Secure your phone against 2FA skimming

By -
Google recently introduced a new faster method of 2 step verification.  Instead of using Google Authenticator or SMS as a mechanism to enter a verification code, they simply send a push notification to your mobile device.

It is simple and if you don't use it, you should turn it on!

But today, for some reason, the push notification didn't arrive.  So I asked Google to try a different method. I chose SMS and a moment later I was sent a text method with a code (partially blanked out below)
MFA code is visible when locked

Now you can see that my phone is locked, but the whole code is visible.  This got me very paranoid, imagine being away from your phone for 5 minutes and someone guessing your password and then using this to bypass two factor authentication?  Or thinking about it, my bank uses one time passcodes (OTP) before transferring large amounts of cash....scary!

No thanks

Thankfully, Android has a mechanism to make this more secure.  If you go to Sound & Notifications > App Notifications > Messaging

From here you can turn on the setting to Hide Sensitive Content

Enable "Hide Sensitive Content"
I tested the two factor authentication again after turning this setting on and results are below.  A lovely hidden SMS!
MFA code is hidden until unlock
You can achieve a similar result in iOS

Sam

Comments

Post a Comment

Popular posts from this blog

Assigning Windows 10/11 Enterprise Subscription Activation Licences to Hybrid Azure AD Joined Devices

By -
Image
Introduction Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to Windows 10 Enterprise automatically if they are subscribed to Windows 10 Enterprise E3 or E5. The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. It’s important to note that the Windows 10 Enterprise subscription activation is designed to “step-up” a device from Windows 10 Pro to Windows 10 Enterprise. Therefore, your device is required to have a Windows 10 Pro license activated as a baseline. For Windows 10 Enterprise Subscription Activation to function, there a several prerequisites which need to be in place. This blog is aimed for organisations which have Active Directory on premises an
Read more

Exchange Hybrid Mailbox Move - Corruption Due To Missing Security Principals (ACL issues) - TooManyBadItemsPermanentException

By -
Image
UPDATE 14 Jan 2020 --------------------- Microsoft have introduced DCS ( Data Consistency Scoring ) which is planned to supersede the Bad Item Limit count you declare on a migration. There are four grades of DCS; Perfect , Good , Investigate and Poor .  You can complete the migration for all grades, except Poor . Importantly, this now means they can now properly differentiate between a corruption in mailbox data and missing permissions or security principal which couldn't be set on the target mailbox. Previously you had to raise the Bad Item Limit to compensate for security principals and genuine corruption combined; this should no longer be the case. For now, DCS will be used by default where you don't set a Bad Item Count. If you do specify a Bad Item Count, DCS will not be used See the below links for more details: https://techcommunity.microsoft.com/t5/exchange-team-blog/improving-migrations-using-data-consistency-scoring/ba-p/1105920 https://docs.microsoft.c
Read more

Autopilot Hybrid Azure AD Join with Customised First Login Status

By -
Image
Introduction This is my flavour of deploying a customised HAADJ progress status, building on work by Joymalya Basu Roy's detailed article - https://joymalya.com/autopilot-hybrid-azure-ad-join-reworked-with-joy/ . The differences in my version are: Not using Active Setup to run the HAADJ retry process or Splash Screen as I found this didn't work as expected and I didn't want to add a registry item to affect all future logins with a reboot from the HAADJ process. Running the processes under the context of the SYSTEM account, but displaying status to the interactive user. Avoid the HAADJ process running again after the initial success. This provides a customised first login status which prevents the user from using the devices until Hybrid Azure AD Join from the Autopilot process. It's use is primarily for when the User ESP is configured to be skipped. Files This is my version of customised HAADJ which is built on work and guidance in blogs/articles from Michael Niehaus, S
Read more