Roku forcing 2-factor authentication after breach of 600K accounts

rcduke

Ars Tribunus Militum
1,987
Subscriptor++
Ideally this wouldn't be a problem because people will stop buying Roku TVs. The same TVs where advertisements will be plastered on your TV screen when you're not watching anything, because you're the product even after buying their hardware.

But 2FA is good to have on every website to help reduce successful attacks.
 
Upvote
76 (81 / -5)
2FA for an ad infested POS company?

I mean. They are already trash for showing ads to people who purchased their hardware. That alone makes them a corrupt company.

And the recent scandal with the new terms. Hmm 2 for 2…

If only there was a reputable company out there that provides the same hardware .. not Apple, Android, Amazon, for obvious reasons…

Looks like there is a huge untapped market out there!
 
Upvote
-8 (25 / -33)

MightyPez

Ars Scholae Palatinae
1,476
The best part is it is e-mail 2fa which is maybe a hair above SMS 2fa when it comes to security.

I said it in a previous article, but I stopped using Roku devices and unplugged my Roku TV from the network after their ToS update that bricked your device until you agree.

With the breach and ad injections plan that decision has proven to be very very good.
 
Upvote
32 (43 / -11)

MightyPez

Ars Scholae Palatinae
1,476
Hasn't it been shown that you can defeat pretty much any 2FA with MITM attacks, including authenticator apps? Having 2FA of any kind is good, but if someone is genuinely determined, 2FA won't stop them.
... No? App based MFA is susceptible to phishing, but I'm not sure how exactly you would MITM a code generated on an app.

The issue being Roku is doing a very bare minimum approach when it comes to MFA and not a very good one. E-mail, and to an extent hardware authing for a device you're already logged in to. App and hardware tokens are far better solutions that they don't seem to want to invest any resources into supporting because it's cheaper which is a bad look when you have decided to show a) Your security was poorly setup from the start and b) you are outwardly showing you are trying to be as greedy as possible.
 
Upvote
37 (39 / -2)

pavon

Ars Tribunus Militum
2,238
Subscriptor
Meh, this doesn't seem that bad. I have literally signed into my Roku account once when initially setting up the device, and then it has kept me logged in on that device forever afterwards. I suppose they could only require 2FA for people who have used a credit card, but it simplifies things to apply it to everyone, and it seems like a perfectly reasonable security precaution.

Unlike all the other shit things Roku has been doing recently, I see this as positive to neutral.
 
Upvote
33 (36 / -3)

pavon

Ars Tribunus Militum
2,238
Subscriptor
Hasn't it been shown that you can defeat pretty much any 2FA with MITM attacks, including authenticator apps? Having 2FA of any kind is good, but if someone is genuinely determined, 2FA won't stop them.
I mean if someone actually manages to subvert TLS certificate verification to perform a successful MITM attack of an encrypted connection, then no form of authentication will save you. But 2FA does prevent a bunch of real world attacks (like credential stuffing as mentioned in the article) that are several orders of magnitude more likely than that theoretical attack.
 
Upvote
44 (44 / 0)
Seriously? Roku, which now deploys 5 sets of advertising windows per show, with increasing increments of duration per set (2 ads, 3 ads, 4 ads, 5 ads... some 90 seconds total!), can't protect customer information? YOUR information?
Let's all have a Roku device recycling party, because I see a hammer wanting to hit something.
 
Upvote
3 (10 / -7)
Hasn't it been shown that you can defeat pretty much any 2FA with MITM attacks, including authenticator apps? Having 2FA of any kind is good, but if someone is genuinely determined, 2FA won't stop them.
I believe FIDO2 remains unbreached (its only vulnerability is during setup).

TOTP (authenticator) is also vulnerable during setup. After that, a MitM attack would only work if the bad actor performed a login in realtime. The pin provided is only valid for <60 seconds and does not give any insight into the underlying shared secret.

Push authentication is actually more problematic.

My major beef with email as MFA is that email is also generally how passwords happen. This means that, if I've compromised your email, I don't need your password. I can just ask for a PW reset. MFA requires multiple factors. If it's (say) a Yubikey, then your factors are a username-password pair and key. If you ask for a reset, it's email and key.

If the "other factor" is email, then during a reset your factors are email and email.
 
Upvote
35 (35 / 0)
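To make the TOTP point above concrete (a captured code is only good for its time step and the adjacent ones a verifier tolerates), here is an added example in Python that is not from the commenter or from any Roku code; it implements RFC 4226 HOTP and RFC 6238 TOTP with SHA-1 and six digits, and uses the RFC's published ASCII test secret as sample input.

```python
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 default time step, seconds
DIGITS = 6   # code length shown by typical authenticator apps

# Constructed sample input: the ASCII test secret from RFC 4226 / RFC 6238 appendices.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238: HOTP keyed on the current time step (unix seconds // STEP)."""
    return hotp(secret, at // STEP)


def verify(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    neighbouring steps to tolerate clock skew. Constant-time compare avoids
    leaking which digits matched; nothing here reveals the shared secret."""
    step = at // STEP
    return any(
        hmac.compare_digest(hotp(secret, step + d), code)
        for d in range(-window, window + 1)
    )


def replay_outcomes(secret: bytes, captured_at: int) -> dict:
    """Show what happens if a code captured at `captured_at` is replayed later:
    it still passes within the skew window, and fails once the window has moved on."""
    code = totp(secret, captured_at)
    return {
        "immediate": verify(secret, code, captured_at),
        "next_step": verify(secret, code, captured_at + STEP),
        "two_minutes_later": verify(secret, code, captured_at + 4 * STEP),
    }
```

The `window` parameter is the server's trade-off: a wider window means more clock-skew tolerance but a longer replay life for any code an attacker manages to phish in real time.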
Seriously? Roku, which now deploys 5 sets of advertising windows per show, with increasing increments of duration per set (2 ads, 3 ads, 4 ads, 5 ads... some 90 seconds total!), can't protect customer information? YOUR information?
Let's all have a Roku device recycling party, because I see a hammer wanting to hit something.
You all laughed when I purchased physical media... but those don't have commercials (any more / yet).
 
Upvote
-19 (8 / -27)

morlamweb

Ars Scholae Palatinae
1,193
You all laughed when I purchased physical media... but those don't have commercials (any more / yet).
What? Every DVD/Bluray that I've purchased or borrowed has ads on the disc that play before the menu screen.

Yes, they are generally ads for movies/shows that came out a long time ago; and yes, they are generally skippable. But they are commercials.
 
Upvote
32 (34 / -2)
What? Every DVD/Bluray that I've purchased or borrowed has ads on the disc that play before the menu screen.

Yes, they are generally ads for movies/shows that came out a long time ago; and yes, they are generally skippable. But they are commercials.
If you rip your DVDs properly you can bypass all of that and just get the good stuff. Handbrake is a wonderful little program.
 
Upvote
21 (24 / -3)
You never bought a BluRay or DVD that had forced trailers and other sorts of crap that could not easily be skipped?
I have. Disney used to do that all the time.

The last batches I was buying and running didn't seem to... at least not unskippable ones. (and I don't really care about/count "on load and ends with first button press" ads).
 
Upvote
-2 (7 / -9)
I hope Roku gets their act together, because in general, their software is good enough that my non tech savvy parents can use it with little trouble.
Agree. Roku has generally done a great job of software, and my GOD why doesn't Apple yet provide such a brain-dead simple "find the remote" function that Roku has had for so long.

That, and putting a headphone jack on the remote. Brilliant.

I am interested in their wall-flat-mount TV offerings (have two Samsung TheFrame units, but their software continues to be atrocious) but their recent oops and their forays into injecting ads, I'm now not so sure.
 
Upvote
16 (16 / 0)

MightyPez

Ars Scholae Palatinae
1,476
Agree. Roku has generally done a great job of software, and my GOD why doesn't Apple yet provide such a brain-dead simple "find the remote" function that Roku has had for so long.

That, and putting a headphone jack on the remote. Brilliant.

I am interested in their wall-flat-mount TV offerings (have two Samsung TheFrame units, but their software continues to be atrocious) but their recent oops and their forays into injecting ads, I'm now not so sure.
They technically have a find my remote function, but not as simple. It's also limited to specific remotes, much like Roku's offering.
 
Upvote
9 (9 / 0)

perrosdelaguerra

Ars Scholae Palatinae
868
Subscriptor
Yeah... this is why I skipped Roku and went with an Apple TV. Sometimes having a major brand helps with these kinds of problems. Now I have to tell my parents that the Roku my sister got them may have leaked their info.
It's a lot more expensive, but sometimes it's worth it. It also acts as a homekit hub, so if you're into Apple hardware and services, it serves that purpose, too.

Just deleted my late-father's Roku account, which was the one that had credit card info tied to it. I only got my Roku stick and account to give him remote tech support, so I never added a credit card. It was a good streamer, better than Apple TV in some ways, but with this BS and the pre-cover-up TOS update, Apple TV is my streaming device and my old PS4 is my DVD/blu-ray player.
 
Upvote
11 (12 / -1)

perrosdelaguerra

Ars Scholae Palatinae
868
Subscriptor
Roku has required a credit card to be put in when creating an account with them whether you're purchasing anything or not. I hope this will get them to recons.... Nah, it won't.
Thanks for reminding me! I thought I didn't give them a card, so I went back and checked after changing my password. I did have one on file, but it was expired. I removed it anyway.
 
Upvote
5 (5 / 0)

perrosdelaguerra

Ars Scholae Palatinae
868
Subscriptor
It will be interesting to see if you're going to have to click through accepting the recently changed mandatory arbitration ToS to reset your password should your account happen to be one of the affected ones.
I didn't see any new TOS agreement when I logged on a few moments ago. Neither mine nor my dad's Roku sticks were connected to the internet since maybe December 2023, so maybe they stopped forcing that agreement?
 
Upvote
1 (1 / 0)
this is why I skipped Roku and went with an apple tv
If the Apple TV has better security than a Roku box (I think it does), it's not so much that the Apple TV is better designed as that the Apple TV uses an Apple ID for billing. Apple has been sitting on millions (billions?) of credit card numbers for several decades by now, so they've had several decades to lock down everything against breaches.
 
Upvote
6 (8 / -2)

siliconaddict

Ars Legatus Legionis
12,649
Subscriptor++
2 breaches of 600K accounts

And now we know why they forced the new TOS for forced arbitration. This is why my Stream bar went right into the garbage (e recycling) after the last date with the GF where I really needed the bar for that so I ground my teeth and accepted the damn thing but the min she was gone the thing was unplugged and I was done with that GD company.

 
Upvote
5 (7 / -2)

siliconaddict

Ars Legatus Legionis
12,649
Subscriptor++
I didn't see any new TOS agreement when I logged on a few moments ago. Neither mine nor my dad's Roku sticks were connected to the internet since maybe December 2023, so maybe they stopped forcing that agreement?
Trust me. You got it, and clicked through. Or you have a software update that is waiting. My Stream bar had been off since Nov of last year. I turned it on 2 weeks ago knowing full well what was going to appear and.....lo and behold there it was. My guess is you are missing an update where it was forced down. Lucky you.
 
Upvote
1 (4 / -3)

siliconaddict

Ars Legatus Legionis
12,649
Subscriptor++
This really makes me feel even better about their recent enshittifying updates that put ads on the home screen in a place where I have to navigate past them to get what I want /s
There are developer settings that allow you to turn that off.........for now. I treat that option as the same type of workaround in Windows to get around needing an MS account. It works, it's a pain, and who knows how long it will continue to work.
 
Upvote
3 (3 / 0)

Dzov

Ars Legatus Legionis
14,756
Subscriptor++
And now we know why they forced the new TOS for forced arbitration. This is why my Stream bar went right into the garbage (e recycling) after the last date with the GF where I really needed the bar for that so I ground my teeth and accepted the damn thing but the min she was gone the thing was unplugged and I was done with that GD company.

Arbitration or not doesn't really matter. We only got a pittance for the Experian leak.
 
Upvote
6 (6 / 0)