Switching to secure 2FA on the blockchain

SMS messages are the most popular method of two-factor authentication (2FA). They are used by banks, electronic and crypto wallets, mailboxes and services of every kind; the share of users of this method is approaching 100%.

This state of affairs annoys me, because the method is not secure. Reassigning a number from one SIM card to another appeared at the dawn of the mobile era - it is the way a number is restored when a SIM card is lost. "Digital money theft specialists" realized that the "reissue a SIM card" option can be used in fraud schemes. After all, whoever controls the SIM card can control other people's online banking, electronic wallets, and even cryptocurrency. And someone else's number can be taken over by bribing a mobile operator's employee, through deception or with forged documents.

Thousands of episodes of SIM swapping, as this fraud scheme is called, have been exposed. The scale of the disaster suggests that the world should soon abandon 2FA via SMS. But this is not happening - according to research it is not the users who choose the 2FA method, but the service owners.

We propose using a more secure 2FA method, delivering one-time codes over the blockchain, and we will explain how a service owner can integrate it.

The count goes into the millions

In 2019, SIM swap fraud grew by 63% according to the London police, and an attacker's "average bill" was 4,300 GBP. I did not find any figures for Russia, but I assume they are even worse.

SIM swapping is used to hijack popular Twitter, Instagram, Facebook and VK accounts, bank accounts, and recently even cryptocurrencies - as The Times reports, citing Bitcoin entrepreneur Joby Weeks. High-profile cases of cryptocurrency theft through SIM swapping have been appearing in the press since 2016; 2019 saw a real peak.

In May, the U.S. Attorney's Office for the Eastern District of Michigan charged nine young people aged 19 to 26: they are believed to be part of a hacker group called "The Community". The group is charged with seven swaps, as a result of which the criminals stole cryptocurrency worth more than $2.4 million. And in April, California student Joel Ortiz received ten years in prison for SIM swapping; his haul was $10 million in cryptocurrencies.

Photo: Joel Ortiz at a university press conference. Two years later he would be imprisoned for cybercrime.

How SIM swapping works

"Swapping" means exchange. In all such schemes, criminals take over the victim's phone number, most often by having the SIM card reissued, and use it to reset passwords. In theory, a typical SIM swap looks like this:

  1. Reconnaissance. The fraudsters learn the victim's personal data: name and phone number. These can be found in open sources (social networks, friends) or obtained from an accomplice, an employee of the mobile operator.
  2. Blocking. The victim's SIM card is blocked; for this it is enough to call the operator's technical support, give the number and say that the phone was lost.
  3. Capture: the number is transferred to the attacker's own SIM card. Usually this is also done through an accomplice at the mobile company or with forged documents.

In real life things are even tougher. The attackers pick a victim and then track the phone's location day after day - one request for information on whether a subscriber has switched to roaming costs 1-2 cents. As soon as the SIM card owner goes abroad, they arrange with a manager at a mobile store to issue a new SIM card. It costs about fifty dollars (I found figures from $20 to $50 for different countries and operators), and in the worst case the manager gets fired - there is no liability for this.

Now all SMS messages are received by the attackers, and the phone's owner cannot do anything about it - he is abroad. The villains then get access to all of the victim's accounts and change passwords where needed.

Chances of recovering what was stolen

Banks sometimes meet victims halfway and return the money to their accounts. So fiat money can be recovered even if the criminal is never found. With cryptocurrency wallets everything is far more complicated, both technically and legally. So far not a single exchange or wallet has paid compensation to a swapping victim.

If victims want to defend their money in court, they sue the operator: it created the conditions for the theft of money from the account. That is exactly what Michael Terpin did, who lost $224 million to swapping.

So far no state has working schemes for the legal protection of crypto-asset owners. You cannot insure your funds or receive compensation for their loss. Preventing a swapping attack is therefore easier than dealing with its consequences. The obvious way is to use a more reliable "second factor" for 2FA.

SIM swap is not the only problem with 2FA via SMS

Confirmation codes in SMS are also insecure on the technical side. Messages can be intercepted because of unpatched vulnerabilities in Signaling System 7 (SS7). 2FA over SMS is officially recognized as insecure (the US National Institute of Standards and Technology says so in its Digital Authentication Guideline).

At the same time, having 2FA often gives the user a false sense of security, and he picks a simpler password. Such authentication then does not make it harder, but easier, for an attacker to get into the account.

And SMS messages often arrive with a long delay or not at all.

Other 2FA methods

Of course, smartphones and SMS are not the whole story. There are other 2FA methods. For example, one-time TAN codes: an old-fashioned but working method still used by some banks. There are systems that use biometric data: fingerprints, retinal scans. Another option, which looks like a sensible compromise between convenience, reliability and price, is dedicated 2FA applications: RSA Token, Google Authenticator. There are also physical keys and other methods.

In theory it all looks logical and reliable. In practice, modern 2FA solutions have problems, and because of them reality differs from expectations.

According to research, using 2FA is inconvenient in principle, and the popularity of 2FA via SMS is explained by "less inconvenience compared with other methods" - receiving one-time codes is understandable to the user.

Users associate many 2FA methods with the fear of losing access. A physical key or a list of TAN passwords can be lost or stolen. I personally have had bad experiences with Google Authenticator. My first smartphone with this application broke - and restoring access to my accounts took a lot of effort. Another problem is moving to a new device. Google Authenticator has no export option, for security reasons (if the keys can be exported, what security is left?). Once I transferred the keys by hand, and then I decided it was easier to leave the old smartphone in a box on the shelf.

A 2FA method should be:

  • Secure - only you, and not attackers, should get access to your account
  • Reliable - you get access to your account whenever you need it
  • Convenient and accessible - using 2FA is clear and takes little time
  • Cheap

We believe blockchain is the ideal solution.

Using 2FA on the blockchain

For the user, 2FA on the blockchain looks exactly like receiving one-time codes via SMS. The only difference is the delivery channel. How the 2FA code is obtained depends on what the blockchain offers. In our project (details are in my profile) it is a web application, Tor, iOS, Android, Linux, Windows and macOS.

The service generates a one-time code and sends it to the messenger on the blockchain. Then the classic routine follows: the user enters the received code in the service interface and logs in.

In the article "How a decentralized messenger on the blockchain works" I wrote that the blockchain guarantees the security and privacy of message delivery. For the delivery of 2FA codes I would single out:

  • One click to create an account - no phone numbers or e-mails.
  • All messages with 2FA codes are encrypted end-to-end with curve25519xsalsa20poly1305.
  • A MITM attack is ruled out - every message with a 2FA code is a transaction on the blockchain and is signed with Ed25519 EdDSA.
  • A message with a 2FA code ends up in its own block. The sequence and timestamps of blocks cannot be altered, and therefore neither can the order of messages.
  • There is no central body that checks a message's "authenticity". That is done by a distributed system of nodes based on consensus, and it belongs to the users.
  • It cannot be switched off - accounts cannot be blocked and messages cannot be deleted.
  • 2FA codes can be received on any device at any time.
  • Delivery of a message with a 2FA code is confirmed. The service sending the one-time password knows for certain that it was delivered. No "Send again" buttons.

To compare with other 2FA methods I compiled a table (it appears as an image in the original post).

The user gets an account in the blockchain messenger for receiving codes within a second - only a passphrase is used to log in. So the usage patterns can vary: you can use one account to receive codes for all services, or create a separate account for each service.

There is also an inconvenience - the account must have at least one transaction. To send a user an encrypted message with a code, you need to know his public key, and it appears in the blockchain only with the first transaction. This is how we worked around it: we let users receive free tokens into their wallet. Still, a better solution would be to name the account after the public key. (For comparison, we have the account number U1467838112172792705 derived from the public key cc1ca549413b942029c4742a6e6ed69767c325f8d989f7e4b71ad82a164c2ada. For a messenger this is more convenient and readable, but for a system that delivers 2FA codes it is a limitation.) I think that in the future someone will build such a solution and move "Convenient and accessible" into the green zone.

The cost of sending a 2FA code is very low - 0.001 ADM, which at the moment is 0.00001 USD. And again, you can run your own blockchain and make the cost zero.

How to connect 2FA on the blockchain to your service

I hope I have managed to interest a few readers in adding blockchain-based authorization to their services.

I will describe how to do this using our messenger as an example; by analogy you can use another blockchain. In the 2FA demo app we use postgresql10 to store account data.

Integration steps:

  1. Create an account on the blockchain from which you will send 2FA codes. You receive a passphrase, which serves as the private key for encrypting the messages with codes and signing transactions.
  2. Add a script to your server that generates 2FA codes. If you already use another 2FA method with one-time password delivery, this step is already done.
  3. Add a script to your server that sends the codes to the user in the blockchain messenger.
  4. Create a user interface for sending and entering the 2FA code. If you already use another 2FA method with one-time password delivery, this step is already done.

1 Creating an account

Creating an account in the blockchain means generating a private key, a public key, and an address derived from them.

First a BIP39 passphrase is generated and a SHA-256 hash is computed from it (the code below hashes the BIP39 seed derived from the passphrase). The hash is used to generate the private key ks and the public key kp. From the public key, using the same SHA-256 with byte reversal (the first eight bytes of the hash, reversed, read as a number), we obtain the address in the blockchain.

If you want to send 2FA codes from a new account each time, the account generation code has to be added to the server:

// Generate a BIP39 passphrase (English word list); it is the account's root secret
import Mnemonic from 'bitcore-mnemonic'
this.passphrase = new Mnemonic(Mnemonic.Words.ENGLISH).toString()

…

// Turn the passphrase into a 32-byte seed: BIP39 seed (PBKDF2), then SHA-256 of it
import * as bip39 from 'bip39'
import crypto from 'crypto'

adamant.createPassphraseHash = function (passphrase) {
  const seedHex = bip39.mnemonicToSeedSync(passphrase).toString('hex')
  return crypto.createHash('sha256').update(seedHex, 'hex').digest()
}

…

// Derive the Ed25519 key pair from the 32-byte hash (deterministic: same passphrase, same keys)
import sodium from 'sodium-browserify-tweetnacl'

adamant.makeKeypair = function (hash) {
  const keypair = sodium.crypto_sign_seed_keypair(hash)
  return {
    publicKey: keypair.publicKey,
    privateKey: keypair.secretKey
  }
}

…

// Address = 'U' + the first 8 bytes of SHA-256(publicKey), byte-reversed, read as an unsigned integer
import crypto from 'crypto'
import bignum from 'bignum'

adamant.getAddressFromPublicKey = function (publicKey) {
  const publicKeyHash = crypto.createHash('sha256').update(publicKey, 'hex').digest()
  const temp = Buffer.alloc(8)
  for (let i = 0; i < 8; i++) {
    temp[i] = publicKeyHash[7 - i]
  }
  return 'U' + bignum.fromBuffer(temp).toString()
}

In the demo application we did it more simply: we created one account in the web application and send codes from it. In most cases this is also more convenient for the user: he knows that the service sends 2FA codes from a specific account and can give it a name.

2 Generating 2FA codes

A 2FA code must be generated for each user login. We use the speakeasy library, but you can choose any other.

const speakeasy = require('speakeasy');

// HOTP (RFC 4226): the code depends on the shared secret and a per-account counter,
// which is incremented on every login so that each code is used once
const hotp = speakeasy.hotp({
  counter,
  secret: account.seSecretAscii,
});

Checking the 2FA code entered by the user:

// verify() recomputes the code for the stored counter and compares it with the submitted token
se2faVerified = speakeasy.hotp.verify({
  counter: this.seCounter,
  secret: this.seSecretAscii,
  token: hotp,
});

3 Sending the 2FA code

To deliver the 2FA code you can use the blockchain node API, the JS API library, or the console. In this example we use the console: a Command Line Interface tool that simplifies interaction with the blockchain. To send a message with a 2FA code, use the console's send message command.

const util = require('util');
const exec = util.promisify(require('child_process').exec);

…

// The promisified exec() rejects on a non-zero exit code, so the error is caught rather than destructured
const command = `adm send message ${adamantAddress} "2FA code: ${hotp}"`;
let stdout, stderr;
try {
  ({ stdout, stderr } = await exec(command));
} catch (error) {
  // delivery failed: error.code and error.stderr describe why
  stderr = error.stderr;
}

Another way to send messages is the send method of the JS API library.

4 User interface

The user must be given a way to enter the 2FA code; this can be done in different ways depending on your platform. In our example it is Vue.

The source code of the blockchain two-factor authentication demo application can be viewed on GitHub. The Readme contains a link to a live demo you can try.

Source: www.habr.com