Hello, welcome to the Wednesday, July 31st, 2019 edition of the Sandinert Storm Center's Stormcast. My name is Johannes Ulrich,

and I'm recording from Boston, Massachusetts. Came across an interesting fish today that I quickly wrote up in a diary.

What was sort of interesting about this fish was

that it did capture two-factor credentials, but also the user's email address and password.

What wasn't quite clear was why all this information was collected. Often the username and

password for an email account is collected

in order to reset the password for the account being fished here. But what apparently was

happening here was that the target website, luno.com cryptocurrency exchange, is actually using, well, a fairly common but not

really very well thought out two-factor authentication scheme. And it isn't really two-factor.

What's happening is that when you're logging into this site, the site will send a one-time password to your email address.

So that's why the attacker needs your email account details in order to retrieve that second

password. But really, the email account is definitely nothing that you have. It's really just

something else. You know a second password,

so it doesn't really qualify as two-factor. Now, Luno allows you to set up SMS as second factor,

and without really talking about the drawbacks of SMS and why it shouldn't really be used for a high value website

like a financial website as a second factor. In this case, it's actually just an additional

destination for this one-time password code. So in addition to email, it will also be sent as an

SMS.

Luno is not alone here.

A lot of regular banks, so not just crypto coin exchanges and such, are making the exactly

same mistakes if they even offer sort of a second factor at all.

And Google today released Google Chrome 76, which fixes 43 different security vulnerabilities.

...