Microsoft’s Azure MFA Down Twice in Two Weeks - Monthly Mobile Identity Roundup for November

December 5, 2018
4 minutes read
Category: Mobile Identity
Author: IPification Team

We are back with roundups - but we are changing it up a bit. Instead of going at it weekly, we will now be publishing monthly installments - to bring you content more closely related to mobile authentication and mobile identity space.

We will start you off with the two-time authentication failure Microsoft experienced, move on to some bad SIM swapping & 2FA news for both mobile operators and users, then not one, but two Amazon security scandals, gaming industry security innovations and finally end the roundup with an analysis of security measures of the Top 10 e-commerce websites.

Microsoft’s Azure MFA down twice in two weeks

On November 19, users couldn’t access their Microsoft Azure and Office 365 accounts for most of the day because of a global issue with multi-factor authentication. Users didn’t receive prompts on their mobile devices and couldn’t access the services.

After deploying a hotfix, Microsoft posted an update saying that a recent update to improve connections to caching services for the MFA service brought on the issue.

However, six days later the MFA service went down again further proving that while MFA is significantly more secure than the username and password login & 2FA, sometimes it is too effective!

SIM Hijacking Leads to Lawsuits

With SIM hijacking on the rise, it was only a matter of time before telecom providers would get sued.

Leading American cryptocurrency investor law firm, Silver Miller, announced that it has filed lawsuits against AT&T and T-Mobile on behalf of their clients who were robbed of their crypto assets via SIM swapping attacks.

They are being sued for security inefficiencies and failing to train and monitor their employees which all assisted the criminals in SIM hijacking that ultimately led to the theft of their digital assets.

One of the clients lost $621,000 in cryptocurrency in the theft even after AT&T had allegedly boosted security on their account after an earlier theft attempt.

It is clear that mobile operators should look into better authentication solutions to be able to provide better security for their users, but also protect themselves.

To learn more about SIM hijacking - read this piece by our founder Harry Cheung.

Massive Leak of 2FA Codes

A server hosting a database containing tens of millions of text messages, among which are password reset links, 2FA codes, shipping notifications, and more, has been exposed due to a security lapse.

The exposed server belongs to Voxox, a California communications company who failed to protect it with a password, meaning that anyone who knew where to look had plenty to see in near-real time.

An everyday user might not think twice about what happens in the background of 2FA solutions, but it is companies like Voxox that act as middlemen between the app that is trying to authorize a user and telecom companies that verify the user’s phone number or send the code.

The database is now offline, but it is important to note that when it was taken down, it contained over 26 million text messages, including 2FA codes and password reset links!

Amazon Email Breach & Biometric Data Sales

Amazon had a tough month. In addition to their insistence on selling facial recognition technology to the police and other government bodies, it seems that a security breach that has exposed user emails has also happened.

They do not show any intention of stopping their marketing and sales of biometric data, or facial recognition technology to be more specific, to different law enforcement agencies and other government bodies.

A transcript of an internal meeting reports that employees were against this practice, but that Amazon CEO Jeff Bezos and Web Service Head Andy Jessy insist that it would continue because they believe in the value they provide to these agencies and bodies.

Amazon keeps referring to a case study from Marinus Analytics that highlighted the use of its facial recognition in tracking victims of human trafficking and sexual exploitation.

However, biometric data sales just show how this type of authentication can hurt the privacy of the users!

As for the security breach, users received an odd email notifying them about the occurrence a few days before Black Friday. The message itself had barely any details besides the notification.

It said, “We're contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action."

Adding to the mystery of the email is the signature saying “Customer Service” with an HTTP (instead of HTTPS) Amazon URL.

The users are advised to turn on 2FA if they haven’t yet. While we can’t argue that it’s more secure to have it on than off if you load any security news webpage, you will see that it is not a good enough solution in 2018.  

Rainbow Six Siege and Fortnite Turn to 2FA

If you want to play ranked matches in Rainbow Six Siege on PC, you will now have to enable two-factor authentication for your account, while other modes of play will remain the same.

It’s a big question whether the company’s move to cut down on cheaters, third parties that raise other players’ ranks for money and high-level players who make new accounts to play against less experienced players will be effective since an unlimited amount of Uplay accounts can be added to the same authentication device. But, that’s not all as far as gaming goes.

The immensely popular game, Fortnite released a major update with a new feature that will enable the player to send gifts to their friends, except on iOS devices due to Apple’s policies.

In the item shop, the player will now have the option to ‘buy a gift’ that Fortnite will even wrap in a bow and allow them to add custom messages if they wish. Perfect for the holiday season!

To be able to buy a gift, you first need to have 2FA enabled on your account. After logging in through 2FA, the feature will be available.

Going into 2FA direction is certainly a good move to secure gaming aficionados. However, with all the recent cyber breaches and SIM swapping incidents, the question of whether this is safe enough has to be posed.

How Top Retailers are Rated When it Comes to Security

Holiday season having started, LastPass tested the top 10 e-commerce websites based on sales to see who would end up on the Nice and who would end up on the Naughty list security-wise.

The nicest, i.e. the safest websites for online shopping were Apple, Best Buy, The Home Depot, Amazon and Qurate Retail Group.

In contrast, Costco, Macy’s, eBay, Walmart, and Wayfair ended up on the naughty list.

It’s important to note, though, that only two of the top ten, Apple and Amazon, use 2FA. While definitely not the safest technology, it is still better to have it than rely on simple email and password login, or even worse, logging in through social media.

In the age when SIM swapping occurs regularly, and when Facebook is facing various data exposing scandals, e-commerce websites should explore other options