If you thought you were safe because you use multi-factor authentication (MFA), there is bad news for you: MFA can be broken.
While MFA is still a recommended practice and much safer than a password alone, it does not guarantee your safety. You cannot afford to be complacent.
There are multiple ways to work around MFA:
For example, your SIM can be swapped, which is how the Twitter account of Jack Dorsey was hacked.
Or if the site using MFA is not securely developed, an attacker can bypass MFA anyway and get at your private data.
Finally, the ubiquitous ‘social engineering attacks’ can get you to divulge your information to an attacker voluntarily, enabling them to inject themselves into the MFA cycle.
I do not want you to panic unnecessarily – after all, the FBI still says "Multifactor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks, …". I would only ask you to make note of the caveat. - Sridhar Parthasarathy
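The second bypass in the column above, a site that implements MFA insecurely, is the one a developer can actually fix. The following is an added example, not code from the column or from any of the sites mentioned: a constructed, in-memory login flow in which a correct password alone creates a full session and the OTP step is merely a redirect the client is trusted to follow, next to a hardened flow that issues only a short-lived, single-use pending token until the OTP is verified and caps the number of guesses. The user store, the `OUTBOX` stand-in for the SMS channel, and the time and attempt limits are all assumptions made for the demo.

```python
"""Vulnerable vs hardened MFA login flow (added example; not the column's code).

The vulnerable server treats a correct password as a full login and only *asks*
the client to continue to the OTP step; a client that ignores that hint reads
private data with the password alone. The hardened server creates no session
until the OTP is verified: the password step yields a pending token that only
login_otp accepts, expires, is single-use, and allows a bounded number of guesses.
"""
import hmac
import secrets
import time

# Constructed demo user store (plaintext for brevity; a real site stores hashes).
USERS = {"alice": {"password": "correct horse battery staple"}}
PRIVATE_DATA = {"alice": "alice's address book"}

# Constructed stand-in for the SMS/e-mail channel: the code is "delivered" here
# so the demo can read it the way the legitimate user would.
OUTBOX = {}

OTP_TTL_SECONDS = 120     # assumed lifetime of a pending login
MAX_OTP_ATTEMPTS = 5      # assumed guess budget before the pending login is discarded


def _password_ok(user, password):
    record = USERS.get(user)
    return record is not None and hmac.compare_digest(record["password"], password)


def _send_otp(user):
    code = f"{secrets.randbelow(10**6):06d}"
    OUTBOX[user] = code
    return code


class VulnerableServer:
    """Session exists after the password step; the OTP check only flips a flag
    that no protected endpoint ever consults."""

    def __init__(self):
        self.sessions = {}   # session_id -> {"user", "mfa_done", "code"}

    def login_password(self, user, password):
        if not _password_ok(user, password):
            return {"status": 401}
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "mfa_done": False, "code": _send_otp(user)}
        # The server merely suggests the next step; nothing forces the client to take it.
        return {"status": 200, "session": sid, "next": "/mfa"}

    def login_otp(self, sid, code):
        s = self.sessions.get(sid)
        if s is None or not hmac.compare_digest(s["code"], code):
            return {"status": 401}
        s["mfa_done"] = True
        return {"status": 200}

    def get_private_data(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return {"status": 401}
        # BUG: s["mfa_done"] is never checked, so the password alone is enough.
        return {"status": 200, "data": PRIVATE_DATA[s["user"]]}


class HardenedServer:
    """No session until the OTP is verified; the pending token is not a session."""

    def __init__(self):
        self.pending = {}    # mfa_token -> {"user", "code", "expires", "attempts"}
        self.sessions = {}   # session_id -> {"user"}

    def login_password(self, user, password):
        if not _password_ok(user, password):
            return {"status": 401}
        token = secrets.token_hex(16)
        self.pending[token] = {"user": user, "code": _send_otp(user),
                               "expires": time.monotonic() + OTP_TTL_SECONDS,
                               "attempts": 0}
        return {"status": 200, "mfa_token": token}

    def login_otp(self, token, code):
        p = self.pending.get(token)
        if p is None:
            return {"status": 401}
        if time.monotonic() > p["expires"]:
            del self.pending[token]
            return {"status": 401, "reason": "expired"}
        p["attempts"] += 1
        if p["attempts"] > MAX_OTP_ATTEMPTS:
            del self.pending[token]          # brute force: discard the pending login
            return {"status": 429, "reason": "too many attempts"}
        if not hmac.compare_digest(p["code"], code):
            return {"status": 401}
        del self.pending[token]              # single use
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": p["user"]}
        return {"status": 200, "session": sid}

    def get_private_data(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return {"status": 401}
        return {"status": 200, "data": PRIVATE_DATA[s["user"]]}


def demo():
    """Replays the 'skip the OTP step' attack against both servers and returns
    (vulnerable_leaked, hardened_leaked)."""
    pw = USERS["alice"]["password"]
    v = VulnerableServer()
    vulnerable_leaked = v.get_private_data(v.login_password("alice", pw)["session"])["status"] == 200
    h = HardenedServer()
    hardened_leaked = h.get_private_data(h.login_password("alice", pw)["mfa_token"])["status"] == 200
    return vulnerable_leaked, hardened_leaked


if __name__ == "__main__":
    print("vulnerable leaked, hardened leaked:", demo())
```

The point of the hardened flow is structural rather than a single check: the identifier handed out after the password step is a different kind of object from a session, so there is no protected handler that can forget to test an `mfa_done` flag. Real deployments would also bind the pending token to the client, log the failed attempts, and use a proper TOTP or WebAuthn verifier in place of the constructed `OUTBOX`.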
A massive security loophole at Just Dial has just been discovered. The flaw, found by an independent security researcher, has exposed almost 156 million unique users across the Just Dial ecosystem, which includes its web, mobile website, app and voice
JustDial claims to have addressed this issue.
The Microsoft Threat Intelligence Center (MSTIC) has released a blog post describing an increase in malicious cyber activity from the Iranian group known as Phosphorus. These threat actors are exploiting password reset or account recovery features to take control of targeted email accounts.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the Microsoft blog for additional information.
A vulnerability (CVE-2019-9535) has been disclosed in the macOS terminal emulator iTerm2, according to US-CERT. Visit iTerm2’s downloads page for patch information and additional details.
Dozens of Amazon workers based in India and Romania review select clips captured by Cloud Cam, according to five people who have worked on the program or have direct knowledge of it. Those video snippets are then used to train the AI algorithms to do a better job distinguishing between a real threat and a false alarm.
Twitter admitted to ‘inadvertently’ using data provided for multi-factor authentication for targeting ads. The company did not divulge how long this has been going on or the extent of the misuse of data.
FBI Director Christopher Wray shared cases where the support of technology companies helped law enforcement rapidly identify and rescue children being sexually abused. He then asked for the renewed and ongoing support of the industry in investigations into child pornography, terrorism, and other crimes.
A ransomware victim that paid Bitcoin to unlock his files has enacted sweet vengeance on his attackers, by hacking them right back. As part of his retaliation, German programmer Tobias Frömel (aka “battleck”) released almost 3,000 decryption keys to assist others hit by the Muhstik ransomware, along with free decryption software.