Black Lives Matter

5.4K posts

@conorgil

he/him. Usable security & privacy engineer🤓 Podcast host🎙Co-creator https://t.co/QA7rVh6azR💡CS PhD student @Berkeley_EECS👨‍🎓Formerly @virtruprivacy 📧

Berkeley, CA · Joined April 2009
1.1K Following · 959 Followers
Black Lives Matter retweeted
Wei Xu @cocoweixu
I am recruiting 1~3 PhD students in CS or ML to join NLP X lab at Georgia Tech. Topics include but not limited to: (1) multilingual multimodal LLM (2) RLHF, text generation models (3) NLP+X (X = privacy, science, etc) Apply by Dec 15: cc.gatech.edu/prospective-gr… (📷Colin Gough)
Michal Špaček @spazef0rze
Something I didn't expect to see in 2023: enter your banking username and password and a code if required so we can automatically log in for you and find your account number. We'll delete it, we promise🤞
Black Lives Matter retweeted
Securing Bits @securing_bits
Are you implementing 2FA for your mobile or web app? You need to understand the privacy and security risks associated with various 2FA apps. Today's comic is inspired by a recent paper written by @conorgil, Fuzail Shakir, @Noura_7N, and @v0max. 🧵[1/8] #privacy #cybersecurity
Black Lives Matter retweeted
Dave Levin @DistributedDave
Police auction off many of the items they come into possession of. This includes cellphones. In a study led by @stack__trace we asked: are police wiping phones before they sell them? @briankrebs wrote about our study. In this 🧵, I'll give some highlights. krebsonsecurity.com/2023/05/re-vic…
Black Lives Matter retweeted
James Talarico @jamestalarico
Texas Republicans are trying to force public schools to display the Ten Commandments in every classroom. I told the bill author: “This bill is not only un-constitutional and un-American, it’s deeply un-Christian.” #txlege
Black Lives Matter retweeted
J. Alex Halderman @jhalderm
Big news from Chrome Security Team! With HTTPS encryption now nearly ubiquitous, they're finally killing off the browser🔒icon, which tends to give users a false sense of security about other threats. blog.chromium.org/2023/05/an-upd… A huge milestone for web security. h/t @dadrian
Black Lives Matter retweeted
Mysk 🇨🇦🇩🇪 @mysk_co
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices. We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad? Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.

Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.

Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.

The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now.

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security
Filip Gierszewski 💀 @Filip_G_Loco
@mysk_co 'We recommend using the app without the new syncing feature for now.' How can you do it? There is no option in the settings of the app.
Adrian Lovell @adrianlovell
@mysk_co Have you run similar tests on other Authenticators that offer cloud sync?
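Added example, not part of the posts above or of Mysk's analysis: a standard-library sketch of what any party holding an unencrypted copy of a 2FA QR payload can derive from it, following the `otpauth://` URI convention and RFC 6238. The sample URI, issuer and account are constructed; the secret is the RFC 6238 test key, and the function names are this example's own.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample QR payload (not from the page). The secret is the
# RFC 6238 test key "12345678901234567890" in base32; names are made up.
SAMPLE_URI = ("otpauth://totp/ExampleShop:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleShop")

def parse_otpauth(uri):
    """Extract the fields a QR code carries: issuer, account, secret."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    q = parse_qs(u.query)
    label = unquote(u.path.lstrip("/"))
    prefix, _, account = label.rpartition(":")
    return {
        "issuer": q.get("issuer", [prefix])[0],
        "account": account,
        "secret": q["secret"][0],
    }

def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1, the default for otpauth URIs."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper() + pad)
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_view(uri, unix_time):
    """What a sync backend without end-to-end encryption can compute
    from the stored payload alone: which service, which account, and
    the same one-time code the user's device shows."""
    fields = parse_otpauth(uri)
    return {
        "issuer": fields["issuer"],
        "account": fields["account"],
        "code": totp(fields["secret"], unix_time),
    }

if __name__ == "__main__":
    print(server_view(SAMPLE_URI, 59))
```

The code depends only on the stored secret and the clock, which is why a passphrase-derived key applied on the device before upload is the control that keeps a sync provider or an account takeover from reproducing it.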
Black Lives Matter retweeted
Ariana Elena Castillo @arianaelena97
When your institution has a >$50B endowment and accepts an unrestricted $500 million but can’t pay their grad student workers and employees wages that align with cost of living and inflation 💖
Black Lives Matter retweeted
Chris Murphy 🟧 @ChrisMurphyCT
If guns made us safer, America would be the safest place in the world. But the opposite is true. Nowhere else do students, concertgoers and bank patrons get slaughtered on a daily basis. Because as it turns out, it's all the guns that make us so unsafe.
Black Lives Matter retweeted
Mysk 🇨🇦🇩🇪 @mysk_co
As @PrivacyMatters speculated, Authy sends too much analytics for an authenticator app. It associates analytics with the user's ID, which is tied to phone number and email. The analytics include the issuer name of each scanned QR code. Try to use a different #2FA app. #Privacy