Wednesday, December 5, 2018

Mistake by Two Factor Authentication Company Compromises Users via SMS

Most of us use two-factor authentication at least some of the time with some of the websites we work with. Banking sites, Google, Apple, and others use this process to help prevent data theft.
In a nutshell, you log into a site and, before you can access your info, the site sends you a text message with a multi-digit “security code” that you must enter before the website will let you in. Since most of us live and die on our phones nowadays and always have them with us, sending a message to your phone is a pretty good way of confirming your identity.
That is, it’s a pretty good way IF the company providing the security code is practicing good security themselves.  However, a recent case has come to light where just the opposite was happening.
It seems that a company called Voxox is one (of many) companies that act as a “gateway” which sends the two-factor codes to the user’s phone. The idea, of course, is that the two-factor process gives better confirmation that the person requesting access to the site is indeed the individual who should have access. It’s another link in the security chain that helps prevent data and identity theft. Now, thanks to security researcher Sebastien Kaul, it has come to light that Voxox had made a critical mistake in safeguarding the data of the individuals requesting the two-factor authentication.
What Kaul discovered is that Voxox had a database of over 26 million text messages sitting on a server. The database was neither encrypted nor password protected.
The information contained passwords in plain text, account security codes, package tracking info, medical appointment reminders, and more.
The communications were from companies the likes of Google, Microsoft, banks, medical institutions, and others.
According to TechCrunch, “Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used.” 
When notified, Voxox promptly removed the database. The problem here is that even if users practice *perfect* security, we are still at the mercy of people further downstream from us. Obviously, the best course for anyone is to remain “security vigilant”, but also to be aware that even with our best efforts, leaks are possible. A tip of the electron to Sebastien Kaul for discovering this and helping to make sure the info was secured.
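The exposed records kept the full message text next to the recipient's number, which is exactly what a delivery log does not need. As an added illustration (not Voxox's code, and the key, patterns and field names are assumptions), here is how a gateway could keep a troubleshooting record while never storing one-time codes, passwords or full phone numbers in the clear:

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Hypothetical per-deployment secret; in practice fetched from a KMS/HSM, never hard-coded.
LOG_KEY = b"example-key-not-for-production"

# Secrets that have no business surviving in a delivery log.
CODE_RE = re.compile(r"\b\d{4,8}\b")                            # one-time security codes
PASSWORD_RE = re.compile(r"(?i)(password|passcode)\s*(is|:)\s*\S+")  # "password is ..." style messages


def redact_body(body: str) -> str:
    """Return a log-safe preview of an SMS body with codes and credentials removed."""
    body = PASSWORD_RE.sub(lambda m: f"{m.group(1)} {m.group(2)} [REDACTED]", body)
    return CODE_RE.sub("[CODE]", body)


def mask_recipient(number: str) -> str:
    """Keep only the last four digits, enough to match a customer complaint."""
    return "***-***-" + number[-4:]


def delivery_record(customer: str, shortcode: str, recipient: str, body: str,
                    sent_at: datetime, retention_days: int = 7) -> dict:
    """Build the record the gateway retains: routing metadata, a keyed digest of the
    body (so a disputed message can be verified without storing it), a redacted
    preview, and an expiry so the log does not grow into a 26-million-row archive."""
    digest = hmac.new(LOG_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "customer": customer,
        "shortcode": shortcode,
        "recipient": mask_recipient(recipient),
        "body_hmac": digest,
        "preview": redact_body(body),
        "expires_at": (sent_at + timedelta(days=retention_days)).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample, modelled on the kinds of messages described above.
    rec = delivery_record("ExampleBank", "12345", "+15555550309",
                          "Your ExampleBank security code is 482913",
                          datetime(2018, 11, 15, tzinfo=timezone.utc))
    print(rec)
```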
