Can the Two Factor Authentication security measure be passed?

So Two Factor Authentication is annoying but safe. It is an extra measure of protection that involves your phone. You simply receive a text with a code, type it in, and then go about your business as usual. It happens with Google, it happens with PayPal, and usually when you try to log in from a location other than your home.

You may think that it’s impossible to get past it, and that since phone numbers cannot be stolen and you always have the phone with you, you’re always safe. Well, think again.

                  PayPal patches flaw that allowed 2FA bypass… again

PayPal released a patch for a vulnerability that a security researcher said allowed him to bypass the payments company’s two-factor authentication in less than five minutes.

Henry Hoggart, a mobile security consultant at MWR InfoSecurity, wrote in a blog post that he recently needed to make a payment from a hotel, but was unable to receive the 2FA code on his mobile phone because he had no service. So he simply used a proxy then replaced “securityQuestion0” with “securityQuestion1” in the post data sent by his browser…

I have good news and good news. The good news is that it’s fixed. The other good news is that we have smart people just like Henry Hoggart working in our favor. They bring awareness and help us avoid unpleasant situations. Alan Pearson was kind enough to name a few of them. You can even follow them on Twitter.

              87 Security Experts You Need to Be Following on Twitter

As computers become exponentially more involved in our everyday working lives, security is an increasing concern.

It’s therefore essential for security conscious individuals to keep up to date with the latest news and trends. Twitter has emerged as an excellent way of doing this. By following a subsection of the biggest influencers in security, you can stay on top of the industry and any pressing developments — which is why we’ve compiled this list. Next to each recommended account, we’ve given a brief bio and explained what it is they Tweet about.

You should check out their profiles; they have some interesting things to tell. I know for a fact that some companies hire them as consultants in the sense that “Hey, we will pay you X amount of money if you can breach our website”, like some kind of “Wanted” post offer. Which is nice. Become a security expert and go out reward hunting.

They are well-paid professionals hired by big companies; some of them have their own business in that area, and some of them are even ex-cyber crooks who vowed to use their skills for the greater good.

Regardless of what they were or weren’t, you can now see them as Internet Detectives who are making the Internet a better place.