Which TOTP suffers from too.
I still consider this and the "sim hijacking"* less important than the account life cycle issues @alexstamos highlights. Especially if you can just email support and convincingly claim you're locked out due to a new phone/lost @Yubico.
* Where's the data on "sim hijacking"? I remember @riskybusiness covered a German SS7 attack, which had a bunch of caveats. Everything else seems to be targeted through social engineering cell phone providers, who have stepped up their security since.
People don't claim that SMS-2FA is perfect, they claim it's "an improvement". If the issue was SMS hijacking, then that would require a new capability from the attacker. In fact, it can just be phished, and therefore does not require any new capability from attackers.
They could phish it, but it's much harder for phishers to build the infra to do so before the code expires, e.g. real-time password entry and proxying the response, and then storing the session cookie. FWIW I agree, but we need to work harder to reduce the U2F life cycle issues.
It requires a few new lines of php, yes. I don't agree that qualifies as "much harder"
I think the bare minimum requirement for "raising the bar" is a new capability the attacker hasn't already demonstrated.
I think it's much harder to deploy that to a large number of vulnerable WordPress and Joomla sites. And I'm not seeing it in the wild, but that's probably because no one uses 2FA.
(I worry my replies come off as disagreement rather than nuanced agreement.)
I don't think it's harder, but you're right - we don't see it for opportunistic phishing yet because why bother investing in supporting it to increase victim yield by 1%? It's just bad economics.
The key point is that phishers aren't going to pack up and go home because they now have to phish two passwords instead of one, they'll just take the hit and rewrite their scripts when it makes economic sense to do so
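The exchange above (a real-time proxy that forwards the victim's password and one-time code before the code expires and keeps the resulting session cookie, which hits SMS and TOTP alike) as an added, constructed example that is not part of the thread. It stands in a toy service for the real site, an HMAC for a U2F device's signature, and made-up secrets and timestamps; it is not anyone's real phishing kit. It shows why the relay needs no new capability against a code that is not bound to the page it was typed into, and why an origin-bound assertion (U2F/WebAuthn style) fails when the browser was on the attacker's origin.

```python
import hashlib
import hmac
import struct


class OtpService:
    """Constructed stand-in for a site protected by password + 6-digit code
    (SMS or TOTP). The code is valid for one 30-second step and is not bound
    to where the user typed it, which is the property a real-time relay
    exploits. A real TOTP verifier usually also accepts +/-1 step of clock
    skew; this stand-in does not, to keep the window explicit."""

    def __init__(self, password, otp_secret, step=30):
        self.password = password
        self.secret = otp_secret
        self.step = step

    def current_code(self, now):
        # RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation.
        counter = struct.pack(">Q", int(now) // self.step)
        digest = hmac.new(self.secret, counter, hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        return "%06d" % (value % 10 ** 6)

    def login(self, password, code, now):
        """Return a session cookie on success, None on failure."""
        if password == self.password and hmac.compare_digest(code, self.current_code(now)):
            return "session-" + hashlib.sha256(str(now).encode()).hexdigest()[:16]
        return None


class OtpRelayPhish:
    """Attacker's fake login page. Nothing beyond the password phish is needed:
    whatever the victim types is forwarded to the real service at once and the
    returned cookie is kept."""

    def __init__(self, real_service):
        self.real = real_service
        self.captured_cookie = None

    def submit(self, password, code, now):
        self.captured_cookie = self.real.login(password, code, now)
        return self.captured_cookie is not None


def simulate_otp_relay(relay_delay_seconds):
    """True if the relayed code still logs the attacker in after the given delay."""
    svc = OtpService("hunter2", b"constructed-otp-secret")
    phish = OtpRelayPhish(svc)
    t0 = 1_699_999_980  # constructed timestamp, start of a 30 s step
    code_victim_typed = svc.current_code(t0)
    return phish.submit("hunter2", code_victim_typed, t0 + relay_delay_seconds)


class OriginBoundService:
    """U2F/WebAuthn-style second factor: the authenticator signs
    (challenge || origin the browser is on) and the service only accepts an
    assertion whose signed origin is its own. HMAC stands in for the device key."""

    ORIGIN = "https://bank.example"  # constructed

    def __init__(self, device_key):
        self.device_key = device_key

    def login(self, challenge, signature):
        expected = hmac.new(self.device_key, challenge + self.ORIGIN.encode(),
                            hashlib.sha256).digest()
        return "session-u2f" if hmac.compare_digest(signature, expected) else None


def authenticator_sign(device_key, challenge, browser_origin):
    # The browser, not the page content, supplies the origin it is actually on,
    # so a phishing page cannot ask for a signature over the real site's origin.
    return hmac.new(device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()


def simulate_origin_bound(browser_origin):
    """True if an assertion produced while on browser_origin logs in at the real site."""
    key = b"constructed-device-key"
    svc = OriginBoundService(key)
    challenge = b"constructed-challenge-0001"  # the relay forwards the real challenge unchanged
    return svc.login(challenge, authenticator_sign(key, challenge, browser_origin)) is not None


if __name__ == "__main__":
    print("OTP relayed within the step:", simulate_otp_relay(5))      # True
    print("OTP relayed a step too late:", simulate_otp_relay(60))     # False
    print("U2F assertion from the real origin:", simulate_origin_bound(OriginBoundService.ORIGIN))   # True
    print("U2F assertion from a phish origin:", simulate_origin_bound("https://bank-login.example"))  # False
```

The relay's only constraint is timing: the forwarded code has to reach the real service inside the same 30-second step (plus whatever skew the verifier tolerates), which a script that proxies the request as it arrives meets trivially. Origin binding removes the shared secret that makes the relay work at all; it does nothing for a compromised endpoint, where the attacker already holds the session.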
Agreed. My bet is that in the interim I can protect more users using SMS, then transitioning them to push (a la the Google approach) and U2F when we can.
IMHO the issue with SMS 2FA isn't with the GSM attacks by https://de.m.wikipedia.org/wiki/Karsten_Nohl but with rogue apps intercepting SMSes on smartphones. But either way, NIST 800-63B has deprecated SMS for 2FA, so it's basically dead. Or at least walking dead ;)
Even U2F is useless on a compromised endpoint. If you require a solution for phishing to work on a compromised endpoint, then I wouldn't hold your breath waiting.
The primary scenario that SMS 2FA prevents is account takeover via password reuse, not live phishing. Our data shows that the former is many many times more prevalent.
I'm not sure what I said that you're disagreeing with! It seems completely plausible to me that dumped creds are tested more often than phishing, I don't think I've disputed that?