Moving 2FA protection to the blockchain

SMS messages are the most popular second factor for two-factor authentication (2FA). They are used by banks, e-money and crypto wallets, mailboxes and services of every kind; the share of users relying on this method is close to 100%.

This situation bothers me, because the method is not secure. Reassigning a number from one SIM card to another dates back to the dawn of the mobile era: it is how a number is restored when a SIM card is lost. "Digital money theft specialists" realised that the "reissue SIM card" option could be used in fraud schemes. After all, whoever controls the SIM card controls other people's online banking, e-wallets and cryptocurrency. And someone else's number can be taken over by bribing a telecom employee, by social engineering, or with forged documents.


Thousands of episodes of SIM swapping, as this fraud scheme is called, have been uncovered. The scale of the disaster suggests that the world should soon abandon 2FA over SMS. But that is not happening: research shows it is not users who choose the 2FA method, but service owners.

We propose a more secure 2FA method, with one-time codes delivered over a blockchain, and we will show how a service owner can integrate it.

The count runs into the millions

In 2019, SIM swap fraud grew by 63% according to the London police, and the attacker's "average bill" was 4,000 GBP. I have not found any statistics for Russia, but I think they are even worse.

SIM swapping is used to steal popular Twitter, Instagram, Facebook and VK accounts, bank accounts and, more recently, cryptocurrency, The Times reports, citing Bitcoin entrepreneur Joby Weeks. High-profile cases of cryptocurrency theft via SIM swapping have appeared in the press since 2016; 2019 saw the real peak.

In May, the US Attorney's Office for the Eastern District of Michigan brought charges against nine young people aged 19 to 26, believed to be members of a hacker group called "The Community". The gang is accused of seven swapping attacks, through which the hijackers stole cryptocurrency worth more than 2.4 million dollars. And in April, California student Joel Ortiz received 10 years in prison for SIM swapping; his haul was $7.5 million in cryptocurrency.

Photo of Joel Ortiz at a university press conference. Two years later he would be jailed for cyber fraud.

How SIM swapping works

"Swapping" means exchanging. In every scheme of this kind, the criminals take over the victim's phone number, usually by having the SIM card reissued, and then use it to reset passwords. In theory a typical SIM swap looks like this:

  1. Reconnaissance. The fraudsters collect the victim's personal data: name and phone number. These can be found in open sources (social networks, friends) or obtained from an accomplice, an employee of the mobile operator.
  2. Blocking. The victim's SIM card is blocked; to do this it is enough to call the provider's support line, give the number and say the phone has been lost.
  3. Takeover: the number is transferred to the attacker's SIM card. Usually this is done in collusion with a telecom employee or with forged documents.

In real life things are even cruder. The attackers pick a victim and track the phone's location every day; one query to find out whether a subscriber has gone into roaming costs 1 to 2 cents. As soon as the SIM card owner goes abroad, they negotiate with a manager at a phone shop to issue a new SIM card. It costs around $50 (I found figures from $20 to $100 depending on the country and the operator), and in the worst case the manager gets fired; there is no legal liability for it.

From then on every SMS goes to the attackers, and the phone's owner can do nothing about it: they are abroad. The criminals gain access to all of the victim's accounts and change the passwords at will.

Chances of recovering the stolen assets

Banks sometimes accommodate victims and reverse the transfers from their accounts. So fiat money can be recovered even if the criminal is never found. With a cryptocurrency wallet everything is much harder, both technically and legally. To date, not a single exchange or wallet has paid compensation to victims of SIM swapping.

If victims want to defend their money in court, they go after the operator: it created the conditions for the theft from the account. This is exactly what Michael Terpin did after losing 224 million dollars to a SIM swap. He is now suing the telecom company AT&T.


So far no government has a working plan for legally protecting cryptocurrency owners. You cannot insure your capital or get compensation for losing it. Preventing a swapping attack is therefore easier than dealing with its consequences. The most obvious way is to use a trustworthy "second factor" for 2FA.

SIM swapping is not the only problem with 2FA over SMS

SMS verification codes are also insecure from a technical point of view. Messages can be intercepted through unpatched weaknesses in Signalling System 7 (SS7). 2FA over SMS has been officially recognised as insecure: the US National Institute of Standards and Technology said so in its Digital Authentication Guideline (the 2016 draft of SP 800-63B deprecated SMS as an out-of-band authenticator; the final SP 800-63B keeps it only as a "restricted" authenticator that requires additional risk assessment).

At the same time, the presence of 2FA often gives the user a false sense of security, so they choose a weaker password. Such authentication then does not make it harder for an attacker to get into the account; it makes it easier.

And SMS messages frequently arrive with a long delay, or not at all.

Other 2FA methods

Of course, the world does not revolve around smartphones and SMS. There are other 2FA methods. For example, one-time TAN codes: an ancient method, but it works and is still used by some banks. There are systems based on biometric data: fingerprints, retina scans. Another option that looks like a reasonable compromise between convenience, reliability and cost is dedicated 2FA applications: RSA Token, Google Authenticator. There are also physical keys and other methods.

In theory everything looks logical and reliable. In practice, today's 2FA solutions have problems, and because of them reality differs from expectations.

According to research, using 2FA is inconvenient in principle, and the popularity of 2FA over SMS is explained by "less inconvenience compared to other methods": receiving one-time codes is something the user understands.

Users associate many 2FA methods with the fear of losing access. A physical key or a list of TAN passwords can be lost or stolen. I personally had a bad experience with Google Authenticator. My first smartphone with this app broke, and I can tell you what it took to restore access to my accounts. Another problem is moving to a new device. Google Authenticator has no export option, for security reasons (if the keys can be exported, what security is there?). Once I transferred the keys by hand, and after that I decided it was easier to leave the old smartphone in a box on a shelf.

A 2FA method should be:

  • Secure: only you, and not an attacker, should get access to your account
  • Reliable: you get access to your account whenever you need it
  • Convenient and accessible: using 2FA is clear and takes minimal time
  • Low-cost

We believe a blockchain is the right solution.

Using 2FA on the blockchain

For the user, 2FA on the blockchain looks the same as receiving one-time codes by SMS. The only difference is the delivery channel. How the user receives the 2FA code depends on what the blockchain offers. In our project (details in my profile) this is a Web app, Tor, iOS, Android, Linux, Windows and macOS.

The service generates a one-time code and sends it to the messenger on the blockchain. Then the classic flow follows: the user enters the received code in the service's interface and logs in.


Note: I have written elsewhere about how a decentralised messenger on a blockchain works and how the blockchain ensures the security and privacy of message delivery. For the case of sending 2FA codes I would highlight:

  • One click to create an account; no phone numbers or e-mails.
  • Every message carrying a 2FA code is end-to-end encrypted with curve25519xsalsa20poly1305.
  • A man-in-the-middle cannot forge or alter a code: every message with a 2FA code is a transaction on the blockchain, signed with Ed25519 (EdDSA) by the sending account, so the recipient can check that it came from the service's address.
  • A message with a 2FA code ends up in a block. The order and timestamps of blocks cannot be tampered with, and therefore neither can the order of messages.
  • There is no central infrastructure that vouches for a message's "authenticity". This is done by a distributed system of nodes based on consensus, and it is owned by the users.
  • It cannot be switched off: accounts cannot be blocked and messages cannot be deleted. The flip side is that the encrypted codes stay on a public chain forever, so anyone who later obtains the recipient's passphrase can decrypt the whole history; the passphrase deserves the same protection as an authenticator seed.
  • Access to the 2FA codes from any device, at any time.
  • Confirmed delivery of the message with the 2FA code: the service sending the one-time password knows for certain that it was delivered. No "Resend" buttons.

To compare with other 2FA methods, I made a table (in the original it is an image and is not reproduced here).

The user gets an account in the blockchain messenger for receiving codes in a couple of clicks: only a passphrase is needed to log in. Usage patterns can therefore differ: you can use one account to receive codes for all services, or create a separate account for each service.

There is also a drawback: the account must have at least one transaction. For a user to receive an encrypted message with a code, the sender must know the user's public key, and it appears on the blockchain only with the account's first transaction. This is how we worked around it: we let users claim free tokens into their wallet. A better solution, however, would be to address the account by its public key. (For comparison, our account number U1467838112172792705 is derived from the public key cc1ca549413b942029c4742a6e6ed69767c325f8d989f7e4b71ad82a164c2ada. For a messenger the short form is more convenient and readable, but for a 2FA code delivery system it is a limitation.) I think someone will eventually take that decision and move "Convenience and accessibility" into the green zone.

The cost of sending a 2FA code is really low: 0.001 ADM, currently about 0.00001 USD. You can also run your own blockchain and bring the cost down to zero.

How to integrate blockchain 2FA into your service

I hope I have managed to get a few readers interested in adding blockchain-based authentication to their services.

I will show how to do this using our messenger as the example; by analogy, you can use another blockchain. In the 2FA demo app we use PostgreSQL 10 to store account data.

Integration steps:

  1. Create an account on the blockchain from which you will send the 2FA codes. You receive a passphrase, which is used as the private key for encrypting messages with the codes and for signing transactions.
  2. Add a script on your server that generates 2FA codes. If you already use any other 2FA method with one-time password delivery, this step is already done.
  3. Add a script on your server that sends the codes to the user in the blockchain messenger.
  4. Create a user interface for requesting and entering the 2FA code. If you already use any other 2FA method with one-time password delivery, this step is already done.

1 Creating an account

Creating an account on the blockchain means generating a private key, a public key, and the account address derived from them.


First a BIP39 passphrase is generated, and a SHA-256 hash is computed from it. The hash is used as the seed for the private key ks and the public key kp. From the public key, using SHA-256 again and reversing the first eight bytes of the digest, we obtain the address on the blockchain.

If you want to send 2FA codes from a fresh account every time, the account-creation code has to be added to the server:

import Mnemonic from 'bitcore-mnemonic'
// A fresh English BIP39 passphrase; it is the account's only secret and must be stored safely
this.passphrase = new Mnemonic(Mnemonic.Words.ENGLISH).toString()

…

import * as bip39 from 'bip39'
import crypto from 'crypto'

// SHA-256 of the BIP39 seed derived from the passphrase; the 32-byte digest is the Ed25519 seed
adamant.createPassphraseHash = function (passphrase) {
  const seedHex = bip39.mnemonicToSeedSync(passphrase).toString('hex')
  return crypto.createHash('sha256').update(seedHex, 'hex').digest()
}

…

import sodium from 'sodium-browserify-tweetnacl'

// Deterministic Ed25519 key pair from the 32-byte hash
adamant.makeKeypair = function (hash) {
  var keypair = sodium.crypto_sign_seed_keypair(hash)
  return {
    publicKey: keypair.publicKey,
    privateKey: keypair.secretKey
  }
}

…

import crypto from 'crypto'
import bignum from 'bignum' // the 'bignum' npm package the conversion below relies on

// Address: 'U' + the first 8 bytes of SHA-256(publicKey), byte-reversed, as a decimal number
adamant.getAddressFromPublicKey = function (publicKey) {
  const publicKeyHash = crypto.createHash('sha256').update(publicKey, 'hex').digest()
  const temp = Buffer.alloc(8)
  for (var i = 0; i < 8; i++) {
    temp[i] = publicKeyHash[7 - i]
  }
  return 'U' + bignum.fromBuffer(temp).toString()
}

In the demo app we simplified this: we created a single account in the web app and send the codes from it. In most cases this is also more convenient for the user: they know that the service sends 2FA codes from one specific account and can give it a name in their contacts.


2 Generating 2FA codes

A 2FA code must be generated for every user login. We use the speakeasy library, but you can pick any other.

const speakeasy = require('speakeasy');

// One-time code for this login (HOTP, RFC 4226) from the user's per-account
// secret and the stored counter; the counter must be persisted and advanced
// after every issued code
const hotp = speakeasy.hotp({
  counter,
  secret: account.seSecretAscii,
});

To check the 2FA code entered by the user (here hotp holds the submitted value):

// Returns true when the submitted code matches the expected value for the stored counter
se2faVerified = speakeasy.hotp.verify({
  counter: this.seCounter,
  secret: this.seSecretAscii,
  token: hotp,
});

3 Sending the 2FA code

To deliver the 2FA code you can use the blockchain node's API, the JS API library, or the console. In this example we use the console, a Command Line Interface that makes working with the blockchain convenient. To send a message with the 2FA code, use the console's send message command.

const util = require('util');
const execFile = util.promisify(require('child_process').execFile);

…

// Address and message are passed as separate arguments with no shell in between,
// so neither value can smuggle in extra commands; execFile rejects on failure,
// which is why there is no 'error' field in the resolved value
if (!/^U\d+$/.test(adamantAddress)) throw new Error('invalid ADAMANT address');
let { stdout, stderr } = await execFile('adm', ['send', 'message', adamantAddress, `2FA code: ${hotp}`]);

Another way to send messages is the send method of the JS API library.

4 User interface

The user needs a way to enter the 2FA code; this can be done in different ways depending on your application platform. In our example it is Vue.


The source code of the blockchain two-factor authentication demo app is available on GitHub. The Readme links to a live demo you can try.

Source: www.habr.com
