Broad statement KLAXXON
https://twitter.com/taviso/status/1082015009348104192
Replying to @DSonBlue
Sorry, I believe in calling out trash when I see it. Solving phishing with phishable schemes is trash, and we've burned a lot of goodwill asking vendors to roll out trash when we could have been asking for real solutions (like U2F).
Replying to @taviso
Phishing is tough (I get that). Notwithstanding the correct way to tackle it, re: your “OTP/PUSH” statement - below describes Authy’s PUSH implementation. Maybe the context only refers to securing the PUSH itself (opposed to the end to end session)? I will need to check. pic.twitter.com/fYszizxpox
Replying to @DSonBlue
Yes, I'm aware they (falsely) claim they solve phishing. That is not accurate. Phishing works using real authorized devices, so verifying it was signed makes no sense; it's pretty scary they don't realize this.
1. User visits fakesite, fakesite proxies realsite
2. User logs in, fakesite forwards login to realsite
3. realsite initiates push request to user's device
4. User confirms they are trying to log in
5. realsite cryptographically verifies confirmation
6. Phisher is authenticated.
See the original tweet for a demo with SMS 2FA, just imagine a push request instead of SMS and the same attack works.
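The six-step proxy flow above, modelled as an added example (this is not code from the thread, from Authy, or from any real 2FA product): HMAC stands in for the device's signature and the two origins are made up. It shows why step 5 "verifies" nothing useful, and what changes when the assertion also covers the origin the browser is actually on, as U2F does.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://realsite.example"   # constructed origin of the real service
FAKE_ORIGIN = "https://fakesite.example"   # constructed origin of the proxying phish page
DEVICE_KEY = secrets.token_bytes(32)       # stand-in for the user's enrolled device key


def device_sign(payload: bytes) -> bytes:
    # HMAC stands in for the device's signature; the scheme, not the primitive, is the point.
    return hmac.new(DEVICE_KEY, payload, hashlib.sha256).digest()


def push_approve(challenge: bytes) -> bytes:
    # Push 2FA: the user taps "yes, that's me" on a real device. The device sees only
    # the challenge; nothing in the approval says which site the browser is on.
    return device_sign(challenge)


def origin_bound_assert(challenge: bytes, browser_origin: str) -> tuple[str, bytes]:
    # U2F-style: the browser (not the page, not the phisher) supplies the origin it is
    # actually on, and the device signs over challenge and origin together.
    return browser_origin, device_sign(challenge + browser_origin.encode())


def realsite_verify_push(challenge: bytes, approval: bytes) -> bool:
    # Step 5 of the thread: the signature is genuine, so realsite accepts it.
    return hmac.compare_digest(approval, device_sign(challenge))


def realsite_verify_origin_bound(challenge: bytes, origin: str, sig: bytes) -> bool:
    # realsite only accepts an assertion made for its own origin; a relayed assertion
    # signed over fakesite's origin fails even if the phisher rewrites the origin field.
    expected = device_sign(challenge + REAL_ORIGIN.encode())
    return origin == REAL_ORIGIN and hmac.compare_digest(sig, expected)


def login(scheme: str, browser_origin: str) -> bool:
    """Steps 3-6: realsite issues a challenge; the user's device answers it.

    browser_origin is where the user's browser really is (FAKE_ORIGIN when proxied).
    Returns True if realsite grants the session to whoever relayed the answer.
    """
    challenge = secrets.token_bytes(16)                  # step 3
    if scheme == "push":
        return realsite_verify_push(challenge, push_approve(challenge))   # steps 4-6
    origin, sig = origin_bound_assert(challenge, browser_origin)
    return realsite_verify_origin_bound(challenge, origin, sig)
```

Against the proxy, `login("push", FAKE_ORIGIN)` is True (the phisher's session is accepted) while `login("origin-bound", FAKE_ORIGIN)` is False; the legitimate `login("origin-bound", REAL_ORIGIN)` still succeeds.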