Security News

GitHub to require all users to enable 2FA by the end of 2023
2022-12-15 20:16

GitHub will require all users who contribute code on the platform to enable two-factor authentication as an additional protection measure on their accounts by the end of 2023. Imposing 2FA as a mandatory measure for all GitHub accounts will make the platform a safer space where users can feel more confident about the quality of the code they download from repositories.

SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m
2022-12-06 19:56

As you'll know if ever you've lost a phone, or damaged a SIM card, mobile phone numbers aren't burned into the phone itself, but are programmed into the subscriber identity module chip that you insert into your phone. A crook who can sweet-talk, or bribe, or convince using fake ID, or otherwise browbeat your mobile phone provider into issuing "You" a new SIM card.

Attackers bypass Coinbase and MetaMask 2FA via TeamViewer, fake support chat
2022-11-21 22:16

The attackers try out the entered credentials on the legitimate website, triggering the sending of a 2FA code to the victim, who then enters the valid 2FA code on the phishing site. The threat actors then attempt to use the entered 2FA code to log in to the victim's account, as long as they act before the timer runs out.

How social media scammers buy time to steal your 2FA codes
2022-11-21 19:02

At which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise there's anything phishy going on. As a result, social media users are understandably concerned about protecting their accounts in general, whether they're specifically concerned about Twitter or not: Lure you to a real page with a facebook.com URL. The account is fake, set up entirely for this particular scam campaign, but the link that shows up in the email you receive does indeed lead to facebook.com, making it less likely to attract suspicion, either from you or from your spam filter.

2FA, 3FA, MFA… What does it all mean?
2022-11-09 05:30

MFA protects a system, location, or sensitive data from being accessed by an unauthorized user. MFA systems also consider a one-time password/code received by the user via SMS or authenticator app as a possession factor.

2FA is over. Long live 3FA!
2022-10-11 05:00

In the past few months, we've seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication, challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. For over a decade now, implementing 2FA/MFA has been considered the best-practice solution organizations must implement against account hijacking attacks, whether those were based on phishing, brute force, password theft, or any other fraudulent way of obtaining login credentials.

Why 2FA is failing and what should be done about it
2022-09-26 13:22

That configuration is 2FA sent over SMS. The accounts using 2FA via a password app like Authy or Google's Authenticator have never had any problems. 2FA via an authenticator app isn't nearly as simple to crack.

S3 Ep101: Uber and LastPass breaches – is 2FA all it’s cracked up to be? [Audio + Text]
2022-09-22 18:42

DUCK. Yes, Uber has come out with a follow-up report, and it seems that they're suggesting that a hacking group like LAPSUS$ was responsible. Just because you have those that's a security gate, but it's not the end-all and be-all to keeping someone out.

Credit Card Fraud That Bypasses 2FA
2022-09-20 11:29

Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. Once they have the phone and the card, they register the card on the relevant bank's app on their own phone or computer.

Twilio breach let hackers gain access to Authy 2FA accounts
2022-08-26 16:20

Twilio's investigation into the attack on August 4 reveals that hackers gained access to some Authy user accounts and registered unauthorized devices. Authy is a two-factor authentication service from Twilio that allows users to secure their online accounts, where the feature is supported, by identifying themselves a second time via a dedicated app after typing in the login credentials.