I think it's much harder to deploy that to a large number of vulnerable WordPress and Joomla sites. And I'm not seeing it in the wild, but that's probably because no one uses 2FA.
(I worry my replies come off as disagreement rather than nuanced agreement)
I don't think it's harder, but you're right - we don't see it for opportunistic phishing yet because why bother investing in supporting it to increase victim yield by 1%? It's just bad economics.
The key point is that phishers aren't going to pack up and go home because they now have to phish two passwords instead of one; they'll just take the hit and rewrite their scripts when it makes economic sense to do so.
Agreed. My bet is that in the interim I can protect more users using SMS, then transition them to push (à la Google's approach) and U2F when we can.
IMHO the issue with SMS 2FA isn't with the GSM attacks by https://de.m.wikipedia.org/wiki/Karsten_Nohl but with rogue apps intercepting SMSes on smartphones. But either way, NIST 800-63B has deprecated SMS for 2FA, so it's basically dead. Or at least walking dead ;)
Even U2F is useless on a compromised endpoint. If you require a solution for phishing to work on a compromised endpoint, then I wouldn't hold your breath waiting.
The primary scenario that SMS 2FA prevents is account takeover via password reuse, not live phishing. Our data shows that the former is many many times more prevalent.
Replying to @alexstamos @musevg and
I'm not sure what I said that you're disagreeing with! It seems completely plausible to me that dumped creds are tested more often than phishing, I don't think I've disputed that?
I'm disagreeing with SMS 2FA being "basically useless". I don't think the data supports that.
Replying to @alexstamos @taviso and
Don't have big, systematic data on this but I constantly hear all over the world from people without any 2FA whose accounts get taken over via password reuse and much rarer live phishing of SMS 2FA. I do push people to U2F but, ceteris paribus, SMS 2FA seems way better than none.
It happens rarely for opportunistic phishing because the economics don't make sense. Why change your code to increase victim yield by 1%? If that number increases, so will attacks. If 1% of users had to type "banana" into a form field, they would also be phished less.
Would you argue that my banana-factor authentication scheme is better than none if it has the same property of reducing opportunistic phishing when only enabled for 1% of users?
Replying to @taviso @alexstamos and
I deal with a lot of people who are political targets but not necessarily state-level targets. There is a significant amount of opportunistic targeting of such people by people with zero tech skills or economic incentives. Even SMS 2FA cuts that a lot.