How storing passwords let hackers bypass two factor authentication

Captions
A month ago my computer got compromised by me clicking on what I thought was a document but was actually an executable, basically a social engineering attack. I realized my mistake within minutes and started changing all my passwords, but not before the hackers were able to hijack my YouTube account. Now, with Google's help I was able to get it back 6 hours later, but the experience wasn't fun. So with that computer compromised, I had to reinstall Windows, and I also started using two-factor authentication to prevent that sort of problem in the future.

But even with two-factor authentication turned on with my phone, my main YouTube channel got hacked again 4 weeks later. I don't know how it got in this time. I suspect my old PC, which I hadn't reinstalled 'cause it was off at the time of the last incident, but that one hadn't been reinstalled in 5 years, so who knows. But this time I already knew how to contact Google for a hijacked account, so I started that process right away, but it being a Saturday night, there were fewer people at work at Google, so it took much longer for them to respond. So it was actually 8 hours before I got the channel back, and that was at 3:00 a.m. in the morning, Sunday morning.

So what do I do now, and how did the hackers get around my two-factor authentication? Well, the type of attack that's typically used for this sort of thing is called a session hijacking attack, where the hacker uses malicious code that they can somehow run on your computer to copy all of your browser session data and cookies and such, so that if you're logged in, they can basically just copy that, and then they're logged in on their computer and have control over whatever you have control over.

But then how were they able to bypass two-factor authentication to lock me out? Well, that turns out to be quite easy: they just turn off two-factor authentication, like this. My password is already filled in by my browser, so I just turn it off, which makes two-factor authentication really pointless. Now, it seems pretty stupid I should be able to turn it off without my phone, but, well, what if I lost my phone? I still need to be able to get rid of it, right? So I guess it does make some sense. But you do need the password to turn off two-factor authentication, so how did the hackers get that? Well, that was my mistake, because I had Firefox store the passwords for me, so when they copied everything that was in Firefox, they got that too. So they had the password.

But there's also a lot that Google could have done to prevent this. I mean, if somebody suddenly shows up from a different IP address with the same session, then turns off two-factor authentication, changes the password, adds all kinds of other security stuff and then rebrands the channel, it's like, uh, that might be a few red flags to notice something is amiss, if you're looking for that. And at that point all they'd have to do is just suspend the channel for a day to see if the original owner contacts them, and something as simple as that would just make this whole hack unprofitable, because they would never be able to exploit what they just did.

But what can I do on my end to make this sort of thing less likely to succeed? Well, not storing the passwords in Firefox is an obvious one, and using some kind of third-party password manager like LastPass or 1Password or Bitwarden would have probably helped a lot. But I'm not so sure about, like, passing all my passwords to some third-party company that'll manage it for me, because my trust in that is not so high. So I decided that I was just going to keep the passwords in an encrypted file on my computer like I've always been, but, uh, in addition to that, I actually shouldn't be opening that file very often, so I made this little card that's got my passwords on it that I keep by the computer so I can type them in, and I changed the passwords so that they're easier to type, so I don't mind having to type them in from time to time. And this card with my passwords on it, that's actually not my actual passwords, and the one that I do keep, which I may take with me when I travel, it doesn't say what the passwords are for, and it's actually not the actual password but a slight permutation on the password, so if somebody finds this card it's not going to be of much use to them.

Now, I'll still let my browser remember the login session because I don't want to have to log in all the time, so a hijacker could still steal the session, but without the password they won't be able to change the password or change the authentication methods, and once I spot something is happening I'll be able to boot them out by just changing the password. At least that's the theory.

But I do wonder about these password managers. I'm sure the people who make them make sure they're as hard to hack as possible, but if a hacker can run malicious code on your computer, they can do pretty much anything that you can do on your computer, which means they could potentially hijack your password manager, and at that point they have the passwords in your password manager and you don't, and that's a scary thought. But if a hacker is able to run malicious code on your computer and you don't know it, they could potentially keylog and watch what you do to get into various sites, which means they could still get in because they could just watch you do it. So then, well, what if I use one of those USB encryption keys that plug into my computer? They wouldn't have that piece. But if they can control your computer, they could just log in on your computer and basically use the security key to take care of things like getting rid of the security key, so you're still screwed if they can control your computer.

In the meantime, I have a credit card with just a 16-digit code on there, and at most 12 of those digits are unique to me, plus a three-digit code on the back and the expiration date. I mean, and that's used for financial transactions. I mean, that's security-wise completely unworkable, right? Okay, fraud is a problem, but somehow the banks manage to keep it to a manageable level, and they do that by carefully examining all the transactions and looking for suspicious patterns. But that approach, I think, requires real eyeballs looking at things so that you don't have false alarms disabling things all the time, and of course that costs money, and for social media companies that's just too much right now. But I think in tech we get lulled into a false sense of security by having long unguessable passwords and 256-bit encryption that is infeasible to crack, but what's the use of having a super secure front door lock if the thief can just get into your house in a different way? And that's what's happening.

Okay, now if you're still watching this on my second channel, chances are you're subscribed to my main channel as well, so do check if you're still subscribed on that one, because if by any chance on January 29th or February 24th you unsubscribed from some crypto scam channel, well, that would have been my channel while it was hijacked. And I lost about 10,000 subscribers that way, which compared to the 1.7 million subscribers I have doesn't seem like much, but the thing is most of those 1.7 million subscribers never look at any of my videos. I typically only get about 100,000 views from subscribers on a new video, and those 10,000 people that unsubscribed, those are actually people that watch your subscription feed, otherwise they wouldn't have unsubscribed when they saw the scam video. So having lost 10,000 subs is a more substantial hit than it seems that way. So do go check if you're subscribed to the main channel, because if you're an active subscriber like that you may be subscribed to this channel as well and maybe watch this video to the end, which means there's a good chance that you're one of those people that unsubscribed from my main channel not knowing that it was my channel rebranded by some crypto scammer. So I hope this'll get some of the subscribers back, but of course most people don't watch videos to the end, but oh well.

So this is the old 2012 PC that I was using casually while the second attack happened, so this one is suspect, and I've just reinstalled Windows on it, which is kind of tricky because, being so old, it can't boot off of USB and the install media no longer fits on a DVD, so I actually had to put the installer on a separate hard drive and then install it off of one hard drive onto another. But at the same time I also bought this refurbished PC, which is 2017 vintage, cost $300 Canadian. That's 1/5th the cost of my fancy new PC I bought in 2020, and it's about 3/4 the speed of that one, so not a bad deal. So that makes me question the whole idea of buying a new PC, because this one was so much better of a deal.

Info
Channel: Matthias random stuff
Views: 73,647
Id: bfLGfIzp9SE
Length: 8min 28sec (508 seconds)
Published: Sat Mar 02 2024