Moving to secure 2FA on the blockchain

SMS is the most popular two-factor authentication (2FA) method. It is used by banks, electronic and crypto wallets, mailboxes and every kind of service; its share among users approaches 100%.

This situation annoys me, because the method is not secure. Re-issuing a number from one SIM card to another dates back to the early days of mobile telephony: that is how a number is restored when a SIM card is lost. "Digital theft specialists" realised that the "re-issue SIM card" option could be used in fraud schemes. After all, whoever controls the SIM card controls other people's online banking, electronic wallets and even cryptocurrency. And you can take over someone's number by bribing a telecom employee, by social engineering or with forged documents.

Thousands of SIM swap incidents, as this fraud scheme is called, have been recorded. The scale of the problem suggests the world should soon abandon 2FA over SMS. But that is not happening: studies say that it is not users who choose the 2FA method, but service providers.

We propose a more secure 2FA method, with one-time codes delivered over a blockchain, and we explain how a service provider can integrate it.

The damage runs into the millions

In 2019, SIM swap fraud grew by 63% according to the London police, and the attacker's "average bill" was 4,000 GBP. I found no statistics for Russia, but I suspect they are even worse.

SIM swapping is used to steal popular Twitter, Instagram, Facebook and VK accounts, bank accounts, and recently even cryptocurrency, as The Times reported citing Bitcoin entrepreneur Joby Weeks. High-profile cases of cryptocurrency theft via SIM swapping began appearing in the press in 2016; 2019 saw a real peak.

In May, the US Attorney's Office for the Eastern District of Michigan charged nine young people aged 19 to 26, believed to be members of a hacker group called "The Community". The group is charged with seven swap attacks, in which the hackers stole more than $2.4 million in cryptocurrency. And in April, California student Joel Ortiz received a 10-year prison sentence for SIM swapping; his haul was $7.5 million in cryptocurrency.

Photo: Joel Ortiz at a university press conference. Two years later he would be detained for cyber fraud.

How SIM swapping works

"Swapping" means exchanging. In every scheme of this kind, criminals take over the victim's phone number, usually by re-issuing the SIM card, and use it to reset passwords. In theory a typical SIM swap looks like this:

  1. Reconnaissance. The fraudsters find out the victim's personal details: name and phone number. These can be found in open sources (social networks, friends) or obtained from an accomplice who works for the mobile operator.
  2. Blocking. The victim's SIM card is deactivated; for this it is enough to call the operator's technical support, give the number and say that the phone has been lost.
  3. Takeover: transferring the number to the attacker's own SIM card. Usually this is done through an accomplice at the telecom company or with forged documents.

In reality things are even worse. The attackers pick a victim and then track the phone's location continuously; a single request that reveals the subscriber has gone abroad costs 1-2 cents. As soon as the SIM owner leaves the country, they arrange with a manager at a mobile operator's shop to issue a new SIM card. This costs about $50 (I found figures for different countries and operators ranging from $20 to $100), and in the worst case the manager is fired; there is no other liability.

Now all SMS messages arrive at the attackers, and the phone's owner can do nothing about it: they are abroad. The criminals then gain access to all the victim's accounts and change the passwords as they please.

Chances of recovering stolen assets

Banks sometimes meet victims halfway and return the money to their accounts. So fiat money can be recovered even if the criminal is never found. With cryptocurrency wallets everything is more complicated, both technically and legally. So far, not a single exchange or wallet has compensated victims of SIM swapping.

If victims want to defend their money in court, they go after the operator: it created the conditions for theft from the accounts. That is what Michael Terpin did after losing cryptocurrency in a SIM swap; he is now suing the telecom operator AT&T for $224 million.

So far, no state has a working mechanism to protect cryptocurrency owners legally. You cannot insure your capital or receive compensation for losing it. So preventing a swap attack is easier than dealing with its consequences. The most obvious way is to use a stronger "second factor" for 2FA.

SIM swapping is not the only problem with SMS 2FA

Verification codes in SMS are insecure from a technical standpoint too. Messages can be intercepted through vulnerabilities in Signalling System 7 (SS7). SMS 2FA has officially been recognised as weak: the US National Institute of Standards and Technology classifies out-of-band authentication over the public telephone network (SMS or voice) as "restricted" in its Digital Identity Guidelines (SP 800-63B).

At the same time, having 2FA often gives users a false sense of security, and they choose a simpler password. So this kind of verification does not make it harder for an attacker to get into the account; it makes it easier.

And SMS often arrives with a long delay, or not at all.

Other 2FA methods

Of course, the world does not revolve around phones and SMS. There are other 2FA methods. For example, one-time TAN codes: an early method, but it works, and some banks still use it. There are systems that use biometrics: fingerprints, retina scans. An option that looks like a reasonable compromise between convenience, reliability and cost is a dedicated 2FA app or token: RSA tokens, Google Authenticator. There are also hardware keys and other methods.

In theory everything looks logical and reliable. But in practice, current 2FA methods have problems, and because of them reality differs from expectations.

According to research, using 2FA is inconvenient in principle, and the popular SMS 2FA is described as "less inconvenient compared with other methods": receiving one-time codes is understandable to the user.

Users associate many 2FA methods with the fear of losing access. A hardware key or a list of TAN passwords can be lost or stolen. I personally had a bad experience with Google Authenticator. My first phone with this app broke, and thanks to that I had to work hard to restore access to my accounts. Another problem is moving to a new device. Google Authenticator has no export option, for security reasons (if keys can be exported, what security is there?). Once I transferred the keys manually, and then decided it was easier to leave the old phone in a box on a shelf.

A 2FA method should be:

  • Secure: only you, and not attackers, get access to your account
  • Reliable: you get access to your account whenever you need it
  • Convenient and accessible: using 2FA is clear and takes little time
  • Cheap

We believe the blockchain is a good fit.

Using 2FA on the blockchain

For the user, 2FA on the blockchain looks like receiving one-time codes by SMS. The only difference is the delivery channel. How the 2FA code is received depends on what the blockchain offers. In our project (described in my profile) these are the Web, Tor, iOS, Android, Linux, Windows and macOS apps.

The service generates a one-time code and sends it to the messenger on the blockchain. Then the classic path: the user enters the received code in the service's form and logs in.

In the article "How does a decentralized messenger work on the blockchain?" I wrote that the blockchain ensures the security and privacy of messaging. For the case of sending 2FA codes, I would highlight:

  • One click to create an account; no phone number or email.
  • All messages with 2FA codes are end-to-end encrypted with curve25519xsalsa20poly1305 (the NaCl box construction).
  • MITM attacks are ruled out: every message with a 2FA code is a transaction on the blockchain, signed with the sender's Ed25519 (EdDSA) key, so it cannot be forged or altered in transit.
  • The message with the 2FA code is recorded in a block. The sequence and timestamps of blocks cannot be altered, and therefore neither can the order of messages.
  • There is no central structure that checks the "authenticity" of a message. This is done by a distributed system of nodes based on consensus, and the nodes belong to the users.
  • It cannot be switched off: accounts cannot be blocked and messages cannot be deleted.
  • Access to 2FA codes from any device at any time.
  • Guaranteed delivery of the message with the 2FA code: once the transaction is in a block, the service that sent the one-time password knows for certain that it is available to the recipient. No "Resend" buttons.

To compare with other 2FA methods, I made a table:

[Comparison table of 2FA methods; in the original it is an image]

The user gets an account in the blockchain messenger for receiving codes in seconds; only the passphrase is used to log in. So the usage scenarios can vary: you can use one account to receive codes for all services, or create a separate account for each service.

There is one inconvenience: the account must have at least one transaction. For the user to receive an encrypted message with a code, the sender must know the user's public key, and it appears in the blockchain only with the account's first transaction. Here is how we worked around this: we let users receive free tokens to their wallet. However, a better solution would be to make the account name the public key itself. (For comparison, our account number U1467838112172792705 is derived from the public key cc1ca549413b942029c4742a6e6ed69767c325f8d989f7e4b71ad82a164c2ada. For a messenger the short form is more convenient and readable, but for a 2FA code delivery system it is limiting.) I expect that in the future someone will make that decision and move "Convenience and accessibility" into the green zone.

The cost of sending a 2FA code is very low: 0.001 ADM, currently about 0.00001 USD. You can also deploy your own blockchain and make the cost zero.

How to integrate 2FA on the blockchain into your service

I hope I have managed to interest a few readers in adding blockchain-based authentication to their services.

I'll explain how to do it using our messenger as an example; by analogy you can use another blockchain. In the 2FA demo app we use PostgreSQL 10 to store account data.

Integration steps:

  1. Create an account on the blockchain from which you will send the 2FA codes. You receive a passphrase, from which the private key used to encrypt the messages with codes and to sign transactions is derived.
  2. Add a script to your server that generates 2FA codes. If you already use any 2FA method with one-time password delivery, you have already completed this step.
  3. Add a script to your server that sends the codes to the user in the blockchain messenger.
  4. Build the user interface for requesting and entering the 2FA code. If you already use any 2FA method with one-time password delivery, this step is also done.

1 Creating an account

Creating an account in the blockchain means generating a private key, a public key and the account address derived from them.

First a BIP39 passphrase is generated, and a SHA-256 hash is computed from the seed that BIP39 derives from it. The hash is used as the seed for the Ed25519 private key ks and public key kp. From the public key, again with SHA-256, the first 8 bytes of the digest are taken in reverse order and read as a number; that number is the address in the blockchain.

If you want to send 2FA codes from a new account every time, you will need the account-creation code on the server:

import Mnemonic from 'bitcore-mnemonic'
// Generate a BIP39 passphrase; this string is the only secret the account owner keeps
this.passphrase = new Mnemonic(Mnemonic.Words.ENGLISH).toString()

…

import * as bip39 from 'bip39'
import crypto from 'crypto'

// SHA-256 over the 64-byte BIP39 seed; the 32-byte digest is the Ed25519 seed
adamant.createPassphraseHash = function (passphrase) {
  const seedHex = bip39.mnemonicToSeedSync(passphrase).toString('hex')
  return crypto.createHash('sha256').update(seedHex, 'hex').digest()
}

…

import sodium from 'sodium-browserify-tweetnacl'

// Deterministic Ed25519 keypair from the 32-byte hash
adamant.makeKeypair = function (hash) {
  var keypair = sodium.crypto_sign_seed_keypair(hash)
  return {
    publicKey: keypair.publicKey,
    privateKey: keypair.secretKey
  }
}

…

import crypto from 'crypto'
import bignum from 'bignum' // the original snippet used bignum without importing it (assumed: the npm bignum package, which has fromBuffer)

// Address = 'U' + first 8 bytes of SHA-256(publicKey), byte-reversed, as a decimal number
adamant.getAddressFromPublicKey = function (publicKey) {
  const publicKeyHash = crypto.createHash('sha256').update(publicKey, 'hex').digest()
  const temp = Buffer.alloc(8)
  for (var i = 0; i < 8; i++) {
    temp[i] = publicKeyHash[7 - i]
  }
  return 'U' + bignum.fromBuffer(temp).toString()
}

In the demo app we simplified this: we created one account in the web app and send codes from it. In most cases this is also more convenient for the user: they know that the service sends 2FA codes from a specific account and can give it a name.

2 Generating 2FA codes

A 2FA code must be generated for every user login. We use the speakeasy library, but you can choose any other.

// counter: the per-user HOTP counter stored with the account;
// secret: the per-user secret as an ASCII string (speakeasy's default encoding)
const hotp = speakeasy.hotp({
  counter,
  secret: account.seSecretAscii,
});

Checking the 2FA code entered by the user:

// token must be the value the user typed, not the code we generated;
// after a successful check, advance the stored counter so the same code cannot be replayed
se2faVerified = speakeasy.hotp.verify({
  counter: this.seCounter,
  secret: this.seSecretAscii,
  token: userToken,
});

3 Sending the 2FA code

To send the 2FA code you can use the blockchain node's API, the JS API library, or the console. In this example we use the console: the ADAMANT Console (adm), a command-line interface tool that simplifies interaction with the blockchain. To send a message with the 2FA code, use the console's send message command.

const util = require('util');
// execFile passes arguments directly, without a shell, so an address or code
// containing shell metacharacters cannot turn into command injection
const execFile = util.promisify(require('child_process').execFile);

…

// Reject anything that is not an ADAMANT address ('U' + decimal number) before it reaches the console
if (!/^U\d{1,20}$/.test(adamantAddress)) throw new Error('invalid ADAMANT address');
const { stdout, stderr } = await execFile('adm', ['send', 'message', adamantAddress, `2FA code: ${hotp}`]);

An alternative way to send messages is the send method of the JS API library.

4 User interface

The user needs a way to enter the 2FA code; this can be done in different ways depending on your application's platform. In our example it is Vue.

The source code of the two-factor blockchain authentication app is available on GitHub. The Readme contains a link to a live demo where you can try it.

source: www.habr.com