Pardon the Intrusion #11: No more passwords


Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Here’s a double dose of good news for those who value their personal device security. (So, hopefully everyone.)

First off, Google has open-sourced its security key technology, allowing anyone to build their own hardware security key for the strongest level of two-factor authentication (2FA). Because, as we all know, SMS is no longer a secure means for 2FA.

By opening up OpenSK, Google hopes it will be embraced by the wider community, making it easier to spot bugs, add features, and customize it.

Security keys are phishing-resistant, which means a fake login page can’t use them to hijack your accounts. The underlying principle is based on the FIDO — Fast IDentity Online — standard, which aims to solve the problem of over-reliance on passwords.

Which brings us to the second piece of good news: Apple is the latest company to join the FIDO Alliance, the open industry association that oversees the FIDO standard and already counts Google, Amazon, ARM, and Intel as some of its members.

That’s not all though. The iPhone maker is also proposing a new standard that upgrades the one-time passwords (OTP) that you receive as SMS. We are all aware that SMSes can be hijacked or intercepted, and Apple is aware of that risk.

The solution attempts to reduce the chances of phishing by standardizing the format of such 2FA messages:

747723 is your XYZ authentication code.
@XYZ.com #747723
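To show what the standardized format buys a client, here is an added example (not Apple’s code, nor anything from the newsletter) that parses the two-line message above and releases the code only when the domain bound in the SMS matches the page asking for it. Assumptions: the binding sits on the last line as “@host #code”, the match is an exact case-insensitive host comparison, and only https pages qualify.

```javascript
// Constructed sample message in the format quoted above.
const SAMPLE_SMS = "747723 is your XYZ authentication code.\n@XYZ.com #747723";

// Pull the bound host and the code out of the last line of the SMS.
// Returns null when the message carries no binding (legacy free-form OTP).
function parseBoundOtp(smsText) {
  const lines = smsText.trim().split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  // Assumed shape: "@<host> #<digits>"; the newsletter shows one instance.
  const m = /^@([A-Za-z0-9.-]+)\s+#(\d{4,10})$/.exec(last);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Decide whether an autofill client may hand the code to the page at pageUrl.
// The point of the binding: a look-alike domain never receives the code.
function otpForOrigin(smsText, pageUrl) {
  const parsed = parseBoundOtp(smsText);
  if (!parsed) return { ok: false, reason: "message is not origin-bound" };

  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { ok: false, reason: "unparseable page URL" };
  }
  // Assumption for this example: codes go only to https pages.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "page is not https" };
  }
  const host = url.hostname.toLowerCase();
  if (host !== parsed.host) {
    return { ok: false, reason: `domain mismatch: ${host} vs ${parsed.host}` };
  }
  return { ok: true, code: parsed.code };
}
```

A legacy message with no binding line is still delivered to the user, but the client refuses to autofill it, which is exactly the gap the proposed format closes.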

As it stands, these SMSes come in a variety of text formats.

Switching to a unified format makes it easy for apps and services to automatically extract the OTP from the SMS and complete the login operation without your intervention. All good. But…

Even assuming every company comes aboard for this, there’s a major red flag — SMS text verification is an inherently insecure idea, period.

That Apple is pushing for this standard is baffling, to say the least. What’s more, it does little to disrupt the status quo and steer users (and companies) away from SMS-based authentication. At best, it’s a stopgap solution.

Hopefully, now that Apple has joined the FIDO Alliance, we can soon start taking a step forward in putting passwords to rest.

***

Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.

What’s trending in security?

In the past two weeks, Maastricht University paid 30 Bitcoin in ransom to hackers, a software bug exposed personal identification (CPR) numbers for 1.26 million Danish citizens, and Israel’s election day app had a flaw that potentially allowed access to a database containing the personal info of 6.4 million citizens.

  • Codebreakers ahoy! Jim Sanborn, the man behind the cryptographic sculpture Kryptos, has offered a fresh clue to solve it. It’s a word: “NORTHEAST.” [The New York Times]
  • You can create a virtual traffic jam in Google Maps by walking around the streets with 99 smartphones. [Simon Weckert]
  • The US government claimed Huawei can secretly access mobile-phone networks around the world through “back doors” designed for use by law enforcement. But Huawei has fired back, pointing out that the US itself has a long history of spying on phone networks. [The Wall Street Journal / Huawei]
  • India’s data protection bill seeks to penalize re-identification of user data, even when it’s for purposes of cybersecurity research. [WIRED]
  • How North Korea is evading international sanctions to make money illicitly off the internet — bank theft, cryptocurrency mining, and counterfeit video games. [Recorded Future]
  • The US has charged 4 members of the Chinese People’s Liberation Army (PLA) 54th Research Institute with hacking into Equifax in 2017. [CyberScoop]
  • Online sneaker marketplace StockX finally added two-factor authentication, almost six months after a massive data breach last August. Too bad it’s SMS-based. [StockX]

  • Netherlands-based Maastricht University paid 30 Bitcoin in ransom to hackers — dubbed “TA505” — who encrypted some of its critical systems in a cyberattack late December, as ransomware gangs are increasingly tampering with industrial control systems and dumping stolen data for all to see. [Maastricht University]
  • Cybercriminals are abusing code repository platform Bitbucket to deliver a variety of malware. The malicious repositories have since been deactivated. [Cybereason]
  • Scammers are playing on Coronavirus fears to send malicious phishing emails in an attempt to breach companies. [IBM X-Force / Proofpoint]
  • The Emotet botnet is now leveraging insecure Wi-Fi networks to infect devices that are connected to them, thereby rapidly increasing its spread. [Binary Defense]
  • A software bug that went unfixed for 5 years, between February 2, 2015, and January 24, 2020, exposed personal identification (CPR) numbers for 1.26 million Danish citizens, a fifth of the country’s total population. [ZDNet]

  • Elector, the website for an election app used by Prime Minister Benjamin Netanyahu’s party, Likud, made it possible to view full names, addresses, and identity card numbers of 6.5 million voters. The software error exposed an API that returned the site administrator’s credentials, which could then be used to gain access to the voter registry database. [Internet Israel]
  • Antivirus firm Avast shuts down data collection arm Jumpshot after getting caught amassing and selling users’ browsing habits to its clients. There’s only one word for this: good! [Motherboard / Avast]
  • Facebook, Google, LinkedIn, and Twitter demand Clearview AI stop scraping their social networks to feed the facial recognition tool it pitches to law enforcement agencies. [The Verge]
  • WhatsApp fixed a flaw in its desktop app that allowed access to files on your computer. [TNW via PerimeterX]
  • Google blocked 790,000 potentially harmful apps before they were published to the Play Store in 2019, and prevented more than 1.9 billion malware installs from non-Google Play sources. All that effort hasn’t stopped malware-laced apps from sneaking in, though. [Android Developers]
  • The NSO Group, which makes the Pegasus spyware used by governments to spy on activists, dissidents, and journalists, is under investigation by the FBI. [Reuters]
  • Google’s data export tool, Takeout, suffered from a bug that accidentally delivered users’ private photos to the wrong people. The four-day security lapse in November last year affected “less than 0.01%” of Photos users. [Ars Technica]
  • Facebook left a security flaw open for nine months after it was first raised, which eventually culminated in a data breach impacting 29 million users. [The Telegraph]

Data Point

FBI’s Internet Crime Complaint Center (IC3) published the 2019 Internet Crime Report, and revealed that cybercrime contributed to individual and business losses of $3.5 billion in 2019 alone, up from $2.7 billion in 2018. IC3 received 467,361 complaints, an average of nearly 1,300 every day. Of the age groups impacted, those aged 20 to 29 suffered the least loss, at $174.6 million.

“The most frequently reported complaints were phishing and similar ploys, non-payment/non-delivery scams, and extortion. The most financially costly complaints involved business email compromise, romance or confidence fraud, and spoofing, or mimicking the account of a person or vendor known to the victim to gather personal or financial information,” the report says.

Takeaway: With phishing, smishing (SMS phishing) and pharming (redirecting users to bogus websites) being the most common entry points for cybercrime, it’s crucial that you double-check everything you receive, whether it’s emails or SMSes. Moral of the story: don’t click suspicious links.

That’s it. See you all in a couple of days. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)
