Passwords are a hassle. Remembering them is an almost impossible mission, creating secure ones means typing in several special characters, and on top of that we see leaks of this data from time to time. That is why technology companies are looking for a definitive solution to get rid of them. One of the alternatives gaining popularity is apparently simple and elegant: enter your email or phone number and receive a one-time code. But it is not completely safe.
Large companies adopt the 'magic link'. Passwordless login has been adopted by several companies, including Microsoft. The promise is clear: remove friction and the risk of passwords reused across different services. However, what looks like an ingenious solution is turning into a security nightmare, a system that in certain scenarios can even be worse than the much-maligned passwords, as the expert Daniel Huang acknowledges. And it is not a theoretical threat; it is already being actively exploited.
Entering the email is the first step of the deception. At first sight it seems like a simple and harmless system, and as users we are getting used to the idea that if we receive a code, we must use it. But where? This is where a cybercriminal finds a new gold mine for remarkably effective phishing attacks.
It all starts with a very convincing phishing email or SMS. It can be an irresistible offer or an attention-grabbing security notice, accompanied by a link to a web page that is a perfect clone of the original site the message claims to come from. There the victim is asked to enter their phone number or email, and the attacker only has to wait for the next step.
Behind the screen is where the attacker sits. Out of sight, the attacker enters that same email or phone number on the legitimate website, which makes the real service send a completely valid code to the victim's inbox or to the phone's messages. At that moment the fake website asks for the verification code that has just been received, taking advantage of the fact that every previous time the user did this, absolutely nothing bad happened.
Here the damage is done. The attacker receives the code and uses it on the real website, signing in and changing the account's login and recovery details, such as the email or phone number, to take over the account. And the usual defenses are of little help: a password manager has nothing to autofill, and since the code is legitimate and sent by the real service, spam filters will not trigger either.
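The three-step flow above, modeled as an added, constructed simulation (this is illustration code written for this article, not code from any of the services mentioned). Nothing here touches a network; the `Service`, `Session` and mailbox names are invented. It also goes one step beyond the text: the service binds each code to the session that requested it, and the attack still succeeds, because the attacker is the one who made the request on the real site.

```python
"""Constructed simulation of the code-relay phishing described above.

Parties: the legitimate service, the victim (who only sees their inbox and
the cloned page), and the attacker who runs the clone. The point it makes:
the service issues a perfectly valid code, and the attacker is the party
that asked for it, so neither spam filtering nor binding the code to the
requesting session blocks the redemption.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Service:
    """Hypothetical passwordless login: emails a 6-digit code, redeems it once."""
    # email -> (code, session that requested it)
    pending: dict[str, tuple[str, str]] = field(default_factory=dict)
    # email -> messages delivered to that (real) mailbox
    inboxes: dict[str, list[str]] = field(default_factory=dict)
    # session -> logged-in email
    sessions: dict[str, str] = field(default_factory=dict)

    def request_code(self, email: str, session: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = (code, session)
        # "Sent" by the real service to the real user's mailbox.
        self.inboxes.setdefault(email, []).append(f"Your login code is {code}")

    def redeem(self, email: str, code: str, session: str) -> bool:
        entry = self.pending.get(email)
        if entry is None:
            return False
        expected, requester = entry
        # Session binding: the code is only accepted in the session that asked for it.
        if not secrets.compare_digest(expected, code) or requester != session:
            return False
        del self.pending[email]  # single use
        self.sessions[session] = email
        return True


def victim_reads_code(service: Service, email: str) -> str:
    """The victim reads the newest code in their inbox and types it into the clone."""
    latest = service.inboxes[email][-1]
    return latest.rsplit(" ", 1)[1]


def relay_attack(service: Service, victim_email: str, attacker_session: str) -> bool:
    """Attacker's side: request on the real site, collect through the clone, redeem."""
    # 1. Victim submitted their email on the clone; attacker forwards it to the real site.
    service.request_code(victim_email, attacker_session)
    # 2. The real service mails a genuine code to the real user (not spam, not spoofed).
    # 3. The clone now asks for "the code you just received"; the victim pastes it.
    stolen = victim_reads_code(service, victim_email)
    # 4. The attacker redeems it in their own session, which is the one that requested it.
    return service.redeem(victim_email, stolen, attacker_session)


def demo() -> bool:
    """Run the flow once; True when the attacker's session ends up logged in as the victim."""
    service = Service()
    ok = relay_attack(service, "victim@example.com", "attacker-browser")
    return ok and service.sessions.get("attacker-browser") == "victim@example.com"


if __name__ == "__main__":
    print("attacker logged in as victim:", demo())
```

The session check in `redeem` is the defense one might expect to help, and the simulation shows why it does not: the victim never started a login on the real site, so there is no victim session for the code to be bound to. A replay after redemption does fail (the code is single use), but by then the account is already in the attacker's hands.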
A security problem that has already been exploited. This is not just theory; it has been put into practice. One of the best-known examples is the Microsoft login system for Minecraft accounts, as shown in the company's forums and in Reddit threads. Many players describe how they lost access to their account overnight because of this type of fraud.
The pattern was always the same: they received an email with some excuse about their Mojang account and, following the steps, handed the access code over on a silver platter.
One-time code or classic password. This is the big decision large companies now have to make. And one of the solutions that would guarantee a safe password is a good password manager. If it is of good quality, the saved credentials are tied to a specific URL, so if an illegitimate website is visited, the address will not match and nothing will be autofilled.
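The URL check described above, as an added illustration of how a password manager decides whether to autofill (example code written for this article, not the code of any real password manager). It goes slightly beyond the text by comparing the full origin (scheme, host, port) rather than just the URL string, and by converting hostnames to their ASCII form so a look-alike domain written with a Cyrillic letter cannot pass as the real one. The `Vault` class, the `example.com` login page and the clone URLs are constructed for the example.

```python
"""Origin matching the way a password manager does it (constructed example).

A saved credential is keyed to the origin (scheme, host, port) where it was
stored, and autofill is offered only on a page with that same origin. A
phishing clone can copy the look of a page but not its origin, so the
manager stays silent there, and that silence is the warning sign.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> Optional[tuple[str, str, int]]:
    """Return (scheme, ascii_host, port) for url, or None if it has no usable origin."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        # urlsplit already lowercases the host; convert it to its ASCII
        # (punycode) form so a homograph such as a Cyrillic 'а' in
        # "exаmple.com" cannot compare equal to the Latin name it imitates.
        host = parts.hostname.encode("idna").decode("ascii")
        port = parts.port  # raises ValueError on a malformed port
    except (UnicodeError, ValueError):
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port)


class Vault:
    """Toy credential store with one entry per origin."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str, int], tuple[str, str]] = {}

    def save(self, url: str, username: str, password: str) -> None:
        origin = origin_of(url)
        if origin is None:
            raise ValueError(f"no usable origin in {url!r}")
        self._entries[origin] = (username, password)

    def autofill(self, current_url: str) -> Optional[tuple[str, str]]:
        """Credential for the current page's origin, or None (refuse to fill)."""
        origin = origin_of(current_url)
        if origin is None:
            return None
        return self._entries.get(origin)


# Constructed sample: the real login page and the kinds of URLs a clone shows up under.
REAL_LOGIN = "https://login.example.com/signin"
CLONE_URLS = [
    "https://login.example.com.evil-site.net/signin",  # real host as a subdomain of the attacker's
    "https://login.examp1e.com/signin",                 # digit 1 in place of the letter l
    "https://login.exаmple.com/signin",                 # Cyrillic 'а' homograph
    "http://login.example.com/signin",                  # same host, scheme downgraded
    "https://login.example.com:8443/signin",            # same host, different port
]


def build_vault() -> Vault:
    """Vault holding one credential saved on the real login page."""
    vault = Vault()
    vault.save(REAL_LOGIN, "alice", "correct horse battery staple")
    return vault


if __name__ == "__main__":
    vault = build_vault()
    print("real page:", vault.autofill("https://LOGIN.Example.com/signin?next=/home"))
    for url in CLONE_URLS:
        print(f"{url}: {'FILL' if vault.autofill(url) else 'no match, nothing filled'}")
```

Note that the real page still matches when the path, query string, capitalization or an explicit `:443` differ, because none of those are part of the origin; only the scheme, the host and the port count.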
The best defense is common sense. With either login system, 100% security is not achieved. In the past we have seen very significant password leaks, such as hackers publishing enormous files of credentials, the theft scams that have been reported, and the strategies used to steal credentials, even in Chrome. That is why, as security advice, the most important thing is to check web addresses and distrust anything that departs from the normal.
Images | Brett Jordan, Towfiqu Barbhuiya
In WorldOfSoftware | The 'sí' fraud: what it is and why it is not recommended to answer with a "yes" when an unknown number calls you