On Sunday, Yahoo launched a new service called “on-demand” passwords, which lets someone log into a Yahoo account using a unique, one-time code that is delivered via text message. It’s basically two-factor authentication without the first step.
Sounds interesting, but it begs the question, how secure are on demand passwords?
The whole point of multi-factor authentication is that if one authentication factor is compromised, access is still protected with an additional authentication factor. If a password is compromised, then a one-time token (delivered via text or a time-based token) protects access. For example, if the smart phone that receives or generates the second authentication factor is lost or stolen, a third party has access to the 2nd factor, but still does not have access to the password (assuming it is not stored clear-text somewhere on the phone).
Password-less authentication is nothing more than traditional “2-factor” authentication minus the password, and if your phone is lost or stolen (or the sim card is stolen), then a hacker would have the ability to receive the Yahoo one-time password and access your Yahoo account.
Yahoo’s one-time password is nothing new, and is less secure than using a complex password in addition to a second authentication mechanism, such as a time-based token or SMS delivered one-time password. If my smartphone were ever lost or stolen, I would rather have the piece of mind that my accounts are protected by a unique and complex password AND a second authentication factor. My recommendation would be to keep your Yahoo password in place, use a password manager, ensure that your passwords meet complexity and length requirements, and always activate 2-factor authentication where available.
IBM has discovered a security flaw that can leave file storage accounts of mobile users open to hackers. The IBM researchers identified sloppy coding in Dropbox’s SDK Version 1.5.4 for Android that caused the vulnerability.
76% of the applications that link to Dropbox accounts using the Dropbox SDK are vulnerable, including other password managers. Keeper does not rely on any 3rd party storage providers and is not vulnerable to this flaw.
Read more here
During a Cybersecurity panel discussion on Tuesday with members of Homeland Security, the theme was not “if you get hacked”, it’s “when you get hacked.” Companies need to start thinking this way, no one is immune to cyber attacks and it’s critical to have cybersecurity prevention tools in place and a plan for when it happens. While most cybercrime issues are preventable, cybercrime affects everyone.
Read more here: http://www.bizjournals.com/boston/blog/techflash/2015/03/homeland-security-official-your-company-might-get.html
Google’s expert team of hackers at Project Zero have discovered a serious flaw in modern DRAM devices. The flaw encourages computer vendors to cough up more information about hardware flaws, and is exploitable on x86 laptops. Google is encouraging vendors to release information about affected devices so that researchers and further evaluate the rowhammer problem.
Read more here: http://www.zdnet.com/article/rowhammer-dram-flaw-could-be-widespread-says-google/
Apple’s latest iOS release includes a fix for the FREAK exploit, which allows hackers to attack encrypted networks, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. Most iPhones and iPads were affected by the bug.
Read more here: http://www.zdnet.com/article/apple-fixes-freak-security-flaw-with-ios-8-2-update/
Here are the top 5 stories from MWC 2015 Day 3:
- Pebble followed up their smartwatch announcement with a Time Steel model with a metal body. The watch will have 10 days of battery life, and run for $299
- Leia is bringing 3D holograms to mobile devices
- Flir One showcased a smartphone dongle with thermal imaging
- Sony’s SmartEyeglass apps were displayed for it’s SmartEyeglass wearable
- Acer debuted a Fitness tracker with the Liquid Leap+
Yesterday, cryptographers discovered a security flaw dating back to the 90’s, that affects OS X, iOS, and Android users on over 64,000 websites. The FREAK exploit allows hackers to force a lower-grade of encryption, so that affected sites (with your personal information) can be cracked within a few hours.
Visit freakattack.com for more info, or click here to see the list of affected sites.
Keeper is not vulnerable to the RSA FREAK vulnerability.
Here are our top 5 developments from Day 2 at MWC 2015:
- Fujitsu showed off a prototype smartphone that uses an infrared camera to scan your irises for your password
- Qualcomm announced ultrasonic 3D fingerprint authentication
- Intel revealed three new mobile chips, the Atom x3, x5, and x7
- BlackBerry showed their new Leap smartphone, a $275 device that claims to have a battery that lasts 25 hours with heavy use
- Silent Circle announced their second-edition Blackphone secure smartphone.
Check back tomorrow for Day 3 updates!
Our team has made it safely on the ground in Barcelona to discover and share the latest technology in the mobile industry.
Here are the top #MWC15 day 1 highlights:
- Huawei announced its Android Wear-powered device, the Huawei Watch. It will have a sapphire glass screen, 6-axis motion sensor and a heart rate monitor
- Mozilla will be launching new Firefox OS phones, planned to launch in 2016
- The HTC One M9 was announced – it will come with a higher quality camera that allows better-quality selfies even when taken indoors
- Samsung revealed the Galaxy S6 and Galaxy S6 Edge, as well as “Samsung Pay”
Check back tomorrow for Day 2 highlights!
Uber is now revealing that their database of over 50,000 drivers was hacked back in May, and they have subpoenaed GitHub to hand over IP addresses of the suspects.
The lawsuit reads, “On or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe used the unique security key to download Uber database files containing confidential and proprietary information from Uber’s protected computers.”
Read more here.