It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone. As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system. It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone. As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system. It works too. Figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks. But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone. Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB, and Westpac. Major vendors such as Microsoft have urged users to abandon 2FA solutions that leverage SMS and voice calls. This is because SMS is renowned for having infamously poor security, leaving it open to a host of different attacks. For example, SIM swapping has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victims’ mobile service provider they themselves are the victim and then requesting the victim’s phone number be switched to a device of their choice. SMS-based one-time codes are also shown to be compromised through readily available tools such as Modlishka by leveraging a technique called a reverse proxy. This facilitates communication between the victim and the service being impersonated. So in the case of Modlishka, it will intercept communication between a genuine service and a victim and will track and record the victims’ interactions with the service, including any login credentials they may use). In addition to these existing vulnerabilities, our team has found additional vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web to your android device. If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they’d like automatically onto your smartphone. Experiments revealed a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronize user’s notifications across different devices. Specifically, attackers can leverage a compromised email/password combination connected to a Google account (such as This email address is being protected from spambots. You need JavaScript enabled to view it.) to nefariously install a readily available message mirroring app on a victim’s smartphone via Google Play. This is a realistic scenario since it’s common for users to use the same credentials across a variety of services. Using a password manager is an effective way to make your first line of authentication — your username/password login — more secure. Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly. For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. After this, they can remotely receive all communications sent to the victim’s phone, including one-time codes used for 2FA. Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods. There is more of this post on OUR FORUM.

The European Commission is on the brink of adopting its long-awaited legislation that will require all mobile phones and other electronic devices sold in Europe to have a common charging standard. According to Reuters, the Commission will be ready to present the legislation as soon as next month, which has been hotly debated within its ranks for the past few years. Sources say that the EU executive is now in the process of drafting the new rules, and although the details aren’t clear, they’re widely expected to give the nod to USB-C as the new common standard. Currently, mobile phones sold throughout the 27 countries in the European Union use a hodgepodge of different charging connectors, with Reuters noting that half of the chargers sold in 2018 had a micro USB connector, while 29 percent used USB-C, and 21 percent used Apple’s Lightning connector. The problem with this, as far as EU regulators are concerned, is that it increases the amount of electronic waste as consumers are forced to buy new chargers and discard old ones when upgrading to newer smartphones. According to a resolution passed in late 2019, around 50 million metric tons of e-waste are generated globally per year, with about a quarter of that coming from Europe. The European Parliament describes this as “an unnecessary environmental footprint that can be reduced,” and points to charging accessories as a linchpin of the problem. The resolution, which passed in a 582-40 vote in the EU’s parliament, originally ordered the Commission to adopt new rules by last July, but this deadline was extended as the world wrestled with the global COVID-19 pandemic. Now, however, it looks like they’re finally ready to proceed. Will Apple Actually Ditch Lightning? Firstly, if you’re hoping that this will prompt a wholesale switch to USB-C on Apple’s next-generation iPhone models, we’d suggest not holding your breath. Like most of these kinds of regulatory laws, these get implemented at the speed of government, which means that it could be years before Apple is actually forced to make a change — by which time Apple will likely have released its much-rumored portless iPhone, and wired charging ports will be a thing of the past. To be fair, the European Parliament also recommended that the Commission regulate wireless chargers to ensure that they’re completely interoperable, but this is far less of an issue, as it’s already covered by the Qi standard, and even Apple’s MagSafe charging technology remains fully Qi compliant — just at lower charging speeds. It’s unlikely that the EU will go so far as to mandate minimum power levels for Qi charger compatibility. To give you an idea of how slow the EU moves in this area, however, it’s worth considering that the European Union has been pushing for a common charging standard for well over a decade already, although back then it expected companies to voluntarily comply with its standards, which were published back in 2010 and mandated micro USB as the common charging standard. Apple actually signed on to this “voluntary memorandum of understanding” back in 2009, but it also arguably cheated a bit. Instead of putting micro USB directly into the iPhone, it forged ahead with its proprietary Lightning connector and offered a $19 Lightning to Micro USB Adapter to satisfy the European Union’s requirements. It remains to be seen whether Apple would get with pulling a similar trick this time around, but several Members of the European Parliament (MEPs) saw through Apple’s game last time, and have begun calling for ”binding measures” that would force all devices sold in the EU to directly support the same chargers. For its part, Apple has naturally been vocal in opposing the legislation, suggesting that it would “freeze innovation” and be “unnecessarily disruptive” for consumers. Apple does have a point, to be fair, since it’s sold over a billion Apple devices with Lightning connectors over the past nine years, and there’s still a sizeable market of third-party accessory makers that build their devices for the Lightning port. Want more, visit OUR FORUM.