About that 2FA. What is your opinion on SMS-2FA? @taviso was kind of harsh about it: https://twitter.com/taviso/status/942082082385182720
Replying to @rinorragi @taviso
It’s something in addition to a password alone so that’s good, the discussion then is how readily exploitable it is
I guess there is also a discussion about whom you are trying to protect against and where you live. Operators tend to be different around the globe. Also, high-profile players like you two might have different kinds of concerns than regular users.
But back to the original question. Would you invest in developing SMS-2FA, and do you feel that it might give the user a false sense of security?
Replying to @rinorragi @taviso
Yes, then no. SIM hijacking is very targeted and when you consider that in the context of common attacks like credential stuffing, it’s a big leap forward.
Replying to @troyhunt @rinorragi
The problem with SMS-2FA isn't "sim hijacking" - The issue is you're trying to solve the problem of an attacker who can steal passwords with a second password.
Which TOTP suffers from too. I still consider this and the "sim hijacking"* less important than the account life cycle issues @alexstamos highlights. Especially if you can just email support and convincingly claim you're locked out due to a new phone/lost @Yubico.
* Where's the data on "sim hijacking"? I remember
@riskybusiness covered a German SS7 attack, which had a bunch of caveats. Everything else seems to be targeted through social engineering cell phone providers, who have stepped up their security since.
People don't claim that SMS-2FA is perfect, they claim it's "an improvement". If the issue was SMS hijacking, then that would require a new capability from the attacker. In fact, it can just be phished, and therefore does not require any new capability from attackers.
They could phish it, but it's much harder for phishers to build the infra to do so before the code expires. E.g. real-time password entry and proxying the response, and then storing the session cookie. FWIW I agree, but we need to work harder to reduce the U2F life cycle issues.
It requires a few new lines of PHP, yes. I don't agree that qualifies as "much harder".
I think the bare minimum requirement for "raising the bar" is a new capability the attacker hasn't already demonstrated.
I think it's much harder to deploy that to a large number of vulnerable WordPress and Joomla sites. And I'm not seeing it in the wild, but that's probably because no one uses 2FA.
(I worry my replies come off as disagreement rather than nuanced agreement)
I don't think it's harder, but you're right - we don't see it for opportunistic phishing yet because why bother investing in supporting it to increase victim yield by 1%? It's just bad economics.