To all the people telling me this will never happen, and I should stop trash talking 2FA (TOTP, SMS, etc *not* U2F). Please read this, then kindly apologise. https://twitter.com/josephfcox/status/1075391745502924801 …
-
You’re right. No one I've seen disagrees that this was always possible...but widespread adoption of U2F is a ways off. And SMS, TOTP, etc protect everyone *TODAY* against password stuffing which is an order of magnitude more common than phishing.
-
Where did that factoid come from? I see automated SMS phishing at clients right now.
-
It’s based on data. Dropbox and Patreon. AFAIK FB have reported the same. Pretty sure there is public data that supports this too. I’ve been out of the game since April, so I do admit my data is older.
-
I think that's misinterpreting the data. It's a question of economics, it's not currently worth supporting 2FA users because it would only increase the victim yield 1% (or whatever small number) for significant process change, if you were to roll out universally however...
-
Does rolling out phishable 2FA to 1% of users make them too expensive to pop for opportunistic attackers (but not targeted attackers)? Yes, supporting 2FA for 1% more victims is a bad investment. If it's rolled out universally, then suddenly it's worth it again. 