Crunchy should add 2 step verification
47512 cr points
22 / M / Sweden
Posted 1/6/18 , edited 1/6/18
I've been a member on here for a long ass time now. And I love the site! However, one feature that I really think is missing is 2-step verification!

Why?


2-step verification systems make your account more secure, and it becomes harder to steal someone's account, as in addition to your password you also need a unique code generated on your phone via an app or message that's only valid for a certain amount of time. This means that for a hacker to get access to your account they not only need your password but also your phone, which is far harder for hackers, who often just brute-force passwords or have a keylogger and gain access that way.

I actually had a friend who lost their account on here, and I know that a lot of similar situations would be avoided by having a 2-step verification system before login.
14716 cr points
☆Land of sweets☆
Posted 1/6/18 , edited 1/6/18
In addition to having 2-factor, CR should not use SMS and instead use 2-factor apps, to mitigate the risk of social engineering.


A software developer says a thief siphoned cash from his PayPal account – after a dumbass AT&T rep handed control of his cellphone account to a hacker, thus defeating his two-factor authentication.
...
Williams said the breach occurred last Thursday, when the hacker made multiple calls to AT&T support asking to transfer his account to a new phone. Initially, Williams said, AT&T staffers blocked the attempts when the caller could not give the phone account's correct passcode.

Eventually, however, someone at AT&T relented and, breaking protocol, agreed to reassign the phone to the new SIM card, it is claimed. At that point, the attacker was able to receive text messages to Williams' number on the new phone.

This allowed the attacker to go to PayPal and use the service's two-factor authentication (which sends a one-time code via SMS) to reset the password on his account and take control of that.
...
While SMS two-factor authentication is extremely handy, and blocks the vast majority of account takeovers, it is not infallible – to social engineering and SS7 attacks. Time and time again, we've heard of crooks tricking wireless support staff into handing over control of devices. If you can, now's the time to consider a hardware token or app-based two-factor authentication method.

https://www.theregister.co.uk/2017/07/10/att_falls_for_hacker_tricks/
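The first post describes the mechanism (a code generated on the phone that is only valid for a short time, required in addition to the password) and this post argues for app-generated codes over SMS. The code below is an added example, not anything from Crunchyroll or from the posters, showing what such an app-based check looks like on the server side: RFC 4226 HOTP and RFC 6238 TOTP (the same algorithm authenticator apps use), a password check, and a login that succeeds only when both factors are right. The in-memory user store, the 30-second step, the one-step drift window and the PBKDF2 parameters are assumptions made for the example.

```python
"""Added example: app-based 2-step verification (TOTP, RFC 6238) layered on a password."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

STEP = 30      # seconds each code stays valid (assumed, matches common authenticator apps)
DIGITS = 6     # length of the code the app displays
WINDOW = 1     # accept one time step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time. This is what the phone app computes."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, code: str, at: Optional[int] = None, window: int = WINDOW) -> Optional[int]:
    """Return the time-step counter the submitted code matches (within +/- window steps), or None."""
    if not code.isdigit():
        return None
    if at is None:
        at = int(time.time())
    counter = at // STEP
    for drift in range(-window, window + 1):
        # constant-time comparison so a wrong code leaks nothing about how many digits were right
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return counter + drift
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS: Dict[str, dict] = {}   # constructed in-memory user store for the example


def enroll(username: str, password: str) -> str:
    """Create the account and return the base32 TOTP seed the user loads into their authenticator app."""
    salt = secrets.token_bytes(16)
    seed = secrets.token_bytes(20)            # 160-bit shared secret, as RFC 4226 recommends
    USERS[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": seed,
        "last_counter": -1,                   # highest time step already used for a login
    }
    return base64.b32encode(seed).decode()


def login(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Succeed only if BOTH the password and a fresh, not-yet-used code from the phone are correct."""
    user = USERS.get(username)
    if user is None:
        return False
    # evaluate both factors before deciding, so a wrong password does not short-circuit
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    matched = match_totp(user["totp_secret"], code, at)
    # each code is single-use: reject a replay of a time step already accepted (RFC 6238 section 5.2)
    code_ok = matched is not None and matched > user["last_counter"]
    if password_ok and code_ok:
        user["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    seed_b32 = enroll("alice", "correct horse")
    seed = base64.b32decode(seed_b32)
    now = int(time.time())
    print("password only:", login("alice", "correct horse", "000000", now))
    print("password + code:", login("alice", "correct horse", totp(seed, now), now))
    print("same code again:", login("alice", "correct horse", totp(seed, now), now))
```

The point the thread makes shows up in `login`: a stolen or brute-forced password alone fails, and because the seed never leaves the phone and the server, nothing a carrier support rep can do with the phone number changes the outcome. The replay check matters too: a code observed by a keylogger is worthless once the victim has used it.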



108970 cr points
57 / M / U.S.A. (mid-south)
Posted 1/6/18 , edited 1/7/18

namealreadytaken wrote:

In addition to having 2-factor, CR should not use SMS and instead use 2-factor apps, to mitigate the risk of social engineering.

I have to wonder if a hacker would go to that much trouble to hijack someone's CR account. It isn't nearly as valuable as someone's financial account or even their e-mail account.

47512 cr points
22 / M / Sweden
Posted 1/7/18 , edited 1/7/18

namealreadytaken wrote:

In addition to having 2-factor, CR should not use SMS and instead use 2-factor apps, to mitigate the risk of social engineering.


A software developer says a thief siphoned cash from his PayPal account – after a dumbass AT&T rep handed control of his cellphone account to a hacker, thus defeating his two-factor authentication.
...
Williams said the breach occurred last Thursday, when the hacker made multiple calls to AT&T support asking to transfer his account to a new phone. Initially, Williams said, AT&T staffers blocked the attempts when the caller could not give the phone account's correct passcode.

Eventually, however, someone at AT&T relented and, breaking protocol, agreed to reassign the phone to the new SIM card, it is claimed. At that point, the attacker was able to receive text messages to Williams' number on the new phone.

This allowed the attacker to go to PayPal and use the service's two-factor authentication (which sends a one-time code via SMS) to reset the password on his account and take control of that.
...
While SMS two-factor authentication is extremely handy, and blocks the vast majority of account takeovers, it is not infallible – to social engineering and SS7 attacks. Time and time again, we've heard of crooks tricking wireless support staff into handing over control of devices. If you can, now's the time to consider a hardware token or app-based two-factor authentication method.

https://www.theregister.co.uk/2017/07/10/att_falls_for_hacker_tricks/


Getting people's accounts through social engineering is pretty much only something a hacker will do if it's a well-known target, like YouTubers, where it's actually pretty common. It's also common for banks, where extreme amounts of money are involved, but I highly doubt someone would do that to some random CR user.

If anything, I think CR might go for an app only, due to it being cheaper to have an internal app system than paying for every SMS through a carrier.