It’s based on data. Dropbox and Patreon. AFAIK FB have reported the same. Pretty sure there is public data that supports this too. I’ve been out of the game since April, so I do admit my data is older.
I think that's misinterpreting the data. It's a question of economics, it's not currently worth supporting 2FA users because it would only increase the victim yield 1% (or whatever small number) for significant process change, if you were to roll out universally however...
2 replies 0 retweets 0 likes
It’s like the thing about house alarms. When you’re the only house on the block without one, yeah, it matters. But once every house has them, they stop mattering at all. We have clients that are serious fraud targets, and SMS is just a speed bump.
1 reply 0 retweets 7 likes
I think you’re both not accounting for the differences between phishing and stuffing. The vast majority of stuffing passwords I’ve seen come from DB dumps. The attacker never engages with the victim.
2 replies 0 retweets 0 likes
The SMS phishing I’ve been seeing is done in conjunction with credential stuffing, so I don’t see the distinction you’re trying to make.
1 reply 0 retweets 1 like
Explain? Credential stuffing usually refers to attacking reused credentials from data breaches. Where does phishing enter in?
1 reply 0 retweets 0 likes
Mandatory SMS 2FA across user base. Phase 1: credential-stuff the password. Phase 2: send automated request for SMS code to victim.
2 replies 0 retweets 0 likes
Ah. I believe it (and I’ve seen some similar phishing), but I do think this attack is meaningfully harder than straight-up credential stuffing. For example, your scenario seems to require an out-of-band (e.g. SMS) contact for the victim, which may be missing in big dumps.
2 replies 0 retweets 0 likes
Replying to @spongeclipper @tqbf and
Not trying to get too far into this argument because OTP is clearly suboptimal, but there are attacks where it meaningfully helps beyond just the economic point, I think. Is it worth deploying? Dunno.
1 reply 0 retweets 0 likes
I’m not as religious as Tavis is on this and generally like TOTP, but SMS is a tire fire and needs to go away.
2 replies 0 retweets 1 like
So long as you don't argue it solves phishing, we're still cool
Those secret questions will save us from phishing!!!
1 reply 0 retweets 1 like
Replying to @joshbressers @taviso and
As long as there are three of them, and one is “what’s your favorite candy bar.”
0 replies 0 retweets 0 likes