I deal with a lot of people who are political targets but not necessarily state-level targets. There is a significant amount of opportunistic targeting of such people by people with zero tech skills or economic incentives. Even SMS 2FA cuts that a lot.
Replying to @zeynep @alexstamos and
You're correct, when enabled for 1% of users it effectively makes them too expensive to phish. That's only true if the attacker gets 1% more victims when he supports it. If he gets 30% more victims, the economics change and it's worth supporting. The attacker already has the capability to phish.
1 reply 0 retweets 1 like
Replying to @taviso @alexstamos and
In my observations, password reuse and easy to guess passwords are the huge threats on their own. Phishing, while also not apparently that much harder in theory, is actually practically out-of-reach for many of these opportunistic attackers.
1 reply 1 retweet 4 likes
Could attackers improve? Sure, in theory. But in theory people could be convinced not to reuse passwords or make them their kid’s name. That said, I spend much of my life trying to convince people to use auth apps or U2F.
3 replies 0 retweets 2 likes
Replying to @zeynep @alexstamos and
I guess I'm not sure I understand where we disagree, we both agree that attackers can improve, and both agree they haven't yet while adoption is so low. Is it that you argue that even when forced to adapt because of high adoption of SMS-2FA, they'll just pack up and go home?
1 reply 0 retweets 0 likes
Replying to @taviso @alexstamos and
Yes. In my experience, there is a non-negligible group of opportunistic attackers that can do password reuse/kid’s name password but will not/cannot escalate. This doesn’t apply to any high-value target or to systematic phishers (who have economic concerns).
2 replies 2 retweets 3 likes
Replying to @zeynep @alexstamos and
I definitely disagree, you don't have to be a skilled attacker to buy a PHP phishing script. Right now it's more expensive for so little benefit, but when it's the only option, why wouldn't they?
1 reply 0 retweets 0 likes
Replying to @taviso @alexstamos and
Because people don't operate like that. Why do people, even people whose lives are on the line, reuse passwords? Just saying "you have to buy a phishing script" will scare off so many opportunistic attackers.
2 replies 1 retweet 1 like
Replying to @zeynep @alexstamos and
I'm confused, how did they get their existing script? Editing it themselves works too. You agree that SMS-2FA does not require any capability that the attacker has not already demonstrated, or you're saying adding or buying some code is a new capability that the attacker won't have?
1 reply 0 retweets 0 likes
Replying to @taviso @alexstamos and
I'm referring not to phishing but to password reuse/easy passwords, which is what SMS 2FA helps block. That might be the only point where we disagree. In my world, password reuse/easy-to-guess passwords are huge vulnerabilities even among highly motivated at-risk users.
1 reply 0 retweets 2 likes
Your question seems to be: is there a sizable group that, if they can't get in via [MYKIDSNAMEBIRTHYEAR], will just give up? In my admittedly observational view, yes.