended for Corporations that offer eCommerce via the Web.
ビンオマール宗作
Ricky Lim 2FA only goes some way as a solution, but the weakest link is always the user. Did you notice how there are still successful hacking attempts of bank accounts even today with 2FA? A malware on the phone can intercept 2FA smses and send it to an attacker fast enough to let them enter an account, especially if the entire operation is automated. Secure tokens are costly to deploy, and are probably not worth it for SIA to deploy just to protect flyer miles, as they have to foot the bill, or pass it on to the end user. So although 2FA helps as part of a layered approach to security, it is not the silver bullet you make it out to be.
Ricky Lim ·
Singapore
ビンオマール宗作 - If you do your eTransaction with your laptop and receive your 2FA with your handphone - how do hackers reconcile the userid, password with the 2FA whereby laptop is going through internet and sms is going via phone network?
Both internet and voice network are 2 separate network.
Like · Reply · 1m
Ricky Lim ·
Unless you do your eTransaction using your smartphone - by keying in your userid and password and receiving the SMS 2FA on the same smartphone. Then 1 malware in your smartphone can capture both your user credential from Internet and your SMS 2FA from voice network that landed in the same smartphone.
This method is not recommended - because your Andrioid phone or iPhone - will not have sufficient protection as oppose to your laptop.
Security in Android or iPhone are weak - as compare to laptop personal firewall, anti-virus or anti-malware software or security updates.
Moreover, 2FA means using 2 separate devices - and not 1 smartphone to do eTransaction via Internet and receiving 2FA from the voice network in the same devices.
"At the very least it should be protected with a one-time password," she said. "They cannot have such a flimsy system that allows hackers to get into accounts so easily and also add nominees so easily."
==
Posted on :-18 Apr 2018
Ricky Lim ·
Singapore
For eCommerce transaction, it is imperative for Corporation to adopt 2FA to prevent phishing attacks.
So that when hackers manage to phish userid and passwords from users - the hackers will not be able to perform eCommerce transactions - because it will need a 2FA to complete the eTransactions - as userid and passwords are not good enough.
As hackers will not have the SMS 2FA or secure-token generated random numbers - such phishing attack will not be successful.
SIA should seriously consider 2FA for eCommerce transactions.
The only problem is --- overseas members will have difficulty using 2FA - as SMS is need to use local telcos and distributing secured token to overseas members will be a challenge. (To mitigate this challenge, a 2FA generated number can be sent to the email of the overseas member).
Jeremey Wong
I am fine with just password but at least need longer password with all the nasty characters mandatory. Must have capital letter la, lower case la, numeric la and strange characters and must be minimum 12 characters for the password.
Ricky Lim ·
Singapore
Jeremey Wong - when a keylogger malware get into your end-device - whether smartphone or your laptop --- no matter how fantastic your password is - is useless.
Eg. a keylogger malware is loaded into your laptop - whatever you type - the keylogger will capture your keystroke one by one - and pipe back to hacker server who can later retrieve your userid and password.
If if you use OTP 2FA (One time password - 2-factor authentication) - even if the keylogger capture your keystroke on the 2FA - the hacker can't use it to login into your account because it is only valid once unlike your userid and password which are used everytime you login.
Ricky Lim ·
Moreover OTP 2FA (sms or secure token) - are randomly generated numbers that cannot be hacked by brute force - because it is time sensitive where the Authentication Servers time must synch with NTP (Network Time Protocol) - where the random generated numbers are only valid within a few minutes time frame that synch with Stratum 0 and 1 of atomic clock of the satellite.
Thus when hackers capture the 2FA - it will not be able to key in faster than the user, also if the user use it once, the hacker cannot use it the 2nd time and also the limited valid time limit to keyin the 2FA is too short for hacker to login.
So in short, 2FA is almost foolproof for eCommerce transaction - and is highly recommended for Corporations that offer eCommerce via the Web.
ビンオマール宗作
Ricky Lim 2FA only goes some way as a solution, but the weakest link is always the user. Did you notice how there are still successful hacking attempts of bank accounts even today with 2FA? A malware on the phone can intercept 2FA smses and send it to an attacker fast enough to let them enter an account, especially if the entire operation is automated. Secure tokens are costly to deploy, and are probably not worth it for SIA to deploy just to protect flyer miles, as they have to foot the bill, or pass it on to the end user. So although 2FA helps as part of a layered approach to security, it is not the silver bullet you make it out to be.
Ricky Lim ·
Singapore
ビンオマール宗作 - If you do your eTransaction with your laptop and receive your 2FA with your handphone - how do hackers reconcile the userid, password with the 2FA whereby laptop is going through internet and sms is going via phone network?
Both internet and voice network are 2 separate network.
Like · Reply · 1m
Ricky Lim ·
Unless you do your eTransaction using your smartphone - by keying in your userid and password and receiving the SMS 2FA on the same smartphone. Then 1 malware in your smartphone can capture both your user credential from Internet and your SMS 2FA from voice network that landed in the same smartphone.
This method is not recommended - because your Andrioid phone or iPhone - will not have sufficient protection as oppose to your laptop.
Security in Android or iPhone are weak - as compare to laptop personal firewall, anti-virus or anti-malware software or security updates.
Moreover, 2FA means using 2 separate devices - and not 1 smartphone to do eTransaction via Internet and receiving 2FA from the voice network in the same devices.
No comments:
Post a Comment