Good afternoon. Today, we are covering how hackers bypass two-factor authentication. We are also offering practical tips on how to prevent two-factor authentication bypasses. As usual, we will also bring you the latest news and jobs in the cybersecurity field. We end today’s newsletter with a wisdom quote. First time reading? Sign up here

Main Meal

How Hackers Bypass Two-Factor Authentication

1. 🔓Open Authorization Loopholes: Open Authorization (OAuth), a framework for secure, delegated access, becomes a backdoor when attackers set up fake OAuth phishing campaigns, tricking users into granting them access.

2. 📱SIM-Swapping: In SIM swapping scams, hackers convince your mobile carrier they're you. They then move your number to their SIM card and receive all texts – including those precious 2FA codes.

3. 🏴‍☠️Pre-made Tokens: Attackers can bypass 2FA by accessing pre-generated tokens or backup codes that users store for emergency access.

4. 🗣️ Subtle Persuasion: Attackers use social engineering to coax victims into revealing their 2FA codes, often through compelling narratives or by impersonating the user to customer service.

5. 🍪Cookie Theft and Middle-Man Schemes: Session hijacking, involving stealing a user’s session cookie, allows attackers to maintain access without needing a password.

6. 💪Forceful Guesswork with Brute Force: Hackers sometimes use brute force on older 2FA devices with shorter codes, exploiting the limited lifespan of OTPs (one-time passwords) before they refresh.

How To Prevent Two-Factor Authentication Bypasses

🔐 Never share personal details or one-time passwords with anyone - not even with trusted contacts. You wouldn't give out the keys to your house easily; so, treat these codes the same way.

📲 Avoid using SMS-based 2FA when possible, because of its susceptibility to SIM swapping attacks. Opt for app-based solutions like Google Authenticator – they're more resistant against hacker tricks.

🎣 Beware of Phishing Attacks: Hackers often use phishing emails pretending to be trustworthy entities asking you for sensitive information. Always double-check email senders' addresses before clicking on any links or sharing any info.

🔑 Frequent Password Changes: Mix it up by changing passwords regularly and making them strong - think complex combinations that aren’t easy guesses. Websites like Random Password Generator help create solid passwords in seconds.

🔄 Patch and Update Regularly: To keep those pesky hackers at bay, make sure all software is updated regularly as updates often fix security vulnerabilities found in previous versions.

News

Samsung's Data Breach Exposes UK Customers' Personal Information

Samsung has confirmed a data breach that exposed personal information of its UK customers [more]

Bahrain Government Websites Crash in Cyberattack

Bahrain government websites were temporarily inaccessible after a cyberattack supposedly due to the country's stance on the Israel-Hamas war. The hackers claimed retaliation for the "abnormal statements" made by the ruling family, although no further details were provided [more]

Data Breach at Moving Companies Exposes Canadian Military and Police Personnel

The Canadian government has announced that a data breach at moving and relocation services firms has exposed the personal information of government employees, military personnel, and police. The breach impacts anyone who has used relocation services since 1999 [more]

US Nuclear Energy Testing Lab Reports Data Breach

The Idaho National Laboratory, known for its energy research, experienced a major breach of employee data. The hacktivist group claimed responsibility and obtained sensitive information such as Social Security numbers and employment information [more]

Massive Data Breach Reveals Nearly 9 Million Patients' Records

A cyberattack on a medical transcription company compromised the highly sensitive health data of nearly 9 million patients, making it one of the worst medical data breaches in recent years. The breach affected patients at Northwell Health in New York and Cook County Health in Illinois, as well as millions of patients from undisclosed locations. The breach began in March but was not disclosed until September, and there is no evidence of subsequent misuse of the stolen data [more]

Pensions Ombudsman Uncovers Massive Cyberbreach

The Pensions Ombudsman has contacted 17,500 individuals in relation to a potential cybersecurity breach. The investigation has now been concluded [more]

Cyberattacks on Canadian Health Information Systems

Canadian health information systems are increasingly vulnerable to cyberattacks, which can compromise patient safety, privacy, and the functioning of the healthcare system [more]

Paris Wastewater Organization Falls Victim to Cyberattack

The wastewater management organization in Paris was targeted in a cyberattack, raising concerns about the security of the city's water supply [more]

Kansas Court System Falls Victim to Cyberattack

In a recent cyberattack on the Kansas court system, criminals stole residents' sensitive information and threatened to publish it online. The courts are still investigating the extent of the data breach [more]

Citrix Software Flaw Exposed: How It Led to the Recent Cyberattack on Boeing

A flaw in Citrix software allowed the recent cyberattack on Boeing, according to a report. The ransomware group LockBit 3.0 exploited vulnerabilities in the software even after they were fixed, leading to successful attacks on Boeing and other organizations [more]

Indian Android Users Under Threat: The Rise of Mobile Banking Trojan Campaigns

Microsoft warns that hackers are using WhatsApp and Telegram to spread malicious apps that can steal banking and personal information from Indian smartphone users. One of the fraudulent apps pretends to be a "know your customer" app that asks users to submit their bank account details and credentials. The app can also intercept and send SMS messages, including one-time passwords. Another fraudulent app asks users to give SMS-based permissions and then collects their credit card details and other personal information, such as their Aadhaar number [more]

Jobs

Position: Senior Cybersecurity Analyst

Company: UltraViolet Cyber

Location: Remote

Submit your application: https://tinyurl.com/fj7psmd6

Position: Cloud Security Architect - Currencycloud

Company: Visa

Location: London, United Kingdom

Submit your application: https://tinyurl.com/2s35jwt5

Position: Cybersecurity Analyst

Company: Devoteam

Location: Lisbon, Portugal

Submit your application: https://tinyurl.com/5du26en8

Position: Vulnerability Detection Engineer

Company: Amazon

Location: New York City, USA

Submit your application: https://tinyurl.com/2r7pnjy3

Position: Senior Cybersecurity Purple Team Specialist

Company: Scalable GmbH

Location: Berlin, Germany

Submit your application: https://tinyurl.com/49s6s8c7

Position: Senior Cybersecurity Engineer

Company: Techland S.A.

Location: Warszawa, Poland

Submit your application: https://tinyurl.com/4shwxf65

Position: Head of Cyber Security Operations

Company: Tyro

Location: Sydney, NSW, Australia

Submit your application: https://tinyurl.com/39783yym

Position: Cloud Security Engineer

Company: Visa

Location: London, United Kingdom

Submit your application: https://tinyurl.com/47rwj8y7

Position: Director, Information Security

Company: Motive

Location: United States - Remote

Submit your application: https://tinyurl.com/2s3sh9p5

Position: Senior Cybersecurity Architect

Company: Privia Health

Location: United States - Remote

Submit your application: https://tinyurl.com/5n7p23r3

Wisdom Quote

“Whenever you find yourself on the side of the majority, it is time to reform (or pause and reflect).”

― Mark Twain