I am an engineer working for an anti-phishing security company and I confess I have had some -majorly- close calls from our training simulations. Everyone gets tired, distracted, or careless, not just unsophisticated people.
I just hate every person and every email I get equally. It's on brand for me. That said, I agree with the central point: hardcore two factor auth, 100% of the time, everywhere... is the real defense here.
Replying to @codinghorror @thenthj
Careful: you need a 2FA scheme that isn’t susceptible to phishing. Authenticator codes and SMS messages are just as easy to phish as passwords.
They'd have to be phished in near real time to work. ~2 minute window? I'd say that moves the bar up quite a bit over "valid forever" username/password only.
Having trouble following what attack you're imagining. Once the attacker has logged in, they get an authentication token that they use for whatever attack you wanted: stealing money, reading email, whatever. That is not a high bar.
Replying to @taviso @codinghorror and
You visit phishsite.php, you're already convinced it's your bank, so you enter your password. That PHP script submits the creds (that is obviously possible in under 2 minutes), and then asks for the OTP. You're already convinced it's the bank, so you enter it. Where is the bar?
Oh, you're assuming there is fakebankpage.php server code that is attempting a realbankpage.html passthrough login at the actual time of form submission? Possible, unless the login form is captcha'ed.
The attacker can just proxy whatever captcha is necessary to you. The only real solution is U2F. This is a favourite argument of mine; I think SMS 2FA is worthless and needs to die.
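The distinction the two sides are arguing about (a one-time code can be relayed within its validity window, while a U2F/WebAuthn assertion is bound to the origin the browser actually saw) can be shown in a few dozen lines. The following is an added example, not code from anyone in this thread: the origins, user names and keys are constructed, and the authenticator signature is an HMAC stand-in for the security key's public-key signature rather than the real FIDO wire format. The TOTP side follows RFC 4226/6238 truncation; the relying-party side checks the same two things a WebAuthn server checks first, the origin and the issued challenge.

```python
"""Added example: a relayed one-time code verifies, a relayed origin-bound assertion does not.
All origins, users and keys below are constructed for the demo."""
import hashlib
import hmac
import json
import secrets
import struct
import time
from typing import Optional, Tuple

BANK_ORIGIN = "https://bank.example"          # assumed legitimate origin
PHISH_ORIGIN = "https://bank-login.example"   # assumed phishing origin


# --- TOTP-style codes: the code carries no information about where it was typed ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP is HOTP over a 30-second time counter (RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp_verify(secret: bytes, code: str, now: Optional[float] = None) -> bool:
    """The bank accepts any code valid for the current window, whoever submits it."""
    counter = int((now if now is not None else time.time()) // 30)
    return hmac.compare_digest(hotp(secret, counter), code)


def relayed_totp_attempt() -> bool:
    """The thread's scenario: the user types a valid code into the phishing page and the
    phishing server forwards it to the bank a few seconds later, inside the window."""
    secret = b"constructed-demo-seed"
    t = 1_700_000_000.0
    code_typed_into_phish_page = hotp(secret, int(t // 30))
    return totp_verify(secret, code_typed_into_phish_page, now=t + 5)  # still accepted


# --- U2F/WebAuthn-style assertion: the browser writes the origin into the signed data ---
class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.credentials = {}   # user -> key registered on the real site
        self.pending = {}       # user -> outstanding challenge

    def register(self, user: str, key: bytes) -> None:
        self.credentials[user] = key

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, client_data: str, signature: bytes) -> bool:
        data = json.loads(client_data)
        # The browser, not the user, fills in the origin; a page on PHISH_ORIGIN cannot
        # make the browser claim BANK_ORIGIN, so a relayed assertion fails here.
        if data.get("origin") != self.origin:
            return False
        # The challenge must be the one we issued for this login (replay protection).
        if data.get("challenge") != self.pending.pop(user, None):
            return False
        key = self.credentials.get(user)
        if key is None:
            return False
        expected = hmac.new(key, client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(key: bytes, challenge: str, browser_origin: str) -> Tuple[str, bytes]:
    """Stand-in for the security key: signs the challenge together with the origin the
    browser observed (HMAC here; a real authenticator uses a per-site key pair)."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).digest()


def _setup() -> Tuple[RelyingParty, bytes, str]:
    rp = RelyingParty(BANK_ORIGIN)
    key = b"constructed-credential-key"
    rp.register("alice", key)
    return rp, key, rp.begin_login("alice")


def legitimate_u2f_login() -> bool:
    rp, key, challenge = _setup()
    client_data, sig = authenticator_sign(key, challenge, BANK_ORIGIN)
    return rp.finish_login("alice", client_data, sig)


def relayed_u2f_attempt() -> bool:
    """The proxy forwards the bank's real challenge to the victim, but the victim's browser
    is on PHISH_ORIGIN, so that is the origin the authenticator signs."""
    rp, key, challenge = _setup()
    client_data, sig = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return rp.finish_login("alice", client_data, sig)


if __name__ == "__main__":
    print("relayed TOTP accepted:", relayed_totp_attempt())   # True
    print("legitimate U2F accepted:", legitimate_u2f_login())  # True
    print("relayed U2F accepted:", relayed_u2f_attempt())      # False
```

The origin check is the whole point: the code path that rejects the relayed assertion does not depend on the user noticing anything, on a captcha, or on timing, which is why the "moves the bar up" argument applies to authenticator apps but not to a security key.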
I guess my argument is that it's a process, and moving the bar to auth apps raises that bar. You don't need to outrun the bear, you just need to outrun the people behind you ;) That plus Apple needs a far better nearfield / bluetooth key story
It's certainly an economics problem for opportunistic attackers; they are rational and don't want to waste money adding support for 2FA users. That will yield 1% more victims for a lot of work... but when 90% of users are 2FA users....
I don't think this argument works for targeted phishing attacks though; if you're vulnerable to phishing, 2FA isn't gonna do much for you.