I am a developer both professionally and as a hobby and read through the code. In its current state, it is safe, however there have been various instances of obfuscated malicious code being pulled into open source projects via multiple pull, and that code going right under the original author's nose because separately the code is entirely benign. All it would take is the reviewer to overlook a single line and those 2FA codes could be sent directly to a bad actor. When it comes to money, I think it's safe to say that trusting a third party with the security of it isn't the best of ideas. I agree that E*Trade's 2FA system is garbage, and sometimes I have to make multiple attempts with VIP Access, however I would take that slight inconvenience over a potential security threat any day of the week. I hope you aren't taking everything I am saying as a stab at you, I just want people to be cautious when it comes to things like this - I have seen a few horror stories on this subreddit of people's accounts getting hijacked and purchasing random Chinese securities, or wiring money to accounts that don't belong to them.

Not taking anything as a stab, I appreciate a debate - especially about security which is near and dear to me. I recently have started a personal security revamp where I'm using a Yubikey to enhance security into my password database. It's already complicated with oath, totp, keepass, challenge-response, etc. I was happy to find the workaround I posted as a way to have even one less app (or proprietary implementation) to worry about and have a uniform and standard way to protect accounts.

To your second point, if you aren't worried about someone having access to your 2FA keys, why have 2FA enabled?

I was being a bit flippant with that statement. I guess I'd say I'm a lot less worried about just the 2FA being compromised for the exact reason one should use 2FA. I'm generally much more concerned about someone installing a trojan horse on one of my machines and gaining access to my password database. While still a much better idea than one-password-for-everything or writing-everything-on-post-its, I am always concerned a compromised machine will give the 'kitchen sink' to a bad actor.

You're certainly right that one should be concerned about running any unknown application on your computer. I want to make the point that it doesn't matter as much that an unknown application is related to finance/2fa (like this) or is any other application. If someone has installed a trojan horse on your machine, they can hijack any account. If they need the 2FA, they just need you to eventually log in on that machine and then hijack your session. As developers, I think we'd spend about 100x as long setting up any machine or updating -anything- if we needed to manually review the many open source scripts and applications we use daily. At some point you just have to hope for the best that application, OS, drivers are not compromised because you realistically can't review them all individually. It's exhausting and boring to care about security, and people out of necessity have to take a lot for granted. But absolutely, someone posting some script to a finance subreddit does raise red flags and thank you for urging people to exercise caution.

In terms of threat models, the biggest risk here is that Symantec has created a proprietary key escrow wrapper around a public standard OTP algorithm (TOTP). One of the design goals of TOTP is reducing exposure of the private key (the "secret"): the site generates a random secret, then transfers it only once to the client, usually as a QR code to a smartphone. Now the secret only exists on the site and on the client. Login security is stronger than with username/password. A breach at the site might expose all client TOTP secrets, but that's minor compared to the actual client info that might be exposed if the site is breached.

Symantec's VIP explicitly weakens this process: the client requests a key provision from Symantec, who creates the secret, along with a "credential" (8 digits). Symantec sends the secret and credential to the client. The client uses the secret to generate an OTP code, then sends that code and the credential to the site. The next step is unclear, so here's speculation in order from OK to OMG:

Best case: the site sends the credential and code to Symantec, which are roughly equivalent to authentication as username and OTP, and Symantec sends the secret to the site.

Scary case: the site sends the credential to Symantec, and Symantec sends back the secret. This allows a race condition vulnerability similar to the Kaminsky DNS vuln in 2008.