Ask HN: Account Hijacking Risk of Email Accounts and Other Digital Identities
2 by roastedpeacock | 0 comments on Hacker News.
Many online services (relative to the past) have reasonably secure login systems with two-factor authentication using codes, hardware tokens, and so forth. However, one aspect that doesn't get as much attention is how things are handled in cases of failure. Some services err on the paranoid side and strongly incentivize you to have backup methods of recovery (such as backup tokens), or have things become very tricky, which could be considered good from a defense standpoint (Google APP). In contrast, there have been other incidents, such as the owner of the Twitter handle @N having one of his domains hijacked by social engineering of GoDaddy support to pivot to control of his Twitter account [1]. Since then, GoDaddy has fallen victim to other incidents of this nature [2]. Not advocating the use of GoDaddy, but just illustrating these as case studies. GoDaddy isn't alone in this; there have been other attempts at stealing domains with scans of falsified identity documents and similar fraud, as if verifying remote scans of passports from foreign countries were a trivial task [3].

What are some best practices from an OPSEC perspective to mitigate the above risks for higher-risk individuals?

Note: Ignoring the issues of client-side cryptography in JavaScript, the fact that their SMTP gateway could be compromised and logging plaintext, etcetera, would a hypothetical ProtonMail free account with 2FA enabled and password reset disabled fare well enough against some of the above-mentioned attacks? As for the relevance: email is used to "bootstrap" digital identities, and unless services take further precautions to distrust unauthenticated email, there is a fair amount that could be done by an attacker who can send and receive email at your address.

[1] https://ift.tt/1uJGZ1p
[2] https://ift.tt/35RtARz
[3] https://ift.tt/310PcuS
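The question turns on one mechanism: whether a service lets control of the mailbox alone finish a password reset. The following Python model is an added example, not code from the original post and not how ProtonMail, GoDaddy or any other named service implements recovery. It assumes hypothetical `Account` and `RecoveryService` types, a constructed victim account and attacker, and a minimal RFC 6238 TOTP routine; the scenario compares an email-only reset with one that also demands a second factor (TOTP or a single-use recovery code), enforces single-use expiring tokens, and honours a "password reset disabled" setting.

```python
"""Model of account-recovery policy: mailbox-only reset vs. reset gated by a
second factor. Everything here is constructed for illustration."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL = 15 * 60  # reset links expire after 15 minutes (assumed policy)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def _h(value: str) -> str:
    """Only digests of tokens, passwords and recovery codes are stored."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:  # hypothetical type
    email: str
    password_hash: str
    totp_secret: Optional[bytes] = None
    recovery_code_hashes: set = field(default_factory=set)
    reset_enabled: bool = True  # False models "password reset disabled"


class RecoveryService:  # hypothetical type
    def __init__(self, accounts, *, require_second_factor: bool, clock):
        self.accounts = {a.email: a for a in accounts}
        self.require_second_factor = require_second_factor
        self.clock = clock  # injectable so expiry can be exercised
        self._pending = {}  # sha256(token) -> (email, expiry)

    def request_reset(self, email: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None or not acct.reset_enabled:
            return None  # a real service would answer identically either way
        token = secrets.token_urlsafe(32)
        self._pending[_h(token)] = (email, self.clock() + TOKEN_TTL)
        return token  # stands in for the e-mail that carries the reset link

    def complete_reset(self, token: str, new_password: str, *,
                       totp_code: Optional[str] = None,
                       recovery_code: Optional[str] = None) -> bool:
        entry = self._pending.pop(_h(token), None)  # single use, even on failure
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        acct = self.accounts[email]
        if self.require_second_factor and not self._second_factor_ok(acct, totp_code, recovery_code):
            return False  # mailbox access alone is not enough
        acct.password_hash = _h(new_password)
        return True

    def _second_factor_ok(self, acct, totp_code, recovery_code) -> bool:
        if totp_code is not None and acct.totp_secret is not None:
            return hmac.compare_digest(totp(acct.totp_secret, int(self.clock())), totp_code)
        if recovery_code is not None and _h(recovery_code) in acct.recovery_code_hashes:
            acct.recovery_code_hashes.discard(_h(recovery_code))  # burn the code
            return True
        return False


def simulate() -> dict:
    """Constructed scenario: the attacker reads the victim's mailbox (gets every
    reset token) but holds neither the TOTP secret nor a recovery code."""
    now = [1_700_000_000]
    clock = lambda: now[0]
    secret = b"constructed-totp-secret"

    def fresh():
        return Account("victim@example.invalid", _h("old-pw"), secret, {_h("RC-ONE"), _h("RC-TWO")})

    r = {}
    acct = fresh()
    svc = RecoveryService([acct], require_second_factor=False, clock=clock)
    r["email_only_attacker"] = svc.complete_reset(svc.request_reset(acct.email), "attacker-pw")

    acct = fresh()
    svc = RecoveryService([acct], require_second_factor=True, clock=clock)
    r["gated_attacker"] = svc.complete_reset(svc.request_reset(acct.email), "attacker-pw")
    tok = svc.request_reset(acct.email)
    r["gated_owner_totp"] = svc.complete_reset(tok, "new-pw", totp_code=totp(secret, now[0]))
    r["gated_token_reuse"] = svc.complete_reset(tok, "again", totp_code=totp(secret, now[0]))
    r["gated_owner_recovery"] = svc.complete_reset(svc.request_reset(acct.email), "pw3", recovery_code="RC-ONE")
    r["gated_recovery_reuse"] = svc.complete_reset(svc.request_reset(acct.email), "pw4", recovery_code="RC-ONE")
    tok = svc.request_reset(acct.email)
    now[0] += TOKEN_TTL + 1
    r["gated_expired"] = svc.complete_reset(tok, "pw5", totp_code=totp(secret, now[0]))

    acct = fresh()
    acct.reset_enabled = False
    svc = RecoveryService([acct], require_second_factor=True, clock=clock)
    r["reset_disabled"] = svc.request_reset(acct.email) is None
    return r


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that the reset token is consumed on the first attempt, successful or not, and that the second factor is checked in constant time; with `require_second_factor=False` the model reproduces the weakness the post describes, where whoever can receive mail at the address owns the account.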