oh, you're assuming there is fakebankpage.php server code that is attempting realbankpage.html passthrough login at the actual time of form submission? Possible, unless the login form is captcha'ed
Attacker can just proxy whatever captcha necessary to you. Only real solution is U2F. This is a favourite argument of mine, I think SMS 2FA is worthless and needs to die
I guess my argument is that it's a process, and moving the bar to auth apps raises that bar. You don't need to outrun the bear, you just need to outrun the people behind you ;) That plus Apple needs a far better nearfield / bluetooth key story
It's certainly an economics problem for opportunistic attackers; they are rational and don't want to waste money adding support for 2FA users. That will yield 1% more victims for a lot of work... but when 90% of users are 2FA users....
proxying 2fa fields (or captcha) plus running a real headless browser is *FAR* more complex than a simple "present fake form, save entered form data to database" .. like 2 orders of magnitude harder, it is also extremely site specific & brittle if they update login form
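The two posts above argue over what a relay ("proxy the fields") phishing kit can and cannot forward. The following added example, not from any participant in the thread, simulates both factors against such a relay: a relayed TOTP code is indistinguishable from a legitimate one, while a U2F-style assertion fails because the browser includes the origin it actually loaded. All origins, secrets and the HMAC stand-in for the token's ECDSA signature are constructed assumptions.

```python
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://realbank.example"       # constructed placeholder
PHISH_ORIGIN = "https://fakebankpage.example"  # constructed placeholder

# --- TOTP (RFC 6238): the user enrolled this shared secret at the real site ---
TOTP_SECRET = b"constructed-demo-totp-secret"

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def real_site_checks_totp(submitted: str, timestamp: int) -> bool:
    # The real site cannot tell which page the user typed the code into.
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, timestamp))

# --- U2F-style assertion: the signed message covers the origin the browser saw ---
# An HMAC under a per-token key stands in for the real token's ECDSA signature;
# the property being shown (origin is inside the signed data) is the same.
TOKEN_KEY = b"constructed-demo-token-key"

def token_sign(origin_seen_by_browser: str, challenge: bytes) -> bytes:
    msg = origin_seen_by_browser.encode() + b"\x00" + challenge
    return hmac.new(TOKEN_KEY, msg, hashlib.sha256).digest()

def real_site_checks_u2f(challenge: bytes, signature: bytes) -> bool:
    # The relying party only ever verifies against its own origin.
    expected = token_sign(REAL_ORIGIN, challenge)
    return hmac.compare_digest(signature, expected)

def relay_kit(now: int, challenge: bytes) -> dict:
    """Fake page forwards whatever the victim submits to the real site."""
    # TOTP: the victim reads the code off their app and types it into the fake form.
    totp_ok = real_site_checks_totp(totp(TOTP_SECRET, now), now)
    # U2F: the kit relays the real challenge, but the victim's browser hands the
    # token the phishing origin, so the forwarded assertion does not verify.
    u2f_ok = real_site_checks_u2f(challenge, token_sign(PHISH_ORIGIN, challenge))
    return {"totp_accepted": totp_ok, "u2f_accepted": u2f_ok}

if __name__ == "__main__":
    print(relay_kit(1_700_000_000, b"constructed-challenge"))
```

The relying-party side is what a defender controls: logging the origin carried in each assertion is also the place to spot a kit that is relaying challenges.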
Someone only has to solve it once, and then the phishing kit will be updated. If the phishing kit doesn't work, nobody will buy it, so they have no choice but to invest in a solution.
it's only valid security if you can actually get people to do it. I am supremely unconvinced hardware 2fa on a smartphone, and *particularly* iOS, crosses that threshold today. In five years? Maybe.
True, but the solution isn't just to use snakeoil instead, right?
I *guarantee* you that statistically you have reduced attack surface and attack success rate with authenticator apps. Will you ever prevent mossad from logging into your GMail if they reeaaaalllly want to? Nope.
Imagine a 2FA competitor called BFA, "Banana Factor Authentication". With BFA, 1% of users have to type the word "banana" into a form field. I guarantee you that will reduce attack success rate too; is that an incremental improvement to security?
With proper marketing, I'm sure people would buy BFA :D
I, for one, am excited about our future with berry-based authentication!