EmailDiscussions.com  

Old 31 Dec 2018, 08:31 AM   #16
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Consider if you only ever use your FIDO U2F key, but for emergency recovery purposes have your phone or a TOTP registered.

If you never lose your key and only use that key, and you never use the TOTP or phone method, then are you safe from MITM attacks?
gardenweed is offline   Reply With Quote
Old 31 Dec 2018, 10:44 AM   #17
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by gardenweed View Post
Consider if you only ever use your FIDO U2F key, but for emergency recovery purposes have your phone or a TOTP registered.

If you never lose your key and only use that key, and you never use the TOTP or phone method, then are you safe from MITM attacks?
That is my understanding.

The issue would be whether your backup phone option could be hacked; Reddit was hacked with an SMS intercept. You want to think about social engineering of someone taking over your phone account. For some, this may be overkill, but for others of us, these are real issues to consider.
ChinaLamb is offline   Reply With Quote
Old 31 Dec 2018, 01:13 PM   #18
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
Quote:
Originally Posted by gardenweed View Post
Consider if you only ever use your FIDO U2F key, but for emergency recovery purposes have your phone or a TOTP registered.

If you never lose your key and only use that key, and you never use the TOTP or phone method, then are you safe from MITM attacks?
Security purists would tell you that your security is equal to the weakest authentication method you allow. It is true that a simple MitM attack may not be possible if the TOTP is not used. However, a targeted attack against you personally may well include taking over your phone number, and using that to gain access to online accounts "protected" by SMS based one time codes or password reset procedures.

For many of us, the risk of a targeted attack is sufficiently low that we do not worry about it. Our main concern is automated attacks that aim to infiltrate accounts with weak security. What you suggest is likely good enough against such attackers.
BritTim is offline   Reply With Quote
Old 4 Jan 2019, 10:59 PM   #19
ioneja
Cornerstone of the Community
 
Join Date: Jul 2011
Posts: 713
Excellent thread, ChinaLamb, thank you!
ioneja is offline   Reply With Quote
Old 5 Jan 2019, 09:25 AM   #20
downthemall
Member
 
Join Date: Oct 2010
Posts: 65
Certificate pinning

What if FastMail app (Android and iOS) did certificate pinning?
downthemall is offline   Reply With Quote
Old 6 Jan 2019, 07:07 AM   #21
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by downthemall View Post
What if FastMail app (Android and iOS) did certificate pinning?
I'm not sure, but I don't think that has anything to do with ending phishing attempts.
ChinaLamb is offline   Reply With Quote
Old 6 Jan 2019, 08:06 AM   #22
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by BritTim View Post
...However, a targeted attack against you personally may well include taking over your phone number, and using that to gain access to online accounts "protected" by SMS based one time codes or password reset procedures.
Presumably that would mean that for that MitM attack to succeed (when they take over my phone number), they are relying on me using the TOTP or SMS method of logging into my account, which they will then intercept - is that right?

But if I only use my FIDO U2F key, then this targeted attack will fail?
gardenweed is offline   Reply With Quote
Old 6 Jan 2019, 12:12 PM   #23
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Check this out... Hackers targeting journalists, including those using 2FA (which is simple 2 factor authentication -- i.e. authenticator codes)...

https://mashable.com/article/hackers.../#K6LfewCAGOql

The group also investigated how the hackers were creating their phishing schemes and noticed that the mysterious group accidentally made public an online directory they were using to host their attacks. The information revealed the hackers were using web application testing tools to automate the phishing process.

"Essentially, they built an 'auto-pilot' system that would launch Chrome and use it [to] automatically submit the login details phished from the user to the targeted service, including two-step verification codes sent for example via SMS," said Claudio Guarnieri, a technologist at Amnesty, in a tweet.

The hackers' automated process is important because it lets them input the special one-time passcode into the real Google or Yahoo login page, before the time limit on the passcode runs out.

Typically those concerned about getting 2FA codes via SMS can also do so via an authenticator app, which serves up codes that change every few seconds. Amnesty did not immediately respond to PCMag's request for comment about whether this affects such apps, but a technologist there told Motherboard that "the same approach could potentially be used to phish codes from a 2FA app such as Google Authenticator."

If you have extra money to spend, you can also invest in a security key to protect your online accounts. They work by substituting the two-factor authentication process with a hardware-based device, which needs to be inserted into your PC to log into the protected account. The big plus of a security key is that it's pretty hard for a hacker to steal; to do so, the attacker has to personally come and physically take it from you.

You can learn more about how they work here. Unfortunately, one key can cost between $25 to $50. Not every online service supports them either. But you can use them to protect your accounts on Google, Facebook, Dropbox, and Twitter.
Yes, U2F, FIDO was designed to thwart this kind of attack...
ChinaLamb is offline   Reply With Quote
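
The difference between the two second factors discussed in the post above, as an added sketch that is not part of the original thread: a TOTP code carries no record of the page it was typed into, while a U2F-style assertion includes the origin the browser saw, which the relying party checks. HMAC stands in for the ECDSA signature a real security key produces, and all origins, secrets and names are constructed.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int) -> bool:
    # The server receives digits only; nothing records which page they were typed into.
    return hmac.compare_digest(totp(secret, at), code)

def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def key_sign(key: bytes, browser_origin: str, challenge: str):
    """Browser plus security key: the browser, not the user, writes the origin."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
    # Assumption: HMAC stands in for the ECDSA P-256 signature of a real key.
    sig = hmac.new(key, _h(browser_origin.encode()) + _h(client_data), hashlib.sha256).digest()
    return client_data, sig

def verify_assertion(key, my_origin, challenge, client_data, sig) -> bool:
    """Relying-party check: origin and challenge must match, then the signature."""
    data = json.loads(client_data)
    if data.get("origin") != my_origin or data.get("challenge") != challenge:
        return False
    want = hmac.new(key, _h(my_origin.encode()) + _h(client_data), hashlib.sha256).digest()
    return hmac.compare_digest(want, sig)

def demo():
    # All values below are constructed for illustration.
    now, secret, key = 1546776720, b"constructed-totp-secret", b"constructed-key"
    real, lookalike = "https://mail.example", "https://mail-example.invalid"
    challenge = "constructed-challenge"
    # A code typed into the look-alike page and forwarded within the time step verifies.
    totp_ok = verify_totp(secret, totp(secret, now), now + 5)
    # An assertion produced on the look-alike page carries that page's origin.
    relayed_ok = verify_assertion(key, real, challenge, *key_sign(key, lookalike, challenge))
    genuine_ok = verify_assertion(key, real, challenge, *key_sign(key, real, challenge))
    return totp_ok, relayed_ok, genuine_ok

if __name__ == "__main__":
    print(demo())
```
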
Old 6 Jan 2019, 12:40 PM   #24
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by ChinaLamb View Post
Check this out... Hackers targeting journalists, including those using 2FA (which is simple 2 factor authentication -- i.e. authenticator codes)...
It appears that in that example, the phishing method is for the hacker to cause a message or prompt to appear on a user's device which is intended to make the user change their password for a particular application - specifically by clicking a link provided by the hacker.

Quote:
Amnesty International said the group of hackers they've been tracking pulls this off by sending out fake but convincing security alerts that look like they came from Google or Yahoo. The alerts will claim the victim's account may have been breached and provide a link to an official-looking login page to initiate a password reset.
Presumably, if you don't click this link, but instead navigate to the original web site to check the security status and any messages, e.g. on your Google account, then you won't be feeding the hacker with your 2FA code when you log in.

It seems that if you avoid clicking such notification links, and instead type in the URL into a web page for the site in question, you can avoid the phishing attempt - is this assumption correct?
gardenweed is offline   Reply With Quote
Old 6 Jan 2019, 09:55 PM   #25
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
The problem is that even the best security researchers have found themselves phished. Yes, if you never try to log into a fake login you should be safe. But even some of the best out there are getting fooled. All it takes is one groggy morning or one instance where you are not fully paying attention.

The other issue is with DNS intercept, or if someone takes over your DNS and sends you to a malicious website that has a certificate and looks exactly like Google.

Or maybe your favorite VPN gets hacked and bad actors reroute you to a fake login page for Google. Again all with legitimate certificates (but not necessarily Google's). How often do you inspect the certificates before you login?
ChinaLamb is offline   Reply With Quote
Old 6 Jan 2019, 10:21 PM   #26
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
That's all kinda depressing
gardenweed is offline   Reply With Quote
Old 7 Jan 2019, 03:09 AM   #27
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by gardenweed View Post
That's all kinda depressing
Doesn't need to be. You just have to be smart about online security, and realize that just like people want to break into your home, they want to break into your email and accounts too. The internet has matured a lot in the last 20 years, and so has online crime.

We've moved from crunching credit cards, to swiping credit cards, and now we've got chip and pin credit cards. Technology evolves as crime evolves. I'd love to complain about it, but complaining doesn't make it any better.

Put this in perspective. How much thought do you put into securing your home? Average lock for your home costs $100 at the big box stores - my home has 5 of those. Average key replacement for your car costs $250 from the dealer. Alarm systems? Etc?

We haven't thought much about online security, aside from passwords. I don't want to get into it, but systems like Life-Lock have been shown to pretty much be a scam by the FCC. We all need to be aware of what gives the "illusion" of security, and what genuinely *does* give security. Unfortunately, Authenticator codes are looking more and more like the illusion of security, although they are better than nothing.

With all this in perspective, for those that want protection from growing phishing attempts, something like the Google Titan key is quite affordable, $50 for 2 keys. Hopefully prices will go down, and with the rapid expansion of FIDO acceptance, I bet we're going to see it deployed much more broadly in the very near future.
ChinaLamb is offline   Reply With Quote
Old 7 Jan 2019, 03:25 AM   #28
emoore
Essential Contributor
 
Join Date: Apr 2002
Posts: 280
Unfortunately, Fastmail doesn't support FIDO U2F when using an email client. Thunderbird version 60.0 added FIDO U2F support. So I submitted a support request in August asking if they supported its use by an email client because I wanted to use a Yubikey with my Fastmail IMAP account in Thunderbird.

The reply was "We currently do not support this. We hope to support this in the future, but don't have any timeline on this now, sorry."
emoore is offline   Reply With Quote
Old 7 Jan 2019, 08:05 AM   #29
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by emoore View Post
Unfortunately, Fastmail doesn't support FIDO U2F when using an email client. Thunderbird version 60.0 added FIDO U2F support. So I submitted a support request in August asking if they supported its use by an email client because I wanted to use a Yubikey with my Fastmail IMAP account in Thunderbird.

The reply was "We currently do not support this. We hope to support this in the future, but don't have any timeline on this now, sorry."
Email clients aren't as big of an issue. Besides, most clients don't support this yet. For now create really long app passwords and never enter that password into a web page. Never use it again. Not ideal, but the world has to catch up to the capability.

/cl
ChinaLamb is offline   Reply With Quote
Old 12 Jan 2019, 07:33 AM   #30
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Quote:
Originally Posted by ChinaLamb View Post
FIDO Devices
IF you use a mobile device, you'll need SOMETHING more than a simple USB device. Your phone needs to be authenticated to use Fastmail. That leaves you with either a Bluetooth or a NFC Based FIDO U2F compliant device. You should NOT authenticate your phone with Authenticator codes or SMS codes due to the issues above.
...
Yubikey also provides multiple FIDO compliant keys, unfortunately, as stated, you need a NFC device, and Yubikey's cheapest NFC capable device is $45 (Series 5 keys, EXCEPT the Nano).
...
Unfortunately, I do not know of any other NFC or Bluetooth Capable FIDO devices currently on the market. This means your minimum cost to get rolling with FIDO is about $45.
Announced by Yubico this week, their NFC FIDO2 U2F security key is now available.

Security Key NFC - $27 direct from Yubico, free shipping in the States.

Their standard FIDO2 U2F key is $20, readily available on Amazon. Have one as a backup.

--
For unphishable/unhackable online security you don't need the bells & whistles of the more expensive Series 5 keys.
An NFC security key is preferable to Google's Titan Bluetooth key (requires charging from time to time, not FIDO2, manufactured in China by Feitian).

about FIDO2

Last edited by pjwalsh : 14 Jan 2019 at 07:28 AM.
pjwalsh is offline   Reply With Quote
All times are GMT +9.