Bitcoin Forum
Topic: How long will existing encryption last?  (Read 1807 times)
chaoscoinz
January 17, 2020, 12:04:18 PM
 #81

Nobody really knows for sure, but there is one thing you can be sure of, there are quantum computers out there right now as we speak. The ones that we definitely know of are D-Wave Systems quantum computers, which are commercially available and have several big name clients who have purchased a computer from them. There's really nothing to worry about as far as quantum computers go because they are an infant technology and are limited to specific functions only, but the real trouble starts when they gain more general function, that's when you arrive at the realization that the existing encryption is on its way out the door, old news, good bye.
Voland.V
January 18, 2020, 11:25:01 AM
 #82

Quote from: chaoscoinz
Nobody really knows for sure, but there is one thing you can be sure of, there are quantum computers out there right now as we speak. The ones that we definitely know of are D-Wave Systems quantum computers, which are commercially available and have several big name clients who have purchased a computer from them. There's really nothing to worry about as far as quantum computers go because they are an infant technology and are limited to specific functions only, but the real trouble starts when they gain more general function, that's when you arrive at the realization that the existing encryption is on its way out the door, old news, good bye.
-------------------
This theme, whether there's a quantum hazard or not, is wiped down to the holes.

That's the picture I'm looking at:
- most people in the scientific community understand and explain that the danger is more than real;
- most ordinary people who don't want to get into it, project managers, advertisers, "air salesmen" who aren't used to dealing with complex issues, don't see it as a threat.

We know that there are a lot of encryption systems, totally new systems that can withstand quantum computers even from another galaxy. And in 2022, we will know the winner.

All modern systems except AES will go to the junkyard of history and the debate will stop, just like the threat of quantum computers.

And what will remain?
There will remain the eternal threat of cryptanalysis, theft of keys and passwords, phishing, and other nasty things that no cryptographic system fights against.

These threats, as well as quantum threats, can be counteracted by a new technology of keyless encryption and passwordless authentication based on logic and geometry rather than mathematics.   
CarnagexD
January 18, 2020, 03:25:59 PM
 #83

Quote from: chaoscoinz
Nobody really knows for sure, but there is one thing you can be sure of, there are quantum computers out there right now as we speak. The ones that we definitely know of are D-Wave Systems quantum computers, which are commercially available and have several big name clients who have purchased a computer from them. There's really nothing to worry about as far as quantum computers go because they are an infant technology and are limited to specific functions only, but the real trouble starts when they gain more general function, that's when you arrive at the realization that the existing encryption is on its way out the door, old news, good bye.

There had been no real claims about the existence of quantum computers to date. If there is, we shouldn't even be stuck on this planet, most of the global problems we have right now would've been solved if there is a quantum computer out there. But even if there is, I don't see it as big of a threat really, nobody would be able to gain access from a quantum computer unless you're a very important person.

Voland.V
January 18, 2020, 09:32:13 PM
 #84

Quote from: chaoscoinz
Nobody really knows for sure, but there is one thing you can be sure of, there are quantum computers out there right now as we speak. The ones that we definitely know of are D-Wave Systems quantum computers, which are commercially available and have several big name clients who have purchased a computer from them. There's really nothing to worry about as far as quantum computers go because they are an infant technology and are limited to specific functions only, but the real trouble starts when they gain more general function, that's when you arrive at the realization that the existing encryption is on its way out the door, old news, good bye.
Quote from: CarnagexD
There had been no real claims about the existence of quantum computers to date. If there is, we shouldn't even be stuck on this planet, most of the global problems we have right now would've been solved if there is a quantum computer out there. But even if there is, I don't see it as big of a threat really, nobody would be able to gain access from a quantum computer unless you're a very important person.
---------------
Access to you or your data happens regardless of your desire or your importance.
This is fully automatic data collection. It is a program that collects everything and everyone.
It's done by both the government and the crooks.
But the government doesn't want scammers to know more than the government. That's the reason why news like this happens:
On January 14th, the FBI seized the domain WeLeakInfo.com for providing users with paid access to data leaked to the network by hacking. The operation was conducted jointly with the National Crime Agency (NCA), the Netherlands National Police Corps, the German Federal Criminal Police Office (Bundeskriminalamt) and the Police Service of Northern Ireland.

"The Web site gave users access to a search engine to view confidential information illegally obtained from more than 10,000 data leaks, including more than 12 billion indexed records, including names, email addresses, logins, phone numbers and passwords," the U.S. Department of Justice reported.

The subscription price ranged from $2 to $75, giving users unlimited access to search engines and data for a limited period of time.

Here's the price of your logins and passwords and more today: from $2 to $75. And this is not the highest price, there is cheaper.

This is reality, open your eyes, 12 billion records, this is all humanity!
Voland.V
January 20, 2020, 11:03:33 PM
 #85

But the practical proof of the fact that some devices (in this case all, regardless of the model), some manufacturers, can never be used, under any circumstances, or for any purpose.

The main thing is not to forget, buying another fashionable smartphone, that with its help you can not use your passwords and keys, to access the service associated with your cryptographic assets. This is a spy.

Here is the recent news.
Celebrities in South Korea were subjected to a large-scale extortion campaign, during which criminals hacked into Samsung smartphones belonging to popular film artists, musicians, artists, etc. and demanded a ransom of $43,000 to $860,000, threatening to make their personal data public.

Only recently, in my post of January 15, this company was mentioned, and confirmation of this danger did not wait.

Really, who's responsible for this?
People who have trusted products that are not suitable for anything, in terms of security, or a manufacturer that adheres to its own, not for the purposes it has declared?

In my opinion, we will always be deceived if we trust anyone.  And the most dangerous thing is exactly the delusion that most people have.
Who's listening to the minority?

I don't know who will support me, but practice shows that apart from cheaters, other players are also playing against us, made up as our allies.

So then talking about cryptography...
Voland.V
January 21, 2020, 07:01:31 PM
 #86

Let's continue the topic of vulnerability.
We're probably hiding the fact that any modern device is vulnerable, total and inevitable, it's a competition in which we users are inventory.

I argue that there is no point in having modern cryptography if you always have a 100% vulnerability through keys, passwords and other technological rudiments.

Once you have entered a password into such a device, you have lost it, and no matter what, you will never know.

What's more, exploited at a new level, software vulnerabilities that allow you to compromise your system without the user being involved (for example, without the victim clicking on a malicious link) are of great interest to scammers.

The experts from Google Project Zero, who have devoted several recent months to studying this issue, are no exception.
We are watching.
On Thursday, January 9, security researcher Samuel Gross from Google Project Zero demonstrated how Apple ID alone can remotely hack an iPhone, access passwords, messages, emails and activate a camera with a microphone in a matter of minutes.

The researcher described his attack method in three separate articles on the Google Project Zero blog. The first one provides technical details on the vulnerability, the second one on the ASLR hacking method, and the third one explains how to remotely execute code on the device under attack bypassing the sandbox.
"The research was mainly motivated by the following question: is it possible to remotely execute code on an iPhone using the remote memory corruption vulnerability alone without using other vulnerabilities and without any interaction with the user? A series of publications on this blog proves that it is indeed possible," Gross said.

What do you think of the traditional security concept after reading this news?
Dabs
January 22, 2020, 02:21:07 PM
 #87

This is a reply to an earlier post in this thread, but still relevant:

I think the problem is that it has not been proven that no efficient algorithm exists to do prime factorization of large numbers, which is what RSA is all about. ECC might be similar or something else entirely since they use smaller numbers.

Many areas of mathematics and computer science have been brought to bear on the problem, including elliptic curves, algebraic number theory, and quantum computing.

An algorithm that efficiently factors an arbitrary integer would render RSA-based public-key cryptography insecure.

That is probably one reason organizations or governments wouldn't use such a system. It may be cracked with a mathematical breakthrough at some future time.

The problem with Vernam class ciphers is distribution of the pad or the keys. If one were to use 256 bit AES and distribute a bunch of keys way in advance to all parties that need it, that would be very close to the effect of a one time pad.

Still, the largest semiprime yet factored is only a 795 bit number, factored in November 2019.

The largest known prime as of January 2020 is more than 24 million digits long.

Before the mid-1970s, all cipher systems were symmetric. Keys were distributed by a secure channel. There are no perfectly secure channels in the real world. There are, at best, only ways to make insecure channels (e.g., couriers, homing pigeons, diplomatic bags, etc.) less insecure: padlocks (between courier wrists and a briefcase), loyalty tests, security investigations, and guns for courier personnel, diplomatic immunity for diplomatic bags, and so forth.

Today, Kerberos exists, and that could be quantum resistant for a long time until a better one has been tried and tested.

What the governments are worried about are any cryptographic breaks that can crack asymmetric encryption faster than brute force. Rubber hose methods work, are cheaper, and that's why it is done.

As for RSA, use 4096 bits. We will know in the news worldwide if and when 1024 and 2048 bits are regularly broken; then we will have plenty of time to migrate to a different system if needed. Much of the internet will get broken otherwise.


As for traditional security, I think it's better than having something completely open. How the new concepts will work is left to be seen, if they are any better in practice.
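The statement in the post above, that an efficient factoring algorithm would render RSA insecure, can be seen on a toy scale. This is an added example, not code from any poster: the 92-bit modulus, the sample message and all function names are constructed for illustration, and textbook RSA without padding is assumed.

```python
import math
import random


def pollard_rho(n: int, seed: int = 1) -> int:
    """Return a non-trivial factor of an odd composite n (Pollard's rho)."""
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n        # tortoise: one step
            y = (y * y + c) % n        # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                     # d == n means this walk failed; retry
            return d


def keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes (no padding; illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)


def private_exponent_from_public(n: int, e: int) -> int:
    """What anyone able to factor n learns: the private exponent d."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed toy key: two Mersenne primes give a 92-bit modulus.
TOY_P, TOY_Q = 2**31 - 1, 2**61 - 1


def demo() -> bytes:
    (n, e), _d = keygen(TOY_P, TOY_Q)
    secret = b"toy secret"                                  # constructed sample
    ciphertext = pow(int.from_bytes(secret, "big"), e, n)
    d = private_exponent_from_public(n, e)                  # uses public data only
    return pow(ciphertext, d, n).to_bytes(len(secret), "big")


if __name__ == "__main__":
    print(demo())
```

The toy modulus falls in well under a second; the 795-bit record and the 2048- and 4096-bit sizes mentioned in the post are what separate this from deployed keys.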

keeee
January 22, 2020, 02:52:19 PM
 #88

Quote from: chaoscoinz
Nobody really knows for sure, but there is one thing you can be sure of, there are quantum computers out there right now as we speak. The ones that we definitely know of are D-Wave Systems quantum computers, which are commercially available and have several big name clients who have purchased a computer from them. There's really nothing to worry about as far as quantum computers go because they are an infant technology and are limited to specific functions only, but the real trouble starts when they gain more general function, that's when you arrive at the realization that the existing encryption is on its way out the door, old news, good bye.

Really, I only knew that one from you. If that was really then it would be amazing somehow because we don't need to worry more. Based on my research most people really don't know if encryption will last or not because no one controls it.

Voland.V
January 23, 2020, 04:04:26 PM
 #89

Quote from: chaoscoinz
Nobody really knows for sure, but there is one thing you can be sure of, there are quantum computers out there right now as we speak. The ones that we definitely know of are D-Wave Systems quantum computers, which are commercially available and have several big name clients who have purchased a computer from them. There's really nothing to worry about as far as quantum computers go because they are an infant technology and are limited to specific functions only, but the real trouble starts when they gain more general function, that's when you arrive at the realization that the existing encryption is on its way out the door, old news, good bye.
Quote from: keeee
Really, I only knew that one from you. If that was really then it would be amazing somehow because we don't need to worry more. Based on my research most people really don't know if encryption will last or not because no one controls it.
-----------------
Information about the existence and use of working quantum computers - can not be publicly available, because in the world there is a global information confrontation, cyberwar.   
And like any war, there are secrets, secret developments.
Why do we always expect to be told everything, informed?
No, of course not.
Here's an example that confirms my speculation:
"Speculation on the subject intensified when NASA published a document on the site, but soon deleted (a copy available to ForkLog) a document with insider information about Google's success in the direction of the existence of a working model of a quantum computer and the company's achievement of "quantum superiority". In the media, the information was replicated by the authoritative British publication The Financial Times.

And it's still unclear why cryptography was separated:
- one cryptography for all of us;
- a second cryptography that we don't have access to.


Commercial cryptography must be based on the same standards around the world.
But state standards for cryptography are much better, they cannot be distributed anywhere, they will only be used within state structures.

And despite the high level of protection of state cryptography, they must be updated every five years (at the algorithmic level).

Then it is even more interesting.

Commercial structures should not have access to this algorithm itself. Thus, it will be possible to apply simultaneously public "commercial" algorithms - for us, simple and naive, and completely different algorithms for the chosen ones.

Of course, skeptics will immediately argue that state secrets are very serious, so the cryptography is different.

My answer to this is this: why, then, at the NIST open competition, which is held on the post quantum encryption systems, starting from 2015, are not accepted systems based on the same principles as modern RSA and ECC?

1. There was no direct threat from quantum computers back then.
2. Even then (2015) leading experts in cryptography warned that no key length would save modern commercial systems if at least one was cracked. This is a hidden explanation of the fact that these systems are afraid not of Shor's algorithm, which only simplifies the complete search for the key, but the achievements of cryptanalysis.
3. Why all ECC patents from Koblitz and Menezes, previously purchased by the NSA, were forgotten without explanation when the results of research by UK mathematicians became known in 2016. This study was ordered by the NSA itself.

Koblitz and Menezes have every reason to consider themselves competent in the field of cryptography on elliptic curves, but they did not hear absolutely anything about new hacking methods that compromised "their" crypto scheme. So everything that happens around ECC amazed mathematicians extremely.
People who have close contacts with this industry know that large corporations that provide cryptographic tasks and equipment for the US government always get some kind of advance warning about changing plans. But in this case there was nothing of the kind.

Even more unexpected was the fact that no one from the NSA addressed the people from NIST (USA), who are responsible for the open cryptographic standards of the state.

The ETSI/IQC International Symposium on Quantum Secure Cryptography (in 2016), from which this story began, has several notable features.
Firstly, it was very solidly represented by the heads of important structures, special services of Great Britain, Canada, Germany. All these national special services are analogues of the American NSA. However, absolutely no one was mentioned explicitly from the NSA. And this, of course, is not an accident.

This event is interesting for the reason that there was a highly unusual report on behalf of the secret British secret service GCHQ (P. Campbell, M. Groves, D. Shepherd, "Soliloquy: A Cautionary Tale"). This is a report from the CESG information security division, which was personally made by Michael Groves, who leads cryptographic research at this intelligence agency.

It must be emphasized here that it is completely uncharacteristic for people from the British special services to talk about their secret developments at open conferences. However, this case was truly exceptional.

The story of the great cryptographer CESG speaking at the public symposium was extremely sparsely covered in the media, and the slides of articles and presentations about Soliloquy can only be found on the Web for those who know very clearly what they are looking for (on the ETSI website, where these files are exclusively found, there are no direct links to them).

Details can be found here, second post dated December 04:
https://bitcointalk.org/index.php?topic=5204368.40.

For these reasons, we conclude that there may be both unknown quantum devices and a secret mathematical apparatus that unambiguously compromises all modern commercial asymmetric cryptography.
Voland.V
January 24, 2020, 05:47:26 PM
 #90

From all the above, we can conclude that humanity lives by faith.
Modern cryptography is not an exception, but a confirmation of this rule.
The concept of encryption will live exactly as long as the absolute majority will trust this assumption.
It should be noted that the absolute majority of people do not understand anything about the problematic issues of modern cryptography and will never understand.
That's the way a person works. If he does not understand something, he does not try to understand it, but looks at people around him, who do not understand it as well as he does. And the herd feeling, the instincts, conquers everything else.
If someone separates himself from the herd and starts doing things differently from the majority, has his own opinion, he will be branded as he wants, no one will go into unpopular discussions about generally accepted things.

Long live modern cryptography, human delusions and herd mentality. In this religious atmosphere of trust, there is no place for reason.   
Voland.V
January 26, 2020, 09:15:08 PM
 #91

Quote from: Dabs
This is a reply to an earlier post in this thread, but still relevant:

The problem with Vernam class ciphers is distribution of the pad or the keys. If one were to use 256 bit AES and distribute a bunch of keys way in advance to all parties that need it, that would be very close to the effect of a one time pad.

-----------
The reliability of a cryptographic system is determined by the reliability of its keys.
It makes no sense to use AES-256 (or a longer key length) to transfer keys - one-time pads, because the key length is equal to the length of the message, and Vernam's encryption reliability will drop to AES reliability.

The problem of generating one-time pads is solved by the technologies mentioned in my previous posts. It makes no sense to transfer a one-time pad using any, even a post (double post) cryptography. If you want to make the most secure of all possible ciphers - the Vernam cipher - then your keys should never and never be transmitted, not even through the channels of quantum cryptography (solving the problem of common key coordination for a symmetric encryption system). It is connected with that fact, quantum communication is communication with the big errors, on small distances, and the quantum channel is easily muffled by hindrances. Besides, it supposes up to 11 % of information leakage. It's a huge drop in reliability relative to Vernam's cipher.

How to create identical one-time pads symmetrically, without necessity of their transfer on communication channels, to create Vernam's cipher, it is solved in technology of keyless ciphering and password-free authentication, in a variant of vector-geometrical model which author I am. We can talk about this topic in detail.
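The argument in this exchange, that a Vernam pad delivered under a shorter key is only as strong as that key, is illustrated below on a toy scale. This is an added example, not code from any poster: it assumes a 16-bit wrapping key and a SHA-256 counter stream as a stand-in for AES so the search finishes quickly, and all names and messages are constructed.

```python
import hashlib
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; stand-in for AES-CTR (assumption, stdlib only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def send_with_wrapped_pad(message: bytes, wrap_key: bytes):
    """Vernam-encrypt with a fresh random pad, then ship the pad under wrap_key."""
    pad = secrets.token_bytes(len(message))
    ciphertext = xor(message, pad)
    wrapped_pad = xor(pad, keystream(wrap_key, len(pad)))
    return ciphertext, wrapped_pad


def search_wrap_key(ciphertext: bytes, wrapped_pad: bytes, key_bits: int = 16):
    """Try every wrapping key; keep candidates that decrypt to printable ASCII."""
    hits = []
    for k in range(2 ** key_bits):
        key = k.to_bytes(2, "big")
        pad = xor(wrapped_pad, keystream(key, len(wrapped_pad)))
        guess = xor(ciphertext, pad)
        if all(32 <= b < 127 for b in guess):
            hits.append((key, guess))
    return hits


def pad_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """With an untransmitted pad, some pad maps the ciphertext to ANY same-length text."""
    return xor(ciphertext, claimed_plaintext)


if __name__ == "__main__":
    msg = b"send 2 BTC to the cold wallet"       # constructed sample message
    key = (0xBEEF).to_bytes(2, "big")            # constructed 16-bit toy key
    ct, wp = send_with_wrapped_pad(msg, key)
    # ciphertext XOR wrapped pad is just the message under the short-key stream:
    print(xor(ct, wp) == xor(msg, keystream(key, len(msg))))
    print(search_wrap_key(ct, wp))
    alt = b"send 9 BTC to the warm wallet"       # equally consistent if pad is unseen
    print(xor(ct, pad_explaining(ct, alt)))
```

The first printed check is the whole point: once the pad travels under a key, the pair (ciphertext, wrapped pad) is equivalent to encrypting the message directly with that key's stream.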
jameshugo17
January 26, 2020, 10:39:17 PM
 #92

Quantum computers will be integrated into the blockchain system. In this case, the existing encryption may change. Because enormous processing powers or super-superchargers may require the system to change. The most important thing for Bitcoin is encryption and speed.

Voland.V
January 27, 2020, 09:50:21 AM
 #93

Quote from: jameshugo17
Quantum computers will be integrated into the blockchain system. In this case, the existing encryption may change. Because enormous processing powers or super-superchargers may require the system to change. The most important thing for Bitcoin is encryption and speed.

What does it mean to introduce quantum computers into a locking system?
As for encryption, I agree, encryption will change. But the existing encryption can only change to some post quantum public key cryptographic system.
The fact is, all post quantum systems require more computing resources than the existing elliptic encryption.
That's why I don't understand how I can increase the speed. After all, today if you buy a cup of coffee for bitcoin, it will become cold while the calculation is done.
How can I increase the speed in the future?
Voland.V
January 27, 2020, 07:53:42 PM
 #94

Quote from: Dabs
This is a reply to an earlier post in this thread, but still relevant:

Still, the largest semiprime yet factored is only a 795 bit number, factored in November 2019.

The largest known prime as of January 2020 is more than 24 million digits long.
You've noticed correctly that this is the most famous example. What I don't like here, or rather a security concern:
1. And what examples do we not know?  What have mathematicians found, whose names do not appear in public publications?
2. It's a crude attack on a 795 bit number, it's a crude force, it's not as effective as cryptanalysis as mathematical solutions, because in the schemes with public and private keys of the whole set of numbers, only prime numbers are involved in the encryption scheme.

If I concealed information that there are mathematical solutions to the problem of factoring and discrete logarithmization, I would contribute in every possible way to the spread of such information.
Voland.V
February 07, 2020, 10:34:16 PM
 #95

Here's another, another example, confirming the failure of modern security systems based on key and password cryptographic protocols.
Obviously, for modern cryptography, including post quantum cryptography, the fact of having a key will level out any cryptography. Fraudsters always scream the keys, not crack the encryption.
We study the news carefully:
-
Officers of the Cyber Police Department of the National Police of Ukraine identified a 25-year-old local resident who had broken into and emptied cryptocurrency wallets.
Crypto wallets, not any others!
According to the press service of the Cyberpolice, the man was a participant in closed forums where he bought logins and passwords from crypto wallets. In addition, he purchased and modified malware to gain unauthorized access to protected logical systems of protection of Internet resources. With its help, the attacker gained access to accounts on cryptocurrency exchanges and withdrew funds.

This is the price for key protection systems - a paradise for scammers, and a fiction for users.

Here's a confirmation:

- During the search of the residence of the case, a laptop, a mobile phone and a computer were seized. A preliminary inspection of the equipment revealed that it contained malware and confidential data related to electronic payment systems, e-mail passwords and keys to cryptocurrency wallets.

Clearly, keyless encryption systems and passwordless authentication, if created, would be more secure than today's.
Voland.V
February 09, 2020, 11:04:51 PM
 #96

Quote:
I read earlier today that it would take approximately 2,500 qubits of quantum processing power to successfully break the encryption of an SHA-256 private key.

Since Google only has a 72 qubit Q-computer, and it has taken a decade to reach this point, then a 2,500 qubit quantum processor appears to be approximately 7 years away.

With that said, this will still likely be a super specific system, so I doubt it would actually be used to identify the links between public and private keys.

Quote:
If that is the case, I highly doubt it would be possible, because algorithms run by quantum computers are totally different, if they tend to break the encryption of bitcoin, they need to use the same algorithm that classical computers use, but with a bigger processing power, but who knows about it, I highly believe that even before a 2,500 qubits of quantum computing power would be invented, quantum computers do already generate a whole new set of encryption that will make it harder for quantum computers itself to break.
---
Quantum computers cannot generate new encryption.
It is just a tool in human hands, not smart machines that can encrypt better than classic, ordinary, modern computers.
But they can decrypt, crack and do cryptoanalysis. Well, at the very least, they can do the whole thing, the brute force attack.
A new encryption, which should be absolutely stable against quantum computers, is now being generated by the best minds of mankind. And new encryption technologies will only work on ordinary computers, on our consumer digital devices.
But the problems of stealing encryption keys, the vulnerabilities that are exploited today, will also be relevant for all new postquantum encryption technologies without exception.
The only global method that eliminates these flaws is the keyless encryption technology that may emerge in the near future.
Voland.V
March 09, 2020, 10:37:42 AM
 #97

Quote from: chaoscoinz
Nobody really knows for sure, but there is one thing you can be sure of, there are quantum computers out there right now as we speak. The ones that we definitely know of are D-Wave Systems quantum computers, which are commercially available and have several big name clients who have purchased a computer from them. There's really nothing to worry about as far as quantum computers go because they are an infant technology and are limited to specific functions only, but the real trouble starts when they gain more general function, that's when you arrive at the realization that the existing encryption is on its way out the door, old news, good bye.
Quote from: keeee
Really, I only knew that one from you. If that was really then it would be amazing somehow because we don't need to worry more. Based on my research most people really don't know if encryption will last or not because no one controls it.
--------------------------
The existing encryption is not under anyone's control.
There is a general consensus, there is certification, there is advertising, it is enough for everyone to be vigilant.
This is used by large companies using their authority to produce products based on publicly available encryption libraries.
Small companies mistakenly think that what big companies have done is 100% correct and they do the same.
And so the whole world is connected by a chain of authoritative opinions, a pyramid from one "guru" to all ordinary people.
This is a system of general trust, on which the security for ordinary users is built.
Very few brave people who understand themselves, make their own conclusions, come to the essence, but make mistakes themselves.

It's good to be able to dig that deep.
And if you're not, if you don't even have time for it, what do you do?
I'm trying to find the answer to that question.

In my opinion, the only thing left to us who have not studied cryptography is to draw conclusions by getting indirect information, namely:
- why is there domestic cryptography and government cryptography?
- why in household cryptography the system of encryption at the level of algorithms is not updated, and in government cryptography it is obligatory?
- why are they so stubbornly searching for replacements for existing systems rather than just increasing the length of the key?

And here's another thing that can happen to those who believe in this general trust system:
- the Swiss government has filed a complaint in a criminal case against the CIA for using a Swiss supplier of encryption equipment to intercept communications from 120 governments over 50 years. The encryption products supplied by Crypto AG contained backdoors allowing the US and German intelligence agencies to easily read encrypted correspondence.

The security system, built on trust, which now exists in the world, seems to have collapsed completely.

Key-based encryption systems will never provide security for the average client, the average user, because it is the keys that will be stolen, this is the easiest way, because encryption algorithms are known and established as a constant.
Voland.V
Full Member

Activity: 210
Merit: 118


March 15, 2020, 09:22:32 AM
 #98

The modern protection system is a modern protocol, a set of instructions on the technologies underlying these protocols.
The main technology underlying the security systems is cryptography.
Cryptography, any system, is built on the methods of using the key, which is used as the instruction needed to configure individual (for this key) encryption algorithms.
Therefore, any protocol based on modern cryptography will always ask you for the key, password, biometric identifiers, which are essentially the same password, password-constant, it cannot be changed.

As soon as you build a system that has a weak link in its foundation - a password or key, so prepare yourself immediately for the fact that scammers will not break you in the forehead, they will look for access to keys and passwords.

Modern cyber crime research, their statistics, reports from companies dealing with this issue, even a Microsoft report - all this clearly shows that keys and passwords are almost always stolen.

Any security system, the most sophisticated and modern, even postquantum ones, if based on passwords or keys, will have a vulnerability in this very weakest link - the key (password).

Only keyless encryption systems will allow to build more reliable security systems.

In password authentication systems - there are passwords, there are digital identifiers. 2FA is a way to combine your permanent digital identifier (e.g. password) and a variable (e.g. code in the SMS that is not repeated anymore). The essence has not changed, the response time of the cheater has changed and the complexity of the attack.

Today, the most reliable system 2FA - is no longer reliable.

Any 2FA - easy to break, especially if the second factor is your smartphone! SMS - much easier to intercept than to find out your master password.

You need the next step, 3FA, 4FA ... - playing cat and mouse, not solving the authentication problem.
Only passwordless authentication, real authentication without a password, not a temporary password like 2FA, is the solution.

For those who trust 2FA, this is the material:

1. scammers have learned to intercept SMS with security codes sent by banks and withdraw all the money that is on the card. Not so long ago this way in Germany cybercriminals pulled off a major operation to steal money from credit cards of hapless users.
It should be noted that 2FA via SMS has already been officially recognized as an insecure authentication method due to unrecoverable vulnerabilities in Signaling System 7 (SS7), which is used by mobile networks to communicate with each other.
A few years ago Positive Technologies specialists showed how SMS is intercepted.

2. In fact, the assumption of inconvenience (and insecurity) was confirmed by Grzegorz Milka, the same speaker from Google. The Register journalists asked him why Google will not enable two-factor authentication by default for all accounts? The answer was usability. "It's about how many users will leave if we force them to use additional security."
That's a good, honest answer.

3. Even before I started studying IT security science, I thought 2FA authentication was a guaranteed way to secure my account and no "these hackers of yours" could, say, steal my internal currency to buy... on your account. But over time, it has been proven by experience that a two factor authentication system can have many vulnerabilities. The code authentication system is very common, used everywhere on various sites and can connect for both primary and secondary login.

4. - bypass rate-limit by changing the IP address...
Many blockages are based on the restriction of receiving requests from IP, which has reached the threshold of a certain number of attempts to make a request. If you change the IP address, you can bypass this restriction. To test this method, simply change your IP using Proxy Server/VPN and you will see if the blocking depends on the IP.

5. - Bypass 2FA by spoofing part of the request from a session of another account...
If a parameter with a specific value is sent to verify the code in the request, try sending the value from another account's request. For example, when sending an OTP code, it verifies the form ID, user ID or cookie that is associated with sending the code. If we apply the data from the account settings where we need to bypass the code-verification (Account 1) to a session of a completely different account (Account 2), get the code and enter it on the second account, we can bypass protection on the first account. After rebooting the 2FA page should disappear. This is like another example.

6. - bypassing 2FA with the "memorization function"...
Many sites that support 2FA authorization have "remember me" functionality. This is useful if the user does not want to enter the 2FA code when logging into the account later. It is important to identify the way that 2FA is "remembered". This can be a cookie, a session/local storage value, or simply attaching 2FA to an IP address.

7. - insufficient censorship of personal data on page 2FA...
When sending an OTP code on a page, censorship is used to protect personal data such as email, phone number, nickname, etc. But this data can be fully disclosed in endpoint APIs and other requests for which we have sufficient rights during the 2FA phase. If this data was not originally known, for example we entered only the login without knowing the phone number, this is considered an "Information Disclosure" vulnerability. Knowing the phone number/email number can be used for subsequent phishing and brute force attacks.

8. - Impact of one of the reports:
Linking to other vulnerabilities, such as the previously sent OAuth misconfiguration #577468, to fully capture the account, overcoming 2FA.
If an attacker has hijacked a user's email, they can try to regain access to the social network account and log on to the account without further verification.
If the attacker once hacked into the victim's account, the attacker can link the social network to the account and log into the account in the future, completely ignoring 2FA and login/password entry.

9. - Everybody is so confident in the reliability of 2FA that they use it for the most demanding operations - from Google authorization (which is instant access to mail, disk, contacts and all the history stored in the cloud) to client-bank systems.

The ability to bypass such a system has already been demonstrated by the Australian researcher Shubham Shah.

In early 2019, Polish researcher Piotr Duszyński made Modlishka reverse proxy available to the public. According to him, this tool can bypass two-factor authentication...

10. - A security breach was discovered by the leading hacker at KnowBe4, Kevin Mitnick. The new exploit allows you to bypass protection with two-factor authentication (2FA). An attacker can direct a user to a fake authentication page, thus gaining access to the login, password, and cookie session.

11. - The "ethical hacker" Kuba Gretzky developed the evilginx tool to bypass two-factor authentication. The system uses social engineering principles, and can be directed against any site.

12. - Two-factor authentication mechanisms are not reliable enough. Shortcomings in the implementation of such mechanisms are found in 77% of online banks.

13. Nothing new, the issue of hacking into the 2FA mechanism was commented by Pavel Durov himself.  The mechanism is simple, here it is:

1. Interception of SMS by various means.

2. Login to your account on a new device or web version of Telegram.

3. Resets two-factor authentication via tied mail.

4. Mail is "opened" by receiving the same sms through the "Forgot Password" button (you will be lucky if the numbers do not match).

5. We enter the mail and enter the code in Telegram.

6. We open all chats, groups and not remote correspondence, except for secret chat rooms (green chat rooms with a lock).


So what are we doing?
We're waiting for 3FA, 4FA... PFA or looking for technology, options for new password-free authentication methods?
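
A server-side check that closes off items 4 and 5 of the post above, as an added example that is not part of the original post: attempts are counted per account and per issued code rather than per IP address, and a code is only ever checked against the account held in the server-side session. The class, its method names and the policy constants are hypothetical.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed policy: wrong guesses allowed per issued code
CODE_TTL = 300     # assumed policy: code lifetime in seconds


class OtpVerifier:
    """Hypothetical server-side OTP check; names are illustrative."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account_id -> {"code", "expires_at", "attempts_left"}

    def issue(self, account_id):
        """Create a fresh 6-digit code bound to exactly one account."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = {
            "code": code,
            "expires_at": self._clock() + CODE_TTL,
            "attempts_left": MAX_ATTEMPTS,
        }
        return code

    def verify(self, session_account_id, submitted_code, client_ip=None):
        """session_account_id must come from the server-side login session,
        never from a request parameter. client_ip is accepted only to show
        that it plays no part in the attempt limit."""
        entry = self._pending.get(session_account_id)
        if entry is None:
            return "no_pending_code"
        if self._clock() > entry["expires_at"]:
            del self._pending[session_account_id]
            return "expired"
        entry["attempts_left"] -= 1
        ok = hmac.compare_digest(entry["code"].encode(), submitted_code.encode())
        if ok or entry["attempts_left"] == 0:
            # Single use on success; on lockout the code is burned and a
            # new one has to be issued before any further guess counts.
            del self._pending[session_account_id]
        if ok:
            return "ok"
        return "wrong_code" if entry["attempts_left"] > 0 else "locked"
```
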
Voland.V
Full Member

Activity: 210
Merit: 118


March 26, 2020, 10:34:05 AM
 #99

In addition, we can say that the interfaces of programs that attack two-factor authentication are very much simplified. They are getting bigger and bigger and more accessible.
Be vigilant, especially if you are using this obsolete mechanism.
Voland.V
Full Member

Activity: 210
Merit: 118


April 12, 2020, 08:45:46 AM
 #100

Cloud vaults break like nuts.
Who needs this protection if the cryptography on the keys is only opened with the key, no matter who brought the key?
Here are the consequences, according to court documents published by the NSO Group, Facebook intended to purchase Pegasus, a spyware product capable of extracting user data from Apple, Google, Facebook, Amazon and Microsoft cloud storage. The data is being exported, giving software operators access to confidential user data. The data collected includes... that's where three dots are best, because there's not much to steal, there's enough keys and passwords. The rest is that you've already put everything in the box that's already got the key.

The danger of modern cryptography on keys is that it gives an imaginary security, you feel free, and then the vase is cracked, all your secrets and private data.

Key cryptography as well as password authentication are the rudiments of the 20th century, temporarily living in the 21st century.