dangoodin,

Serious question: Is an OTP token the same as an OTP?

GuillaumeRossolini,
skarra,

@dangoodin I think that's what they mean here.

SteveBellovin (@SteveBellovin@mastodon.lawprofs.org),

@dangoodin If the latter usage is “one-time pad”, no—by definition, one-time pads cannot be algorithmically generated, whereas the values displayed by tokens are.

spad (@spad@linuxserver.io),

@dangoodin The terminology is a mess. An OTP token could be referring to a given one-time password, or the physical token (though typically now phone app), or it could be referring to the OTP seed that's used by the app/hardware (and auth backend) to generate the codes.

fanf (@fanf@mendeddrum.org),

@dangoodin the token is the secret that is used to generate each one-time-password

loss of an OTP might compromise one login; loss of the token compromises all future logins (until it is revoked)

dangoodin,

The context for my question:

"The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code.

The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device. Google recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud. As Hacker News noted, this is highly insecure, since if your Google account is compromised, so now are your MFA codes."

https://retool.com/blog/mfa-isnt-mfa/

otte_homan (@otte_homan@theblower.au),

@dangoodin it's the usual "security vs laziness" tradeoff.

elijah,

@dangoodin I think it's a mis-statement. What they provided was most likely a 'backup code' - a series of HOTP codes generated for use when a TOTP, push, or other MFA option is unavailable.
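An added worked example, not code from any poster in this thread, to make concrete the distinction fanf draws (one leaked code vs. a leaked seed) and the "backup code" strip elijah describes. It implements RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library; the seed is the constructed 20-byte test-vector secret from those RFCs, and the timestamps and counters are constructed too.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the 20-byte ASCII secret used by the RFC 4226 / RFC 6238
# test vectors. A real seed is random and shared only between the app and the auth backend.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: a code is accepted only in its own time window (plus `skew`
    neighbouring windows to tolerate clock drift). Comparison is constant-time."""
    current = unix_time // step
    windows = range(current - skew, current + skew + 1)
    return any(hmac.compare_digest(hotp(seed, w, digits), code) for w in windows)


def backup_codes(seed: bytes, start_counter: int, count: int = 5, digits: int = 8) -> list:
    """Constructed illustration of a printed backup strip: consecutive HOTP values.
    Each entry is still a single-use code derived from the seed, not the seed itself."""
    return [hotp(seed, c, digits) for c in range(start_counter, start_counter + count)]


def exposure_comparison(seed: bytes, leaked_at: int, later: int) -> dict:
    """Contrast the two losses fanf describes: one shared code vs. the seed behind it."""
    leaked_code = totp(seed, leaked_at)
    return {
        # the code read out at `leaked_at` is accepted at that moment ...
        "leaked_code_valid_when_shared": verify_totp(seed, leaked_code, leaked_at),
        # ... but is rejected once its window (and the skew allowance) has passed
        "leaked_code_valid_later": verify_totp(seed, leaked_code, later),
        # whoever holds the seed can compute the correct code for any future moment
        "seed_holder_valid_later": verify_totp(seed, totp(seed, later), later),
    }


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SEED, 0))                      # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(DEMO_SEED, 59, digits=8))  # 94287082 per RFC 6238
    print(exposure_comparison(DEMO_SEED, leaked_at=59, later=250))
```

Running it shows the asymmetry behind the thread's question: the single code handed over on a call only works for about a minute of wall-clock time, whereas knowledge of the seed reproduces every future code until the backend revokes it, which is why the seed (and any cloud backup of it) is the asset worth protecting.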

dangoodin,

Some of y'all are speculating that by "OTP token" the disclosure author meant the secret seed used to generate OTPs. If that's the case, how would anyone communicate the seed in a phone call?

kboyd (@kboyd@phpc.social),

@dangoodin very precise whistling

cy (@cy@chaos.social),

@dangoodin my guess: they gave away one of the backup codes.

spad (@spad@linuxserver.io),

@dangoodin seems much more likely it was just a valid OTP that allowed them to establish a login session and then keep it active.

GuillaumeRossolini,

@dangoodin there is no way anyone would successfully give the seed away

Either the person is slightly technical, and they know its significance

Or they aren’t, and they have no clue where to find it, let alone share it

In both cases, the entire process has to feel convoluted and not right

jhaar,

@dangoodin "one additional token" just means helpdesk was convinced to hand over TWO valid OTK tokens. First got the hacker logged in and the second was needed for the hacker to add a new MFA token to that account. No need to hand over token seeds.

dangoodin,

@jhaar OKT as in Okta?

jhaar,

@dangoodin OTK == One Time Key. e.g. TOTP, SMS txts auth, etc.

mikey (@mikey@friendsofdesoto.social),

@dangoodin In the context of this article it seems to me they mean that the one time password was shared. This allowed the threat actor to login as the user and restore the TOTP seeds from the cloud backup in Google. This was part of the issue, as the primary purpose of those seeds is they are not shared and distributed.

mikey (@mikey@friendsofdesoto.social),

@dangoodin It sounds like a standard social engineering attack of "I just need to verify your account, give me the OTP code from your authenticator." And they quickly logged in and added their device as a trusted device before the code expired.

Once it was trusted, they restored the authenticator app settings and got all the seeds with it, so they didn't need the user any longer to gain further access.

mikethefifth (@mikethefifth@social.lol),

@dangoodin token, meaning the physical item, i.e. a security key? That’s at least how I would think of it. It would be used to generate the needed OTP.
