To all the people telling me this will never happen, and I should stop trash talking 2FA (TOTP, SMS, etc *not* U2F). Please read this, then kindly apologise. https://twitter.com/josephfcox/status/1075391745502924801 …
-
Person-in-browser bank malware has been doing this for years. That’s why we have things like U2F innit? I’m surprised this is such big news.
-
Replying to @riskybusiness @munin
I don't know the term "person-in-browser", but U2F doesn't protect against malware. I think it's noteworthy because a lot of people said that phishing attacks against TOTP, HOTP, SMS 2FA, Push Verification, etc, were impractical and chastised me for saying they're bad design
-
Have you heard the term man-in-browser?
-
Replying to @riskybusiness @munin
No, but I guess it means malware or compromised extension, NPAPI plugin?
-
Just refers to any class of malware that fiddles inline in the browser. Displays users what they expect while transaction destinations and other details are fiddled with in the background. And yeah, of course you’re right even U2F isn’t going to save you then.
-
I see, I don't really follow the taxonomy of malware after you've got arbitrary code execution, I think arbitrary code is arbitrary code to vulnerability guys 