Keep your accounts safe!

Hi All,

There has been a security incident, thankfully not with the site, but with a member of our forum.
They had their emails compromised by malware, and had various accounts taken over.

I helped them as best I could to get back into things but not much else could be done besides reaching out to the authorities. So I wanted to make this announcement to bring this to your attention.

How to prevent unauthorized access to my accounts

Firstly, do not install anything from these places (they are malware distributors):
hxxps://vespersgame.com
hxxps://averond.com

Secondly, set up MFA and passkeys.
Passkeys are the single most effective way to secure any account.
You should have them. Most password managers support them, and this forum supports passkey authentication. There is no reason for your accounts to be stolen on this forum.

Should I do a QnA on discord?
  • Yes
  • No
0 voters
11 Likes

2FA not enough? What was the method that took over accounts? How did the attacker gain access to the passwords by malware?

I won’t go into details for privacy reasons, but just so you know, MFA is vulnerable to phishing.
Reverse proxy phishing (which is becoming more common) is becoming easier and easier to do, and MFA is specifically targeted by that.

Passkeys are the ONLY way to guarantee safety from phishing. Passkeys are also by design resistant to malware, since a part of passkeys requires the user to intentionally authenticate (fingerprint/button/Face ID/etc.).

MFA is not enough. Use passkeys.

3 Likes
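As an added illustration of why the reverse proxy phishing described above fails against a passkey (constructed example code, not the forum's software or any library's implementation): the browser writes the origin it is really loaded from into clientDataJSON, the authenticator signs over that together with the RP ID hash, and the relying party refuses anything whose origin or RP ID does not match. The authenticator is modelled with HMAC instead of a real ECDSA key, and `forum.example` / `forum-login.example` are assumed names.

```python
import hashlib, hmac, json, os, secrets
RP_ID, RP_ORIGIN = "forum.example", "https://forum.example"   # constructed RP, assumptions

class ToyAuthenticator:
    """Stand-in for a passkey device; HMAC with a device-only key models its private-key signature."""
    def __init__(self):
        self.key, self.counter = os.urandom(32), 0
    def assertion(self, client_data: bytes, rp_id: str, user_present: bool = True):
        self.counter += 1                              # signature counter (clone detection)
        flags = 0x01 if user_present else 0x00         # WebAuthn "user present" flag
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([flags]) + self.counter.to_bytes(4, "big"))
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.key, signed, "sha256").digest()

def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """The browser, not the user, records the origin the page was really served from."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()

class RelyingParty:
    def __init__(self):
        self.pending, self.creds = set(), {}       # live challenges; cred id -> [key, counter]
    def register(self, cred_id: str, auth: ToyAuthenticator):
        self.creds[cred_id] = [auth.key, 0]
    def challenge(self) -> str:
        c = secrets.token_urlsafe(32); self.pending.add(c); return c
    def verify(self, cred_id: str, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get": return "wrong type"
        if cd.get("challenge") not in self.pending: return "unknown or replayed challenge"
        if cd.get("origin") != RP_ORIGIN: return "origin mismatch"   # reverse proxy phishing dies here
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest(): return "rpIdHash mismatch"
        if not auth_data[32] & 0x01: return "no user presence"        # the touch / Face ID step
        key, last = self.creds[cred_id]
        expect = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        if not hmac.compare_digest(expect, sig): return "bad signature"
        counter = int.from_bytes(auth_data[33:37], "big")
        if counter <= last: return "counter went backwards (cloned credential?)"
        self.creds[cred_id][1] = counter
        self.pending.discard(cd["challenge"])                         # challenges are single use
        return "ok"

def login(rp: RelyingParty, auth: ToyAuthenticator, page_origin: str, user_present: bool = True) -> str:
    """One login from a page at page_origin, which may be a phishing proxy in front of the RP."""
    chal = rp.challenge()
    cd = browser_client_data(page_origin, chal)
    auth_data, sig = auth.assertion(cd, RP_ID, user_present)
    return rp.verify("cred-1", cd, auth_data, sig)
```

A real browser would additionally refuse to produce the assertion at all, because the proxy's domain does not match the RP ID; the server-side check is the second line of defence.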

Session tokens are wild.

It all boils down to a primary refresh token. That’s a secret JWT (JSON Web Token) that you store locally that can create new keys to pass cryptographic challenges. If that’s stolen, it’s really easy to persist in a login. This is why you should invalidate sessions when there are unfamiliar traits about logins.

1 Like

To be clear, the safest method is to add a passkey and just remove password usage on here in general?

Not exactly. You can keep the password/MFA for break glass access. But whenever possible, always use a passkey for authentication. Passkeys by design replace passwords and MFA.

The logic and reasoning for why are a bit complicated, but tl;dr: MFA doesn’t mean what you think it means, and passkeys by design fulfill 2 or all of the factors depending on implementation.

Crazy that half of the people don’t want me to do a Q n A on security.

As a no voter myself.
My experience is that people don’t want MFA. It is annoying and complicated.
I know it is neither annoying nor complicated. But from the perspective of the average user, it is.

Why do I need to protect my email? I don’t have anything important in there?
Except it being the default mechanism for most services to reset your password? Including financial services?

Same argument with using a password manager. If I can remember the passwords, or I can write them in a notebook, why would I need a password manager?

Security is incredibly important. But either people already use “secure” methods, or they don’t care enough to actually get started changing habits. As long as services don’t enforce MFA, it won’t be adopted.

Ain’t that the truth. I should consider it; not sure if I can beyond admins. I’ll have to check.
The Q n A was to do an education on authentication security. I do this professionally. (I do contract ISO 27001 training.)

I do the training quite a bit differently though. I teach basic cryptography and how authentication works to average people. I do it from a threat modeling perspective to help normal people understand the issues. It’s quite successful; I often convince orgs to adopt USB keys and get them to proactively work on their authentication security.

One of the things I also do is demonstrate how certain attacks work, so they know why certain rules exist, like “why I can’t click on the link” (it’s because of reflected XSS).

I also implemented MFA with various methods and user communication for ISO 27001, CRITIS and now NIS2.
But people see company/business differently from private.
As long as there is no enforcement, it will be ignored.
Even if there is a popup recommending setting it up every time you log in, it becomes a habit to close that popup instead.

I see little hope in getting people to adopt MFA into their habits.
Even just things like Windows Hello, which can make it more comfortable to log into Windows, are getting ignored.

Passkeys are amazing. But handling that with multiple devices requires setting up a passkey per device, a hardware key, or a password manager with cross-device support, making that a usability barrier for many people. And because of this it should, in my opinion, never be the only way of signing into a service.
But this is probably already going too far for the average user :smiley:

Bit off-topic. A fun exercise to get into programming is writing proof-of-concept exploits for well documented vulnerabilities and testing them on test setups. That is how I am starting to practically learn Python.

Yeah, it looks like I can enforce MFA. Looks like I’m going that direction.

2 Likes

Do you know of what software was malicious that those sites distributed? I’d check out those sites myself but I make a point of not walking into live firing ranges

The games themselves.

Yea, I literally just lost my whole Google account of 15 years and have no way to recover 600 passwords and 60000 photos cause I had my shit hacked and then something uploaded to my account :expressionless_face:

1 Like

Still don’t know how to use a passkey if I am not at home and connect remotely. Not possible? Another device is fine, just not BT.

Password managers support syncable passkeys. You can test it out at https://www.passkeys.io
That is a test site for enrolling and using passkeys.

Passkeys are a part of MFA.
It handles the randomized portion of this authorization. It’s essential to have such a part when implementing MFA. It’s meant so that a passkey only works at 1 place, and 1 place only. Which means even if the connection is hijacked, they cannot extend the scope.

However, in regular situations passkeys are only useful during authorization (you even authorize the login), but are not foolproof when the authorization isn’t required. Usually once logged in, these are never checked.

Everything with browsers relies on session cookies, usually combined with an IP. For a compromised device this is trivial to catch/mimic. And you can do a lot of actions with these. Passkeys won’t help if they aren’t requested.

And you cannot expect people to use a passkey constantly. And that’s where the internet is vulnerable.
This is why good encryption repeatedly alters the key to communicate with, as this behaves a bit more like a passkey then (it doesn’t prevent decryption, but it does prevent authorization if you don’t have the latest key).
And yes, CSRF is one of these methods, but it’s not the only one, and it’s still ineffective when the device is compromised.

MFA says multiple, without any number, because it’s meant to contain as many as possible. And this includes:

  • Something you know (password, token, or anything basic that needs to be repeated as an identifier)
  • Something you have (you don’t want anything on a single device; you need something disconnected to perform the 2nd ‘password’-like check)
  • Something that identifies the action (if actions are anonymous, you might cause someone to hijack the sent key and use it somewhere else. So the verification must only work on the target. Passkeys are very efficient here)

If any of these is missing, MFA breaks. It’s also worth noting: there are no biometrics here. And this is because while it’s now hard to crack, it’s a hijackable feature that might be spoofable, and therefore will only work like a password. And without alterations being possible, it’s a weakness in MFA, because once known, it’s permanent. A password can be changed, a fingerprint can’t.

A lot of tools are made to help with this. This is why your phone can use biometrics instead of a password. Websites use CSRF to identify the action. Codes are sent to mail to try to cover the ‘something you have’ (which these days is deemed weak because it’s usually the same device).

But in short, stating passkeys as safe is giving false hope.
You can still do a lot of damage without needing these, because social engineering can often be done without these. All it takes is 1 DM to an admin, as a moderator, to potentially mislead someone. The moderator might have logged in once, using a passkey, but after the login, on a compromised device, you essentially give the hacker a huge amount of options.

Passkeys are just a layer within MFA. And yes, in critical situations, MFA is usually not enough.
Most companies for critical things rely on multi-person authorization instead. No one can take a step alone; someone always needs to authorize it a 2nd time. And even here, it has proven to still often fail.
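The session-cookie point above (and the earlier remark that a stolen refresh token is enough to persist) is usually countered on the server by binding each session to the client traits seen at login and dropping the user's sessions on a mismatch or on expiry. The following is an added example, not the forum's software; the "same /24 (or /64) and same User-Agent" policy and the 30-minute idle / 8-hour absolute limits are assumptions a real deployment would tune.

```python
import hashlib, secrets
from ipaddress import ip_address, ip_network

class SessionStore:
    """Server-side session table: the browser holds only an opaque random token,
    the server keeps the client traits seen at login and re-checks them per request."""
    def __init__(self, idle_limit: int = 30 * 60, absolute_limit: int = 8 * 3600):
        self.sessions = {}                      # sha256(token) -> session record
        self.idle_limit, self.absolute_limit = idle_limit, absolute_limit

    @staticmethod
    def _key(token: str) -> str:
        # Store a hash, so a leaked session table does not hand out live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)       # 256 bits, unguessable
        prefix = 24 if ip_address(ip).version == 4 else 64   # assumed "same network" policy
        self.sessions[self._key(token)] = {
            "user": user, "net": ip_network(f"{ip}/{prefix}", strict=False),
            "ua": user_agent, "created": now, "seen": now}
        return token

    def use(self, token: str, ip: str, user_agent: str, now: float) -> str:
        """Validate a request carrying `token`; returns "ok" or the reason it was refused."""
        key = self._key(token)
        s = self.sessions.get(key)
        if s is None:
            return "no session"
        if now - s["created"] > self.absolute_limit or now - s["seen"] > self.idle_limit:
            del self.sessions[key]
            return "expired"
        if ip_address(ip) not in s["net"] or user_agent != s["ua"]:
            # Unfamiliar trait: assume the token was stolen and drop every
            # session of this user, the thief's included, forcing a fresh login.
            self.revoke_user(s["user"])
            return "revoked: unfamiliar client"
        s["seen"] = now
        return "ok"

    def revoke_user(self, user: str) -> int:
        """Also the right call after a password change or a new passkey enrollment."""
        doomed = [k for k, s in self.sessions.items() if s["user"] == user]
        for k in doomed:
            del self.sessions[k]
        return len(doomed)
```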

This is really bad misinformation. Please take some time to read RFCs.

No, FIDO2 credentials can be a factor; passkeys are a separate protocol. They replace MFA because part of their protocol is to enforce MFA as part of its own standard.

Passkeys rapidly evolved from being one thing to another.

No, MFA is a layer in Passkeys

The passkey protocol enforces 2 or more of the factors by design. Read the RFC.

MFA is a term, or a concept. It’s not an RFC on its own.

And of these there are many RFCs that state they are MFA. FIDO is just one of the very first to implement this idea that got broad enough. The term states it’s authentication/authorization using multiple factors. It’s extremely broad, and on that often a useless distinction, as it doesn’t say anything about what is being used exactly and how safe it is. This is where RFCs try to make implementations which do ensure it’s safe.

The misinformation from my side is that it has fixed standards (it doesn’t, except there just being multiple factors). Those examples of factors came from things like FIDO, as that was generally deemed a good set of layers to separate things that often can be handled without overlap.
But even then, it’s still deemed good practice to have such a list of vectors for potential attacks, and methods that can isolate those. That’s why I still gave the example.

Passkeys are just a single factor in the authentication/authorization. And yes, that they enforce 2 factors is part of their design. But as they do implement and enforce the 2, you can call it MFA on its own. As in the end, it does implement that.

But it’s still just a subset of MFA, as any authentication that has multiple factors is MFA. That’s why I say it’s part of MFA. You can still add an extra layer to passkeys to improve MFA, but the other way around doesn’t work (you can’t remove a factor, as then it’s no longer MFA).

Passkeys aren’t mandatory at all for MFA, and something better can still be invented. Passkeys are just an implementation of MFA.

MFA is ancient as a concept. Banks used this for a long time where you had a login password, and the site generated a ‘random’ code, for which you did have a list of answer codes. This 2nd list was the extra factor, as it implemented an ‘unpredictable’ 2nd code, which usually involved that you had to have something that a ‘hacker’ wouldn’t have.
It’s still MFA, but extremely weak.