Forum Discussion

Paul151985's avatar
Paul151985
Copper Contributor
Aug 14, 2022

OTP

Hi   I just wanted to share this thing. I mean we all are aware that passwords are lame. It can be easily just hacked by a malicious individual. Then came the one time pin. We felt secure by this...
identity and access management
  • Harald_Wallus's avatar
    Harald_Wallus
    Aug 16, 2022

    Paul151985 

     

    I'm not the specialist for hackers. But
    Microsoft has send the code via SMS. SMS can be hacked by intersection of the communication, e.g. using "false base station" or Hacking of the ‘Personal Account’ of the subscriber on the site or application of the cellular operator and forwarding all messages to the attacker`s address.
    One of this could be happend.
     
    If you receive the Microsoft code, the attacker send a second one, asking you to verify your login. I don't know how the hacker then can lead you to a fake site (maybe proxy, what ever?). Then the attacker has your password.
    You have used the signin-page of microsoft, and you see, your account is at risk. It looks that Microsoft cloud application security has detected a second login for your account, which looks strange, because it is from another location, or it is from a non registered device.

    This shows, we all have to move to passwordless authentication, because it is phishing resistant.

     

    Harald

     

Paul151985's avatar
Paul151985
Copper Contributor
I informed them already. If this is phishing then this is real time phishing. They know how to attack at the exact time when an individual will open the account on a certain device. I received a form of phishing via email, that one was very obvious. Reading the content and checking on the details of the link from which the email came from, I immediately report it the concerned institution. With this one I was tricked perhaps coz of my busy day to day routine in my job.
thanks by the way for the reply. I will study about your suggestion for me to better understand.
Harald_Wallus's avatar
Harald_Wallus
Copper Contributor
Aug 16, 2022

Paul151985 

 

I'm not the specialist for hackers. But
Microsoft has send the code via SMS. SMS can be hacked by intersection of the communication, e.g. using "false base station" or Hacking of the ‘Personal Account’ of the subscriber on the site or application of the cellular operator and forwarding all messages to the attacker`s address.
One of this could be happend.
 
If you receive the Microsoft code, the attacker send a second one, asking you to verify your login. I don't know how the hacker then can lead you to a fake site (maybe proxy, what ever?). Then the attacker has your password.
You have used the signin-page of microsoft, and you see, your account is at risk. It looks that Microsoft cloud application security has detected a second login for your account, which looks strange, because it is from another location, or it is from a non registered device.

This shows, we all have to move to passwordless authentication, because it is phishing resistant.

 

Harald

 

  • Paul151985's avatar
    Paul151985
    Copper Contributor
    Aug 17, 2022

    Harald_Wallus  I'm not an expert either about how hackers do things in attacking individual accounts, but I know and understand some stuff and continuously learning about it as far as I can understand and do a lot of research. For sure Local IT Support team knows as to how many log in attempts, web pages opened and so on and so forth. A lot of information that their end user do can be monitored but what they can't as to a certain limitation of controlling a system like this (online/cyber threats occur at any time at any day) These confidential information can be used and sold maliciously. So what can they do about this? just thinking bout it for Im sure they wont just give one account to an individual who is naive or ignorant in using it so to speak. 

Resources