If I have to pick just one, the dumbest thing Hacker News believes about security is that phishing is a simplistic attack that only unsophisticated users fall for.
Replying to @tqbf
I am an engineer working for an anti-phishing security company and I confess I have had some -majorly- close calls from our training simulations. Everyone gets tired, distracted, or careless, not just unsophisticated people.
4 replies 8 retweets 38 likes
I just hate every person and every email I get equally. It's on brand for me. That said, I agree with the central point: hardcore two factor auth, 100% of the time, everywhere... is the real defense here.
1 reply 1 retweet 11 likes
Replying to @codinghorror @thenthj
Careful: you need a 2FA scheme that isn't susceptible to phishing. Authenticator codes and SMSs are just as easy to phish as passwords.
2 replies 0 retweets 4 likes
They'd have to be phished in near real time to work. ~2 minute window? I'd say that moves the bar up quite a bit over "valid forever" username/password only.
2 replies 0 retweets 3 likes
Having trouble following what attack you're imagining. Once the attacker has logged in, they get an authentication token that they use for whatever attack you wanted. Stealing money, reading email, whatever. That is not a high bar.
1 reply 0 retweets 2 likes
Replying to @taviso @codinghorror and
You visit phishsite.php, you're already convinced it's your bank, so you enter your password. That PHP script submits creds (that is obviously possible in under 2 minutes), and then asks for the OTP. You're already convinced it's the bank, so you enter it. Where is the bar?
3 replies 0 retweets 8 likes
Oh, you're assuming there is fakebankpage.php server code that is attempting a realbankpage.html passthrough login at the actual time of form submission? Possible, unless the login form is captcha'ed.
3 replies 0 retweets 0 likes
The attacker can just proxy whatever captcha is necessary to you. The only real solution is U2F. This is a favourite argument of mine; I think SMS 2FA is worthless and needs to die.
3 replies 1 retweet 23 likes
Nobody's arguing in favor of SMS 2FA, but an intermediate step of "get people to use authenticator apps". Login pages should indeed prevent trivial scripting though, perhaps a forced captcha (or an opportunistic "gee, where's your JavaScript interpreter / DOM" captcha) on all?
2 replies 0 retweets 2 likes
I don't think it's possible to build an app that isn't phishable, so it doesn't solve the problem of phishing. The only real solution is U2F, because it can't be phished (it's not perfect, but it can't be phished). I don't think captcha can help with this problem.
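Added example, not from anyone in this thread: a toy relying-party check in Python showing why an assertion a relaying proxy forwards from a lookalike page fails U2F/WebAuthn verification (the browser writes the page's real origin into the signed data), while a relayed OTP code passes because it carries no origin. The domain names, the key, and HMAC standing in for the authenticator's signature are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values: the real bank (relying party) and a lookalike page.
BANK_ORIGIN = "https://bank.example"
BANK_RP_ID = "bank.example"
KEY = b"constructed-authenticator-secret"  # HMAC stands in for the key's ECDSA signature

def browser_sign_assertion(key, page_origin, challenge):
    """Browser + authenticator side. The browser, not the page, writes the origin
    into clientDataJSON and derives the rpId from the page it is really on."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge, "origin": page_origin}).encode()
    rp_id = page_origin.split("://", 1)[1]
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, sig

def bank_verify(key, challenge, client_data, auth_data, sig):
    """Relying-party checks a WebAuthn verifier performs on a received assertion."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != BANK_ORIGIN:  # origin binding: a relayed assertion fails here
        return False
    if auth_data[:32] != hashlib.sha256(BANK_RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def login_attempt(page_origin, challenge):
    """The challenge is always the real bank's; a proxy can relay it unchanged."""
    client_data, auth_data, sig = browser_sign_assertion(KEY, page_origin, challenge)
    return bank_verify(KEY, challenge, client_data, auth_data, sig)

def otp_login(code_typed, code_bank_expects):
    """A TOTP/SMS code has no origin in it, so a relayed code is indistinguishable."""
    return hmac.compare_digest(code_typed, code_bank_expects)

if __name__ == "__main__":
    print("user on real site:", login_attempt(BANK_ORIGIN, "chal-1"))  # True
    print("user on lookalike:", login_attempt("https://phishsite.example", "chal-1"))  # False
    print("relayed OTP:", otp_login("123456", "123456"))  # True
```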
Apple's lack of rational support for hardware security keys is currently a dealbreaker, so they should be leaned on heavily by whatever means are available. For most humans, the smartphone is their primary computer; any security system that doesn't account for this is gonna fail
0 replies 0 retweets 5 likes