A Breach on Multi-Factor Authentication Leads to a Box Account Takeover

According to new research from Varonis, a vulnerability in Box's implementation of multi-factor authentication (MFA) allowed attackers to take over accounts without having access to the victim's phone. Because of the flaw, which was patched in November 2021, an attacker needed only stolen credentials to get access to a company's Box account and steal sensitive information if SMS-based MFA was activated. Box, which says that close to 100,000 firms use its platform, lets users without Single Sign-On (SSO) further secure their accounts with an authenticator app or SMS as the second factor.

How Does SMS Verification Work in Box?

After providing a username and password in Box's login form, the user is redirected to one of two pages:
  • If the user is enrolled with an authenticator app, a form to enter a time-based one-time password (TOTP).
  • If the user has opted to receive a passcode via SMS, a form to enter an SMS code.

A code is delivered to the user's phone when they reach the SMS verification form. To gain access to their Box.com account, they must enter this code.

When a user attempts to log into a Box account, the platform sets a session cookie and redirects to a page where they must enter either a time-based one-time password (TOTP) from an authenticator app (at /mfa/verification) or an SMS code (at /2fa/verification). When a user adds an authenticator app to their account, Box assigns them a factor ID, and from then on the user must enter a one-time password generated by the app in addition to their credentials when logging in.

Researchers from Varonis revealed that an attacker could circumvent MFA for accounts that had SMS-based MFA enabled by abandoning the SMS-based verification step and instead starting the TOTP-based verification flow. By mixing the two MFA modes, the attacker could gain access to the victim's account by supplying a factor ID and code from a Box account and authenticator app that the attacker controls.
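The root cause described above is a verification step that checks only whether the submitted code matches the submitted factor ID, never whether that factor belongs to the user whose session is pending or whether the session was issued that kind of challenge. The following is an added illustration, not Box's or Varonis's code: a minimal TOTP verifier with the flawed check beside a hardened one. The user names, session IDs, factor IDs and secrets are constructed sample data.

```python
import hmac
import hashlib
import struct

# Constructed sample data (hypothetical): which factor belongs to which account,
# and which second-factor challenge the server issued to each pending session.
FACTORS = {
    "f-victim": {"owner": "victim", "secret": b"victim-secret-key-01"},
    "f-attacker": {"owner": "attacker", "secret": b"attacker-secret-key"},
}
SESSIONS = {
    "sess-victim": {"user": "victim", "challenge": "sms"},     # SMS code was sent
    "sess-attacker": {"user": "attacker", "challenge": "totp"},  # TOTP was requested
}


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_vulnerable(session_id: str, factor_id: str, code: str, t: int) -> bool:
    """Flawed check: the code is validated against whatever factor ID was
    submitted. The pending session's user and the challenge actually issued
    are never consulted, so any enrolled factor with a valid code passes."""
    if session_id not in SESSIONS:
        return False
    factor = FACTORS.get(factor_id)
    return factor is not None and hmac.compare_digest(totp(factor["secret"], t), code)


def verify_hardened(session_id: str, factor_id: str, code: str, t: int) -> bool:
    """Hardened check: the TOTP endpoint only completes a session that was
    issued a TOTP challenge, and only with a factor owned by that session's user."""
    sess = SESSIONS.get(session_id)
    factor = FACTORS.get(factor_id)
    if sess is None or factor is None:
        return False
    if sess["challenge"] != "totp":       # an SMS challenge cannot be finished here
        return False
    if factor["owner"] != sess["user"]:   # factor must belong to the pending user
        return False
    return hmac.compare_digest(totp(factor["secret"], t), code)
```

A production verifier would also tolerate a small clock-skew window and rate-limit attempts; both are omitted here to keep the ownership and challenge-binding checks in focus.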

All the talk of mandatory MFA from firms like Salesforce and Google, and a White House executive order requiring it, should not obscure the point that MFA implementations, like any other software, can have flaws. MFA can give a false sense of security: just because MFA is enabled does not mean an attacker needs physical access to a victim's device to compromise their account.

After OTP Issues, TRAI Suspends New SMS Rules For 7 Days

The Telecom Regulatory Authority of India (TRAI) has temporarily suspended its new rules for curbing spam messages, following major disruptions in SMS and OTP deliveries for banking, payment, and other transactions.

In a statement on Tuesday, TRAI said that suspending the new norms would give principal entities time to register their SMS templates so that customers face no inconvenience. Even though telcos had implemented the scrubbing norms, some companies had not adopted them, leading to text messages being dropped and transactions failing.

Telecom operators, meanwhile, said several companies and government bodies faced glitches as they did not register their content template until 7th March despite multiple reminders.

“TSPs (telecom service providers) are following Trai regulations and have activated the due process of content scrubbing to address the issue of unsolicited commercial communication. TSPs have sent various communications to the principal entities to register their content template with TSPs before 7 March,” S.P. Kochhar, director general, Cellular Operators Association of India (COAI) stated.

Millions of mobile phone users faced disruption in receiving OTPs after telecom firms on Monday began enforcing the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), affecting a host of OTP services including banking, e-commerce, and Aadhaar. The new Distributed Ledger Technology (DLT) system was put in place to clamp down on spam messages by making it mandatory to verify every SMS against a registered template.

However, the DLT system disrupted the existing arrangements for delivering OTPs. Services like the Unified Payments Interface (UPI), Aadhaar services, and above all banking services faced major authentication problems on Tuesday. Many customers who tried to check their bank balance could not log in to their mobile wallets because the servers were down. According to sources, at least 40% of the one billion daily average commercial messages were not delivered to their intended recipients.