To all the people telling me this will never happen, and I should stop trash talking 2FA (TOTP, SMS, etc., *not* U2F). Please read this, then kindly apologise. https://twitter.com/josephfcox/status/1075391745502924801 …
I think that's misinterpreting the data. It's a question of economics: it's not currently worth supporting 2FA users because it would only increase the victim yield 1% (or whatever small number) for significant process change. If you were to roll out universally, however...
Does rolling out phishable 2FA to 1% of users make them too expensive to pop for opportunistic attackers (but not targeted attackers)? Yes, supporting 2FA for 1% more victims is a bad investment. If it's rolled out universally, then suddenly it's worth it again.
It’s like the thing about house alarms. When you’re the only house on the block without one, yeah, it matters. But once every house has them, they stop mattering at all. We have clients that are serious fraud targets, and SMS is just a speed bump.
I think you’re both not accounting for the differences between phishing and stuffing. The vast majority of stuffing passwords I’ve seen come from DB dumps. The attacker never engages with the victim.