While looking at large enterprises we are using everyday such as Google, Facebook, Twitter, LinkedIN and so on, we give trust to those companies to store and process our sensitive data.

However, while all the eyes are pointed to such large enterprises, no-one is even thinking about background players who sell Two-Factor authentication security to big players.

Now imagine this.

• Company X is specialized in delivering PIN codes via Phone Calls or SMS.
• That Company X eventually grows enough through mergers and acquisitions so it starts providing services to both Google, Facebook, LinkedIN, Twitter…you name it.
• Every time you decide to reset your password via your phone by SMS or Call, or even login to your ebanking platform, your supplier initiate API call towards company X asking them to send you the code.

Now What?

Well, a person in company X can virtually get access to any part of your digital life, including social profiles, chat’s, contacts, messages, places you visit, as well as your bank account.

How?

• Let’s say person X from the company X intentionally initiate password reset with the target victim.
• Person X intercepts the message and performs Login.

This opens a whole new chapter in Internet security as IT is getting more and more centralized. You are not getting safety, but getting open and venerable as never before. Imagine a black market of industrial espionage utilizing these techniques?

The first scenario shows how it should be.



But the second one, show's how it is when someone needs your data.

Stefan Ćertić