However, the whole idea with two-factor authentication is that we require a user to have two
different and separate identifying traits. Yes, e-mail and our Oracle application are different pieces of
code, but they may be running on the same computer, so they may not be separate.
If a hacker breaks into my computer while my e-mail is running, or she also breaks into my e-mail on
my computer, and I send two-factor codes to e-mail, then she can also run the Oracle application as
me, even though the Oracle application is supposed to be protected by two-factor authentication.
Security Issues with Two-Factor Delivery to Pagers
I cannot speak regarding all pagers because some may operate differently, more like cell phones;
however, the pagers I'm familiar with are quite simple devices, like AM radios. Two-way pagers generally
use paging broadcast signals to deliver pages, but responses are returned through cellular telephone
signals. Do not assume that page messages are individually delivered to your specific pager. That is not
how the system works.
Page messages are delivered to a radio tower and broadcast, sometimes in data blocks of many
messages. Each message is prefixed with a code. Your pager, and all pagers in your system, listen to
everything being broadcast from the radio antenna. The pager is programmed with a code or a list of
codes to listen for. If the pager “sees” a code that it recognizes, it displays the associated message on the
screen. If your pager is turned off, or the physics of the radio waves are not quite right (for instance,
you're in a basement full of pipes), then you miss the broadcast and there's no way for your pager to
retrieve the message later.
Now, picture the eavesdropper sitting in a nearby hotel room with a scanner and a printer. He is
listening to the radio frequency that the pager antenna is emitting, and he is printing out messages that
are going to target codes, or he is printing out (or saving to a file) all messages. Also picture the hacker
with his own radio and antenna, around the corner, sending his own devious page messages to target
pager codes.
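The broadcast behaviour described above, modelled as an added example (it is not from the original text; the receiver names, address codes and message texts are constructed). It shows the three properties that matter for two-factor delivery: every listener in range receives every message, a pager that is off never gets its message, and a pager cannot tell which transmitter sent a page.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Receiver:
    """Any radio tuned to the paging frequency; codes=None means no filter."""
    name: str
    codes: Optional[set] = None
    powered_on: bool = True
    seen: list = field(default_factory=list)

    def hear(self, code, text):
        if not self.powered_on:
            return  # a missed broadcast cannot be retrieved later
        if self.codes is None or code in self.codes:
            self.seen.append((code, text))


class Channel:
    """Shared broadcast medium: each frame reaches every receiver in range."""

    def __init__(self):
        self.receivers = []

    def transmit(self, code, text):
        # A frame is only (address code, message): no sender identity,
        # no encryption, no acknowledgement from the pager.
        for receiver in self.receivers:
            receiver.hear(code, text)


def simulate():
    air = Channel()
    alice = Receiver("alice-pager", {1001})
    bob = Receiver("bob-pager", {1002}, powered_on=False)
    scanner = Receiver("scanner", None)  # listens with no code filter
    air.receivers += [alice, bob, scanner]

    air.transmit(1001, "2FA code 4821")  # paging service to alice
    air.transmit(1002, "2FA code 9377")  # paging service to bob, pager off
    bob.powered_on = True                # nothing is re-sent on power-up
    air.transmit(1001, "2FA code 0000")  # a different transmitter, same code
    return alice, bob, scanner


if __name__ == "__main__":
    for receiver in simulate():
        print(receiver.name, receiver.seen)
```
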
Now that you know the security issues, I will hasten to say that pagers are a great way to send
immediate, simple, non-sensitive messages to people who may be traveling or away from a computer
and phone. Paging is also a great way to broadcast messages to a number of people (via a paging group)
simultaneously. Just don't send anything you don't want the world to see. And if you have doubts about
the authenticity of a message, check with the sender. Also, if you are a sender, don't assume the recipient
got the page.
Pagers are probably a technology that will quickly disappear now that cell phone texting has
become so popular. Pagers have the advantage of being inexpensive to buy and have inexpensive service
plans. They are also allowed into some secure facilities where cell phones are not permitted, so pagers
may be required in order to contact people in those facilities who are not at a landline phone or
computer.
Security Issues with Two-Factor Delivery to Cell Phones
Unlike pagers, cell phone messages are delivered from a specific antenna to a specific cell phone. As
you pass from the area covered by one antenna (cell tower) to another, your communication is handed
off to the other cell.
Generally, this communication is fairly secure, with what passes as encryption. The key to reading
and sending data is contained in the subscriber identity module (SIM) card in your phone. We have all
seen television shows and movies depicting how a SIM card can be cloned, and an imposter cell phone
can eavesdrop on a call to the original phone. I don't think that happens much in real life, but be aware
of the possibility.
 