To all the people telling me this will never happen, and I should stop trash talking 2FA (TOTP, SMS, etc *not* U2F). Please read this, then kindly apologise. https://twitter.com/josephfcox/status/1075391745502924801
Replying to @taviso
To be fair, phishing a 2FA code would be exceptionally difficult.
Replying to @taviso
Now if they could mimic 2FA prompts remotely on the party's device, in real time, and intercept a code... that is powerful (a la Blizzard’s authenticator)
Replying to @taviso
No, it’s not. They phish for credentials (including 2FA code) from a single page. This attack vector relies on getting the user to a phishing page.
Replying to @taviso
“They do this ... with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can login and steal the account.”
Replying to @ryanisnan @taviso
There are authenticators on the market that allow remote authentication. If this could be compromised, it would allow a user’s 2FA to be approved without relying on a phishing implementation.
Unless you're talking about U2F or the similar FIDO standards (which I already said in the tweet, I agree is a good solution), then TOTP, HOTP, SMS 2FA, Push Requests, and all similar tokens are phishable using very similar techniques. AFAIK, Blizzard use TOTP.