Proxying 2FA fields (or CAPTCHA) plus running a real headless browser is *FAR* more complex than a simple "present fake form, save entered form data to database" ... like 2 orders of magnitude harder; it is also extremely site specific & brittle if they update the login form.
Replying to @taviso @codinghorror and
Someone only has to solve it once, and then the phishing kit will be updated. If the phishing kit doesn't work, nobody will buy it, so they have no choice but to invest in a solution.
1 reply 0 retweets 0 likes
It's only valid security if you can actually get people to do it. I am supremely unconvinced hardware 2FA on a smartphone, and *particularly* iOS, crosses that threshold today. In five years? Maybe.
2 replies 0 retweets 1 like
Replying to @codinghorror @taviso and
"Hassle people about U2F" plus "give up on literally everything else in security that offers incremental improvements" is not a winning combo in my book. Cue "why not both" gif girl.
1 reply 0 retweets 1 like
Whoa, nobody is saying that. I think a reasonable definition of an "incremental improvement" is requiring attacks to demonstrate a capability they didn't previously have. We already know they can steal passwords, so adding a second shorter password is not an incremental improvement.
1 reply 0 retweets 0 likes
We know they can "steal and write to local file" but not "steal and proxy to target site in real time". So that in fact demonstrates a capability they did not previously have.
1 reply 0 retweets 2 likes
Those are both an example of basic programming ability, not a "capability". A capability would be access to a physical object, knowledge of a secret, etc., etc.
1 reply 0 retweets 1 like
I strongly disagree that successful real-time proxying is a "basic programming ability". And since a proxy would be highly site specific, that also raises the bar. It is absolutely fair to note that a prebuilt kit could be released per targeted site, though.
2 replies 0 retweets 1 like
It doesn't matter, you can put a price on it if you like, let's say $200 development time. It's just economics: I'm not going to spend $200 to be able to phish 1% more users, I won't make my money back. When 90% of users need proxying, I'll pay the $200 and recoup, etc., etc.
2 replies 0 retweets 1 like
If it's a targeted attack, and I think access to your private blueprints will yield about $50k on the black market then $200 is a pretty sweet deal for that, but opportunistic phishing victims don't yield very much.