Tag Archives: Google Authenticator

Instagram’s New Security Tools are a Welcome Step, But Not Enough

August 29, 2018

Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. ¬†On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.

Reddit Breach Highlights Limits of SMS-Based Authentication

August 1, 2018

Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.

SSA.GOV To Require Stronger Authentication

May 10, 2017

The U.S. Social Security Administration will soon require Americans to use stronger authentication when accessing their accounts at ssa.gov. As part of the change, SSA will require all users to enter a username and password in addition to a one-time security code sent their email or phone. In this post, we’ll parse this a bit more and look at some additional security options for SSA users.

The Limits of SMS for 2-Factor Authentication

September 7, 2016

A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

Attackers Hit Weak Spots in 2-Factor Authentication

June 5, 2012

An attack late last week that compromised the personal and business Gmail accounts of Matthew Prince, chief executive of Web content delivery system CloudFlare, revealed a subtle but dangerous security flaw in the 2-factor authentication process used in Google Apps for business customers. Google has since fixed the glitch, but the incident offers a timely reminder that two-factor authentication schemes are only as secure as their weakest component.

In a blog post on Friday, Prince wrote about a complicated attack in which miscreants were able to access a customer’s account on CloudFlare and change the customer’s DNS records. The attack succeeded, Prince said, in part because the perpetrators exploited a weakness in Google’s account recovery process to hijack his CloudFlare.com email address, which runs on Google Apps