Attacker can just proxy whatever captcha necessary to you. Only real solution is U2F. This is a favourite argument of mine, I think SMS 2FA is worthless and needs to die 
I guess my argument is that it's a process, and moving the bar to auth apps raises that bar. You don't need to outrun the bear, you just need to outrun the people behind you ;) That plus Apple needs a far better nearfield / bluetooth key story
It's certainly an economics problem for opportunistic attackers, they are rational and don't want to waste money adding support for 2FA users. That will yield 1% more victims for a lot of work...but when 90% of users are 2FA users....
Proxying 2FA fields (or captcha) plus running a real headless browser is *FAR* more complex than a simple "present fake form, save entered form data to database" .. like 2 orders of magnitude harder, it is also extremely site specific & brittle if they update the login form
Replying to @taviso @codinghorror and
Someone only has to solve it once, and then the phishing kit will be updated. If the phishing kit doesn't work, nobody will buy it, so they have no choice but to invest in a solution.
It's only valid security if you can actually get people to do it. I am supremely unconvinced that hardware 2FA on a smartphone, and *particularly* on iOS, crosses that threshold today. In five years? Maybe.
Replying to @codinghorror @taviso and
"hassle people about u2f" plus "give up on literally everything else in security that offers incremental improvements" is not a winning combo in my book. Cue "why not both gif girl"
Whoa, nobody is saying that. I think a reasonable definition of an "incremental improvement" is requiring attackers to demonstrate a capability they didn't previously have. We already know they can steal passwords, so adding a second shorter password is not an incremental improvement.
We know they can "steal and write to local file" but not "steal and proxy to target site in real time". So that in fact demonstrates a capability they did not previously have.
Those are both examples of basic programming ability, not a "capability". A capability would be access to a physical object, knowledge of a secret, etc, etc.
I strongly disagree that successful real time proxying is a "basic programming ability". And since a proxy would be highly site specific, that also raises the bar. It is absolutely fair to note that a prebuilt kit could be released per targeted site though.
It doesn't matter, you can put a price on it if you like, let's say $200 development time. It's just economics, I'm not going to spend $200 to be able to phish 1% more users, I won't make my money back. When 90% of users need proxying, I'll pay the $200 and recoup, etc, etc.
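The thread's technical disagreement comes down to one property: a one-time code typed by the user can be forwarded unchanged by a real-time proxy and the site cannot tell, whereas a U2F/WebAuthn assertion is signed over the origin the browser actually loaded, so an assertion produced on a lookalike origin fails verification at the real site. The simulation below is an added example written for this thread, not code from any of the participants. The origins, secret and credential key are constructed; HMAC stands in for the authenticator's public-key signature so it runs on the standard library only, and the TOTP routine follows RFC 6238.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed values for the simulation; no real site or key is involved.
LEGIT_ORIGIN = "https://bank.example"
LOOKALIKE_ORIGIN = "https://bank-example.test"   # origin of the phishing page


# ---- TOTP (RFC 6238): the "second, shorter password" ----
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code for unix time t (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def relayed_totp_is_accepted(secret: bytes, t: int) -> bool:
    """The code typed into the lookalike page is forwarded unchanged within
    the same 30 s window; the real site has nothing to distinguish it by."""
    code_typed_into_phish = totp(secret, t)
    code_seen_by_real_site = code_typed_into_phish      # forwarded as-is
    return hmac.compare_digest(code_seen_by_real_site, totp(secret, t))


# ---- origin-bound challenge/response (U2F / WebAuthn style) ----
def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """Sign the challenge together with the origin the browser supplied.
    The page cannot choose this origin; the browser fills it in. HMAC is a
    stand-in for the authenticator's private-key signature (simplification)."""
    client_data = origin.encode() + b"|" + challenge
    sig = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return {"origin": origin, "challenge": challenge, "sig": sig}


def rp_verify(cred_key: bytes, expected_origin: str,
              issued_challenge: bytes, assertion: dict) -> bool:
    """Relying-party check: origin must match, challenge must be the one we
    issued, and the signature must cover exactly those values."""
    if assertion["origin"] != expected_origin:
        return False
    if not hmac.compare_digest(assertion["challenge"], issued_challenge):
        return False
    client_data = assertion["origin"].encode() + b"|" + assertion["challenge"]
    expected_sig = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def relayed_assertion_is_accepted(cred_key: bytes) -> bool:
    """Proxy obtains a fresh challenge from the real site and presents it on
    the lookalike origin; the browser signs over LOOKALIKE_ORIGIN, so the
    forwarded assertion is rejected even though the challenge is genuine."""
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(cred_key, challenge, LOOKALIKE_ORIGIN)
    return rp_verify(cred_key, LEGIT_ORIGIN, challenge, assertion)


def direct_assertion_is_accepted(cred_key: bytes) -> bool:
    """Same flow on the genuine origin: accepted."""
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(cred_key, challenge, LEGIT_ORIGIN)
    return rp_verify(cred_key, LEGIT_ORIGIN, challenge, assertion)


if __name__ == "__main__":
    otp_secret = b"12345678901234567890"          # RFC 6238 test secret
    key = secrets.token_bytes(32)                 # constructed credential key
    print("relayed TOTP accepted:     ", relayed_totp_is_accepted(otp_secret, 59))
    print("relayed assertion accepted:", relayed_assertion_is_accepted(key))
    print("direct assertion accepted: ", direct_assertion_is_accepted(key))
```

The relay defeats TOTP because the code carries no information about where it was typed; the origin-bound flow defeats the relay because the signed data names the phishing origin and the real site compares it against its own. This is the "capability" distinction in the thread: the proxy only has to move strings around for TOTP, but for U2F it would need the authenticator to sign for an origin the browser never loaded.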