Wednesday, April 18, 2018

Singapore Airlines investigating after woman loses 76,000 KrisFlyer miles in alleged hack
Read more at https://www.channelnewsasia.com/news/singapore/singapore-airlines-krisflyer-miles-woman-loses-76-000-hack-10147092

Anthony Chan

In this era, a password is not enough to safeguard any online transaction. Why is SIA not adopting 2FA for their website?
Ricky Lim

For eCommerce transactions, it is imperative for corporations to adopt 2FA to prevent phishing attacks.

So that when hackers manage to phish user IDs and passwords from users, the hackers will not be able to perform eCommerce transactions, because a 2FA code will be needed to complete the eTransactions, as user IDs and passwords are not good enough.

As hackers will not have the SMS 2FA or the secure-token-generated random numbers, such a phishing attack will not be successful.

SIA should seriously consider 2FA for eCommerce transactions.

The only problem is that overseas members will have difficulty using 2FA, as SMS needs to use local telcos, and distributing secure tokens to overseas members will be a challenge.
(To mitigate this challenge, a 2FA-generated number can be sent to the email of the overseas member.)
Jeremey Wong

I am fine with just a password, but at least it needs to be a longer password with all the nasty characters mandatory. Must have capital letters la, lower case la, numerics la and strange characters, and must be a minimum of 12 characters for the password.
Ricky Lim

Jeremey Wong - when keylogger malware gets into your end device, whether smartphone or laptop, no matter how fantastic your password is, it is useless.

E.g. keylogger malware is loaded onto your laptop: whatever you type, the keylogger will capture your keystrokes one by one and pipe them back to the hacker's server, where the hacker can later retrieve your user ID and password.

If you use OTP 2FA (one-time password, 2-factor authentication), even if the keylogger captures your keystrokes on the 2FA, the hacker can't use it to log in to your account because it is only valid once, unlike your user ID and password which are used every time you log in.

Ricky Lim

Moreover, OTP 2FA codes (SMS or secure token) are randomly generated numbers that cannot be hacked by brute force, because they are time sensitive: the authentication server's time must sync with NTP (Network Time Protocol), and the randomly generated numbers are only valid within a time frame of a few minutes that syncs with Stratum 0 and 1 of the satellite's atomic clock.

Thus when hackers capture the 2FA, they will not be able to key it in faster than the user; also, if the user has used it once, the hacker cannot use it a 2nd time, and the limited time window to key in the 2FA is too short for the hacker to log in.

So in short, 2FA is almost foolproof for eCommerce transactions, and is highly recommended for corporations that offer eCommerce via the Web.
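The time window and one-use behaviour described in the two replies above, as an added example that is not part of the comment thread or of any SIA system: a minimal HOTP/TOTP implementation (RFC 4226 / RFC 6238) in Python with a server-side verifier that accepts a code only within a small clock-skew window and refuses any counter that has already been consumed, which is what makes a captured code worthless once the legitimate user has entered it. The shared secret is the published RFC test-vector key, the 30-second step and the one-step skew are ordinary defaults chosen here, and the `TotpVerifier` class and its method names are this example's own.

```python
import hmac
import hashlib
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (an ASCII key, used
# here only so the outputs can be checked against the published values).
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30          # seconds per code, the common default
CLOCK_SKEW_STEPS = 1    # accept one step either side to tolerate client/server drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given 8-byte counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check (example class, not from any real product): the code must
    fall inside the current time window and must never be accepted twice."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, skew: int = CLOCK_SKEW_STEPS):
        self.secret = secret
        self.step = step
        self.skew = skew
        # Highest counter already accepted; anything at or below it is a replay.
        self.last_counter = -1

    def verify(self, code: str, unix_time: int = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        current = unix_time // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than a consumed code: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False  # wrong code, expired window, or replay


if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET)
    now = 59  # RFC 6238 test time; a real server would pass int(time.time())
    code = totp(TEST_SECRET, now)
    print("code:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("second use accepted:", verifier.verify(code, now))
```

The replay check is what makes the "only valid once" claim hold on the server side: without remembering the last accepted counter, a code captured by a keylogger would stay valid for the rest of its time step. The skew window is a trade-off between tolerating clock drift and the length of time an intercepted code remains usable.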
ビンオマール宗作

Ricky Lim - 2FA only goes some way as a solution, but the weakest link is always the user. Did you notice how there are still successful hacking attempts on bank accounts even today with 2FA? Malware on the phone can intercept 2FA SMSes and send them to an attacker fast enough to let them enter an account, especially if the entire operation is automated. Secure tokens are costly to deploy, and are probably not worth it for SIA to deploy just to protect flyer miles, as they have to foot the bill or pass it on to the end user. So although 2FA helps as part of a layered approach to security, it is not the silver bullet you make it out to be.
Ricky Lim

ビンオマール宗作 - If you do your eTransaction on your laptop and receive your 2FA on your handphone, how do hackers reconcile the user ID and password with the 2FA, when the laptop is going through the internet and the SMS is going via the phone network?

The internet and the voice network are 2 separate networks.

Ricky Lim

Unless you do your eTransaction using your smartphone, by keying in your user ID and password and receiving the SMS 2FA on the same smartphone. Then 1 malware on your smartphone can capture both your user credentials from the Internet and your SMS 2FA from the voice network that landed on the same smartphone.

This method is not recommended, because your Android phone or iPhone will not have sufficient protection as opposed to your laptop.

Security on Android or iPhone is weak as compared to a laptop's personal firewall, anti-virus or anti-malware software, or security updates.

Moreover, 2FA means using 2 separate devices, and not 1 smartphone to do the eTransaction via the Internet and receive the 2FA from the voice network on the same device.

Or if a laptop uses a soft token residing on the laptop instead of a separate hard token or a soft token residing on the user's smartphone. Then 1 malware on your laptop can capture both your user credentials from the Internet and your soft-token 2FA that is generated and lands on the same laptop.

Ricky Lim

But if you insist on using a smartphone and not a laptop to do your eTransaction, you can, and still be safe.

(1) Use 2 smartphones, or 1 smartphone and 1 tablet.
(2) Use 1 smartphone or 1 tablet with wifi to access the web page via the Internet, and key in your user ID and password.
(3) Receive your 2FA SMS on another smartphone via your SIM LTE connection through the voice network (not through the internet).
(4) Key in the 2FA on the 1st smartphone or tablet, and complete the web transaction.

Foolproof - silver bullet!

Ben Loho

Ricky Lim, I agree with you. SIA should adopt 2FA. It's now common practice in the US for almost all finance-related transactions.

Ricky Lim

Ben Loho - Yes, 2FA is safe if used correctly.
It will also help to protect SIA customers as well as SIA from suffering any financial loss or loss of reputation due to hackers' actions.
