mark risher (@mrisher), Verified account
Security, Spam, Phishing, and all things Google Accounts. Biracial, father, husband, he/him.
San Francisco, CA
google.com
Joined April 2007

© 2020 Twitter
    mark risher Verified account @mrisher 29 Mar 2019

    Okay, here’s the deal with Security Keys and #phishing, because even some experts don’t really get it. HT @boblord and @runasand for the idea 1/

    8:27 AM - 29 Mar 2019
    78 replies 559 retweets 991 likes
      2. mark risher Verified account @mrisher 29 Mar 2019

        IN THE BEGINNING, God created passwords. If you knew your password, you could sign in; if you didn’t, the door remained locked. Simple! 2/ pic.twitter.com/XYvvpRWXkk

        3 replies 25 retweets 68 likes
      3. mark risher Verified account @mrisher 29 Mar 2019

        Unfortunately, phishers realized that if *they* knew your password, they too could sign in. Relying on a single “knowledge factor” meant if they could make you enter your pwd on their fake login page, they were home scot-free. 3/

        2 replies 8 retweets 43 likes
      4. mark risher Verified account @mrisher 29 Mar 2019

        So system administrators started requiring a *second* factor -- something you *have* -- so phishing couldn’t succeed with just your password, they'd need the other factor as well. Phishers were sad (for a moment) 🎣😔 4/

        1 reply 7 retweets 44 likes
      5. mark risher Verified account @mrisher 29 Mar 2019

        The most common 2nd factor was (and is!) a 6-digit code that somehow is sent to a specific device. In the early days, it was often on a keychain dongle thingie; later we started sending those same codes to users’ cell phones. 5/ pic.twitter.com/QYQMQgoNBv

        4 replies 10 retweets 52 likes
      6. mark risher Verified account @mrisher 29 Mar 2019

        The problem is, phishers realized they didn’t actually need the user’s cell phone or keychain dongle thingie, they just needed the code. And how do you get the code? Create a fake login page that asks not only for the password, but also for the code! Ruh roh! 6/ pic.twitter.com/MLZy2zuipw

        3 replies 16 retweets 63 likes
      7. mark risher Verified account @mrisher 29 Mar 2019

        Because most codes only last a few minutes, initially this meant the phisher had to sit by their keyboard, waiting for users to type in their code. But it wasn’t long before this got automated (as demonstrated with Evilginx https://github.com/kgretzky/evilginx2 … from @mrgretzky) 7/

        2 replies 17 retweets 63 likes
      8. mark risher Verified account @mrisher 29 Mar 2019

        The problem is, for a few seconds, the site is relying on the user knowing the code, so what we thought was a physical “something you have” factor is actually just a kind of second knowledge factor. 8/ pic.twitter.com/pEp7srGqpV

        1 reply 9 retweets 49 likes
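What tweets 6 to 8 describe, as an added example that is not part of the thread and not Evilginx's code: an RFC 4226/6238 one-time-code generator written with the standard library, a stand-in for the real site that accepts the code within one time step of clock skew, and a proxy on a look-alike domain that forwards whatever the victim types. RealSite, PhishingProxy, the password and the seed (the RFC 4226 test key, so the codes can be checked against the RFC) are constructed for the demo.

```python
"""A relayed one-time code is still just knowledge: an Evilginx-style relay.

Added example, not code from the thread or from Evilginx. Implements RFC 4226
HOTP / RFC 6238 TOTP with the standard library and simulates a phishing proxy
that forwards the victim's password and code to the real site while the code
is still valid. RealSite, PhishingProxy, the password and the seed are
hypothetical; the seed is the RFC 4226 test key so the codes can be verified.
"""
import hashlib
import hmac
import struct

STEP = 30       # seconds per time step (RFC 6238 default)
DIGITS = 6      # the "6-digit code" from the thread


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now // STEP))


class RealSite:
    """Genuine login endpoint: password plus TOTP, accepting one step of clock skew."""

    def __init__(self, password: str, totp_secret: bytes):
        self.password = password
        self.secret = totp_secret
        self.sessions_issued = 0

    def login(self, password: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        step = int(now // STEP)
        for candidate in (step - 1, step, step + 1):
            if hmac.compare_digest(hotp(self.secret, candidate).encode(), code.encode()):
                self.sessions_issued += 1
                return True
        return False


class PhishingProxy:
    """Reverse proxy on a look-alike domain. It never needs the victim's phone,
    only what the victim types, which it forwards to the real site at once."""

    def __init__(self, target: RealSite):
        self.target = target
        self.captured = []

    def fake_login_page(self, password: str, code: str, now: float) -> bool:
        self.captured.append((password, code))
        return self.target.login(password, code, now)   # relay inside the validity window


def run_demo(now: float = 1_000_000.0) -> dict:
    """Victim submits to the phishing page; the proxy relays within seconds."""
    seed = b"12345678901234567890"          # constructed demo seed (RFC 4226 test key)
    site = RealSite("correct horse battery", seed)
    proxy = PhishingProxy(site)

    code = totp(seed, now)                   # what the victim's phone or dongle shows
    relayed = proxy.fake_login_page("correct horse battery", code, now + 5)
    stale = site.login("correct horse battery", code, now + 120)   # four steps later
    return {
        "code": code,
        "relay_succeeded": relayed,          # the code is accepted from the attacker
        "stale_replay_succeeded": stale,     # only the clock ever stopped them
        "captured": proxy.captured,
        "sessions_issued": site.sessions_issued,
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it and the relayed login succeeds while the same code replayed two minutes later fails: the only thing protecting the second factor is the clock, which is why the relay had to be automated, and nothing in the exchange ever proved possession of the phone.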
      9. mark risher Verified account @mrisher 29 Mar 2019


        Making matters worse, cell phones and SMS messages were never really built to be security tokens, so phishers have also found other ways to get those codes delivered to phones they control. (e.g. https://twitter.com/troyhunt/status/1063535984564822016 … @troyhunt) 9/

        Quoted Tweet, Troy Hunt Verified account @troyhunt:
        Major SMS security lapse is a reminder to use authenticator apps instead https://www.theverge.com/2018/11/16/18098286/vovox-security-breach-two-factor-authentication-2fa-codes-exposed …
        1 reply 16 retweets 69 likes
      10. mark risher Verified account @mrisher 29 Mar 2019

        Anyway, back to Security Keys. Phishing scams are based on the fact that login pages require the user to manually verify that they’re on the right site. Slip up one time -- mistaking a ‘1’ for an ‘l’ in the URL for example -- and the user is hosed. 10/

        2 replies 18 retweets 57 likes
      11. mark risher Verified account @mrisher 29 Mar 2019

        Security Keys flip this on its head, trading something humans are bad at (noticing subtle differences) for something computers are good at (identifying exact matches). With Security Keys, instead of the user verifying the site, the site has to prove itself to the key. 💻🔐💪11/

        2 replies 30 retweets 102 likes
      12. mark risher Verified account @mrisher 29 Mar 2019

        I'll say it again for the people in the back: With Security Keys, instead of the *user* needing to verify the site, the *site* has to prove itself to the key. Security is as much about human factors as cryptography; we have to take the onus off of the user as much as we can. 12/ pic.twitter.com/LK9d3c22ka

        7 replies 48 retweets 196 likes
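The point of tweets 11 and 12 in runnable form, as an added example that is neither the thread's code nor a FIDO library: a model of the WebAuthn assertion ceremony in which the browser writes the page's actual origin into clientData, the key only answers for an RP ID it holds a credential for, and the site rejects any origin other than its own. The signature is stood in for by an HMAC over a per-credential secret that the site also holds (a real key uses an ECDSA P-256 pair and the site keeps only the public key); the origins, class names, hex challenges and the simplified registrable-suffix check are assumptions of the example.

```python
"""Origin binding: why a Security Key will not sign for the look-alike site.

Added example, not code from the thread or any FIDO library; it models the
WebAuthn assertion ceremony with the standard library. Assumptions: the
signature is stood in for by an HMAC over a per-credential secret the site
also holds (a real key uses an ECDSA P-256 pair and the site keeps only the
public key); challenges are hex; the suffix check ignores the public suffix
list; the origins are hypothetical.
"""
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-examp1e.com"   # a '1' for an 'l', as in the thread


def rp_id_of(origin: str) -> str:
    """Effective domain of an origin (scheme, port and path stripped)."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class SecurityKey:
    """Authenticator: each credential is scoped to the SHA-256 of an RP ID."""

    def __init__(self):
        self.creds = {}      # rpIdHash -> per-credential secret (private-key stand-in)
        self.counter = 0

    def register(self, rp_id: str) -> bytes:
        secret = os.urandom(32)
        self.creds[rp_id_hash(rp_id)] = secret
        return secret        # stand-in for the public key handed to the site

    def get_assertion(self, rp_id: str, client_data: bytes):
        secret = self.creds.get(rp_id_hash(rp_id))
        if secret is None:
            return None      # no credential for this RP ID: the key stays silent
        self.counter += 1
        auth_data = rp_id_hash(rp_id) + b"\x01" + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(secret, signed, hashlib.sha256).digest()


class Browser:
    """User agent: puts the page's real origin in clientData and enforces rpId scope."""

    def __init__(self, origin: str, key: SecurityKey):
        self.origin, self.key = origin, key

    def navigator_credentials_get(self, rp_id: str, challenge: bytes):
        domain = rp_id_of(self.origin)
        if not (domain == rp_id or domain.endswith("." + rp_id)):
            raise ValueError(f"rpId {rp_id!r} is not valid for origin {self.origin!r}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": self.origin}, sort_keys=True).encode()
        result = self.key.get_assertion(rp_id, client_data)
        return None if result is None else (client_data, *result)


class RelyingParty:
    """The real site: checks challenge, origin, rpIdHash, counter and signature."""

    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, rp_id_of(origin)
        self.cred_secret, self.last_counter = None, 0

    def verify(self, challenge: bytes, response) -> bool:
        client_data, auth_data, sig = response
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
            return False
        if cd.get("origin") != self.origin:       # the site-proves-itself check
            return False
        if auth_data[:32] != rp_id_hash(self.rp_id):
            return False
        counter = int.from_bytes(auth_data[33:37], "big")
        if counter <= self.last_counter:          # replay or cloned authenticator
            return False
        signed = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.cred_secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.last_counter = counter
        return True


def run_demo() -> dict:
    key, rp = SecurityKey(), RelyingParty(REAL_ORIGIN)
    rp.cred_secret = key.register(rp.rp_id)

    chal = os.urandom(32)                       # 1. genuine login from the real origin
    legit = rp.verify(chal, Browser(REAL_ORIGIN, key).navigator_credentials_get(rp.rp_id, chal))

    chal2 = os.urandom(32)                      # 2. proxy relays the real challenge to the look-alike page
    phish = Browser(PHISH_ORIGIN, key)
    try:
        phish.navigator_credentials_get(rp.rp_id, chal2)
        browser_blocked = False
    except ValueError:
        browser_blocked = True                  # browser refuses: rpId does not match its origin

    key_silent = phish.navigator_credentials_get(rp_id_of(PHISH_ORIGIN), chal2) is None   # 3.

    # 4. even a browser that skipped the rpId check would sign over the phishing origin
    forged = json.dumps({"type": "webauthn.get", "challenge": chal2.hex(),
                         "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    relayed = rp.verify(chal2, (forged, *key.get_assertion(rp.rp_id, forged)))
    return {"legit_ok": legit, "browser_blocked": browser_blocked,
            "key_silent": key_silent, "relayed_ok": relayed}
```

Steps 2 to 4 of run_demo are the three places the relay breaks: the browser refuses an rpId that does not match the page's origin, the key has no credential for the look-alike RP ID, and a signature over clientData naming the phishing origin fails the site's origin check. None of these asks the user to read the URL.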
      13. mark risher Verified account @mrisher 29 Mar 2019

        Furthermore, this “proof” from the site to the key is only permitted over close physical proximity (like USB, NFC, or Bluetooth). Unless the phisher is in the same room as the victim, they can’t gain access to the second factor. 13/

        1 reply 13 retweets 54 likes
      14. mark risher Verified account @mrisher 29 Mar 2019

        This is why I keep using words like “transformative,” “revolutionary,” and “lit” (not so much anymore): SKs basically shrink your threat model from “anyone anywhere in the world who knows your password” to “people in the room with you right now.” Huge! 14/ pic.twitter.com/HFAPMpNXvN

        4 replies 16 retweets 108 likes
      15. mark risher Verified account @mrisher 29 Mar 2019

        Yes, no solution is perfect, and yes, security always relies on layers, but this particular layer is so strong it’s hard to exaggerate. That’s why we made Security Keys a required part of the Advanced Protection Program, and mandate SKs for all Google employees. 15/

        1 reply 12 retweets 93 likes
      16. mark risher Verified account @mrisher 29 Mar 2019

        Earlier this month, @fidoalliance took things even further with a new standard called #WebAuthN, which allows this same game-changing technology to work across the web with fingerprints and biometrics. http://fortune.com/2019/03/04/internet-change-reset-password-standard/ … @AlyssaNewcomb 16/

        3 replies 21 retweets 92 likes
      17. mark risher Verified account @mrisher 29 Mar 2019


        It'll take time to get rid of all the world’s passwords, but these technologies -- along with OIDC products like Sign-in w/ Google & FB Connect -- are making it so users don’t need to rely on them and hackers can’t take advantage of them. https://twitter.com/alexstamos/status/1046810519829544961 … @alexstamos 17/

        Quoted Tweet from @alexstamos: This Tweet is unavailable.
        3 replies 10 retweets 45 likes
      18. mark risher Verified account @mrisher 29 Mar 2019

        The media like to cover scary 0day vulnz, but phishing is the silent killer. If you’re an at-risk user -- like a political figure, celebrity, activist, or journalist -- please consider FIDO Security Keys for all your sensitive accounts. Anything less would be uncivilized. 🔐 /end

        17 replies 63 retweets 234 likes