It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone. As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system. It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone. As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system. It works too. Figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks. But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone. Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB, and Westpac. Major vendors such as Microsoft have urged users to abandon 2FA solutions that leverage SMS and voice calls. This is because SMS is renowned for having infamously poor security, leaving it open to a host of different attacks. For example, SIM swapping has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victims’ mobile service provider they themselves are the victim and then requesting the victim’s phone number be switched to a device of their choice. SMS-based one-time codes are also shown to be compromised through readily available tools such as Modlishka by leveraging a technique called a reverse proxy. This facilitates communication between the victim and the service being impersonated. So in the case of Modlishka, it will intercept communication between a genuine service and a victim and will track and record the victims’ interactions with the service, including any login credentials they may use). In addition to these existing vulnerabilities, our team has found additional vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web to your android device. If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they’d like automatically onto your smartphone. Experiments revealed a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronize user’s notifications across different devices. Specifically, attackers can leverage a compromised email/password combination connected to a Google account (such as This email address is being protected from spambots. You need JavaScript enabled to view it.) to nefariously install a readily available message mirroring app on a victim’s smartphone via Google Play. This is a realistic scenario since it’s common for users to use the same credentials across a variety of services. Using a password manager is an effective way to make your first line of authentication — your username/password login — more secure. Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly. For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. After this, they can remotely receive all communications sent to the victim’s phone, including one-time codes used for 2FA. Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods. There is more of this post on OUR FORUM.

Time crystals sound like majestic objects from science fiction movies that unlock passageways to alternative universes. In the Marvel universe, the “time stone” gives wielders control over the past, present, and future. While that remains a fantasy, scientists have successfully created micro-scale time crystals for years — not for powering intergalactic spaceships but for energizing ultrapowerful computers. “Time crystals are like a rest stop on the road to building a quantum computer,” said Norman Yao, a molecular physicist at the University of California at Berkeley. It’s an area of interest for Google, which, along with physicists at Stanford and Princeton universities, claim to have developed a “scalable approach” to time crystal creation using the company’s Sycamore quantum computer. In a paper published last month on the research-sharing platform Arxiv.org, a team of over 100 scientists describes how they set up an array of 20 quantum particles, or qubits, to serve as a time crystal. During experiments, they applied algorithms that spun the qubits upward and downward, generating a controllable reaction that could be sustained “for infinitely long times,” according to the paper. Time crystals are scientific oddities made of atoms arranged in a repeating pattern in space. This design enables them to shift shape over time without losing energy or overheating. Since time crystals continuously evolve and don’t seem to require much energy input, they may be useful for quantum computers, which rely on extremely fragile qubits that are prone to decay. Quantum computing is weighed down by hard-to-control qubits, which are error-prone and often die. Time crystals might introduce a better method for sustaining quantum computing, according to Yao, who published a blueprint for making time crystals in 2017. “Time crystals are a weighted benchmark, showing that your system has the requisite level of control,” Yao said. The scientists involved in Google’s research say they can’t discuss their findings as they undergo peer review. However, the work tackles an area where physicists have long hoped for a breakthrough. “The consequence is amazing: You evade the second law of thermodynamics,” Roderich Moessner, a co-author of the Google paper, told Quanta Magazine. The time crystal concept was first proposed in 2012 by Nobel Prize-winning physicist Frank Wilczek, who wondered whether atoms could be arranged in time similar to their arrangement in ordinary crystals. Essentially, he wondered whether a closed system could spin, oscillate or move in a repetitious manner. What followed was a healthy dose of scrutiny from the broader physics community, years of university experiments with and without Wilczek, and testing to see whether his vision was possible. The definition expanded to include objects that would be activated by an external influence such as a shake, stir, or laser strike. “The definition is somewhat fluid. But if you want to call it a new state of matter, you want it to be autonomous and not have stirred,” Wilczek said. Early experiments pumped ions with lasers so they would artificially pulsate. It was useful but difficult to scale, Wilczek added. By 2017, scientists from Harvard University and the University of Maryland revealed they created micro-scale time crystals at frigid temperatures in a lab. Both passed peer review. More recently, a team from the Delft University of Technology in the Netherlands published findings in July on its approach to building a time crystal inside a diamond. (Those findings haven’t undergone peer review.) Time crystals are a tough concept to grasp, but scientists say you can think of them as a perpetual motion machine, adding a caveat to the second law of thermodynamics, which states that any isolated system will degenerate into a more disordered state or entropy. Their existence also undermines Newton’s first law of motion, detailing how an object must react to motion. To learn more visit OUR FORUM.