Will 2FA, in general, be bypassed by a stolen passport?

You have a friend called Bob.

You have a copy of Bob’s passport.

Bob uses 2FA for all of his accounts.

Would you, in general, be able to bypass this 2FA and access his accounts, by doing the following:

  • Emailing support

  • Explaining to support that you lost access to your account

  • Sending support a copy of Bob’s passport, claiming that you are, indeed, Bob

Would it be fair to say that the majority of support agents would reset 2FA on Bob’s account?

Phone number stolen. What to do?

It seems a friend of mine got his phone number stolen. Someone got access to his Facebook account (where they tried to post ad campaigns) and to his WhatsApp account. The Facebook security page said his account was accessed using his password and phone validation. This combined with the WhatsApp access is what makes us think they have access to his text messages.

He does not have a smartphone, and he recently got a new phone from a little-known brand (a “Danew konnect 245 Bara”, this phone: https://danew.fr/product/bara-blue/), and he recently spent some time at airports. He says he received an SMS a while back asking him to confirm a new login, but he deleted the message. It was around the time of buying the new phone, but he’s not sure if it was just before or just after.

I’ve read about people transferring your number to other providers to take over access to your phone, but he can still make and receive calls using his phone number. He called his provider and they said he hasn’t requested any new sim card lately, and they couldn’t see any other suspicious activity. His phone (both the old and the new) does not support apps, so he hasn’t installed anything himself. I’ve never heard of copying sim cards through wireless means. Could it be that the new phone is somehow malicious or had a security flaw that allowed this to happen? He bought a new phone now just in case.

To me it sounds impossible that the phone number was stolen considering he can still access it, but I don’t know what else to make of these facts. Could these things have been accessed some other way? And more importantly, what can he do to secure himself now?

Where is the line drawn for ethical hackers using stolen credentials in their paid services?

The very interesting question I have is: when “ethical” hackers/pen testers harvest these repositories of stolen credentials to then use them in pen testing for paying clients, what ethical boundaries are broken? What laws are broken? If a lazy hacker leaves their captured credentials out on an insecure, public-facing server and then an “ethical” hacker grabs them for their own paid services, it seems to me that it’s stealing already stolen goods.

What about a penetration tester taking credentials gathered from a paid/contracted job and adding them to a database to be used in future client jobs?

Do more credit cards get stolen through public WiFi than through data breaches?

I was listening to a podcast the other day which was sponsored by a VPN provider. During the talking points for the advertisement, the host said something to the effect of the following (I’m recalling this from memory, but this is the gist):

Have you ever had your credit card hacked? Be wary of using public WiFi networks when purchasing something, the networks are full of hackers attempting to steal your information. In fact, the number one way that credit card details are stolen is through hackers downloading them via coffee shop wifi. With VPN Provider you can count on a safe experience…

And then goes on to tout the benefits of a VPN. However, this claim doesn’t sit right with me. Are more details stolen through public WiFi interception than, say, data breaches from major retailers? Or is this a case of “coverage bias” where large breaches get more news coverage (and therefore more recognition)?

Security Risk of Stolen Session ID vs Authentication Token

I was intrigued by the discussion of this SO question as well as the accompanying blog post. I’m trying to better understand the mechanics of the two systems, and one of the questions I came up with is how much worse is it to have a token stolen vs. a session ID?

Here’s what I understand so far, and please do correct me if I’m wrong:

A session ID is an opaque reference to actual session data stored on the server. It is safe insofar as it is random enough to not be guessed easily, and the data is safe because it is not directly accessible by or beholden to the front-end. The session ID is stored in a cookie to simplify authenticated requests.

An authentication token is a plaintext segment of JSON user data with a cryptographic signature that verifies the data’s integrity. It is tamper-proof because of the signature, so no one can simply come up with their own token. The data it grants access to is safe on the server, except of course what is present in the token (which even then can be encrypted if need be). The token is also often stored in a cookie to simplify authenticated requests.

So here is what I do not understand. The way I see it currently, it seems just as likely that a token be stolen as a session ID, e.g. anyone breaking past my SSL and viewing my token would be able to view a session ID as well. Either event gives the attacker complete access to my account and all associated authorization. So in terms of the event likelihood and the resulting damage, is an authentication token really any worse than a session ID, as the article claims?

The one thing I could see potentially being worse for tokens is if the signing secret were somehow found out, in which case the attacker can do anything with anyone’s account, rather than just mine. However I almost want to relegate this to the reasonable unlikelihood of someone first breaking RSA, in which case they can get past SSL, and then what good is a session ID anyway?
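As an added illustration of the two mechanisms described above (not code from the linked question, the blog post, or any library), the following Python contrasts an opaque session ID looked up server-side with an HMAC-signed JSON token; the in-memory store, the secret and the claims are constructed here for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# --- Opaque session ID: the cookie carries only a random handle; data stays server-side ---
SESSIONS = {}  # constructed in-memory store; a real deployment would use a DB or cache

def create_session(user):
    sid = secrets.token_urlsafe(32)   # 256 bits of randomness: not practically guessable
    SESSIONS[sid] = {"user": user}
    return sid

def lookup_session(sid):
    return SESSIONS.get(sid)          # an unknown or guessed ID simply misses

# --- Signed token: the claims travel in the cookie; the HMAC protects integrity only ---
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims, secret):
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_token(token, secret):
    """Return the claims if the signature matches, else None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    return json.loads(_unb64(payload))

def peek_claims(token):
    """Anyone holding the token can read its claims; the signature only stops edits."""
    return json.loads(_unb64(token.split(".")[0]))
```

Stealing either value grants the same account access; the difference the question is circling is that the token's claims are readable in transit and that one leaked signing secret affects every user, whereas a leaked session store affects only the sessions it holds.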

Can a stolen Android phone with USB debugging enabled have screen lock bypassed?

My Android (8.0) phone was pickpocketed from me yesterday; it was immediately turned off by the thief, and when I tried to locate it using Find My Device it showed as offline.

As a programmer and a security enthusiast, I started to worry about what data can be vulnerable on the phone. I had a screen lock on but it didn’t have full-disk encryption enabled (my bad, I know).

I saw on the internet that people can bypass the screen lock using fastboot and deleting some files. Is this only for rooted phones, or am I vulnerable too?

I probably had USB Debugging enabled as I developed an Android app in the past and tested it on my device (although I remember that you must trust the computer before using it; does it make the phone vulnerable?).

My phone wasn’t rooted though, so I believe that for the thief to bypass the screen lock they would need to unlock my bootloader which would definitely wipe my data.

I’m only worried about the data, if the only way to bypass the screen lock would be to wipe the data, then I’m ok.

What are your thoughts on this?

Is this an adequate outline for a basic filter to prevent testing of stolen credit card numbers on my credit card charge script?

I have a web store with Stripe integration that has been used by one or more individuals to test stolen credit card numbers. Their method of testing the cards is to direct a large number of charge attempts at my credit card charge script both in a short period of time and over many days.

I can do some PHP scripting but am not a full-time or formally-trained developer and so want to stop the fraudulent use of my Stripe account in a manner that keeps things as technically simple as possible for me.

My plan is to develop an IP-based filter for my credit card charge script. Below is my general concept for the filter.

  1. Create a MySQL database with fields for IP, date of this IP’s last charge attempt, number of charges by this IP today, all-time total number of charges by this IP and blocked user.

  2. When someone makes a charge attempt, before sending it to Stripe, check whether their IP is already in our database of IPs that have made a charge attempt in the past.

    A. If the IP is not in our database, add it to the database and allow the charge attempt to be sent to Stripe.

    B. If the IP is in our database, check to see if the blocked user field is set to “yes”. If so, do not allow the charge attempt and present an error message to the user.

    C. Check to see if the date of this IP’s last charge attempt is today.

    i. If the IP’s date of last charge attempt is not today, store today’s date in the date of this IP’s last charge attempt database field, set the number of charges today to 1, and allow the charge attempt to be sent to Stripe.

    ii. If the date of last charge attempt by this IP is today, increment the number of charges by this IP today database field. If the number of charges hits a predetermined limit, do not allow the charge attempt and present an error message to the user. If the number of charges by this IP today is below the predetermined limit, do not block the charge attempt.

    iii. Increment the all-time total number of charges by this IP field. If the number of charges hits a predetermined limit, do not allow the charge, present an error message to the user, and set the blocked user field to “yes” for this IP. If the all-time total number of charges by this IP is below the predetermined limit, allow the charge attempt.

The above filter concept assumes individuals testing stolen credit card numbers will not be able to frequently change their IP to circumvent this primitive rate limiter. Is this a safe assumption? Are there any other potential problems with the above approach or better ways to do this?
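An added Python sketch of the filter outlined above (not the asker's PHP, and nothing from Stripe): it keeps the per-IP rows in a dict instead of a MySQL table and uses constructed thresholds, but follows steps 2A to 2C.iii, including the day rollover and the permanent block.

```python
from dataclasses import dataclass, field

DAILY_LIMIT = 5       # constructed thresholds; tune to real customer behaviour
ALL_TIME_LIMIT = 20

@dataclass
class IpRecord:
    """One row of the proposed table, keyed by client IP."""
    last_attempt: str          # ISO date of the last charge attempt
    today_count: int = 0
    total_count: int = 0
    blocked: bool = False

@dataclass
class ChargeFilter:
    records: dict = field(default_factory=dict)

    def allow(self, ip, today):
        """Return (allowed, reason); call this before forwarding the charge to Stripe."""
        rec = self.records.get(ip)
        if rec is None:                               # step 2A: first sight of this IP
            self.records[ip] = IpRecord(today, 1, 1)
            return True, "new ip"
        if rec.blocked:                               # step 2B: previously blocked
            return False, "ip blocked"
        if rec.last_attempt != today:                 # step 2C.i: new day, reset counter
            rec.last_attempt, rec.today_count = today, 0
        rec.today_count += 1                          # step 2C.ii: daily limit
        if rec.today_count > DAILY_LIMIT:
            return False, "daily limit"
        rec.total_count += 1                          # step 2C.iii: all-time limit
        if rec.total_count > ALL_TIME_LIMIT:
            rec.blocked = True
            return False, "all-time limit, ip blocked"
        return True, "ok"
```

Because every counter is keyed on the IP alone, each new address starts with a clean record, which is exactly the assumption the question asks about; also take the IP from the socket or from a proxy header only your own proxy sets, since a client-supplied header would let the key be chosen freely.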

When credit card tokens are leaked / stolen, what can the attacker do with them?

I’m implementing an online payment system relying on an external payment processor handling all credit card entry. We only see and store card tokens (not the actual card numbers), which we then use to charge another month’s worth of subscription.

If an attacker got his hands on our DB of tokens, what could he do with them? Worst case scenarios welcome.

(Note – this has been answered as part of Storing credit card token, but the question was closed. I think it’s important enough to deserve a question of its own.)