You're correct, when it's enabled for 1% of users it effectively makes them too expensive to phish. That's only true if the attacker gets 1% more victims when he supports it. If he gets 30% more victims, the economics change and it's worth supporting. The attacker already has the capability to phish.
Replying to @taviso @alexstamos and
In my observations, password reuse and easy to guess passwords are the huge threats on their own. Phishing, while also not apparently that much harder in theory, is actually practically out-of-reach for many of these opportunistic attackers.
1 reply 1 retweet 4 likes
Could attackers improve? Sure, in theory. But in theory people could be convinced not to reuse passwords or make them their kid’s name. That said, I spend much of my life trying to convince people to use auth apps or U2F.
3 replies 0 retweets 2 likes
Replying to @zeynep @alexstamos and
I guess I'm not sure I understand where we disagree. We both agree that attackers can improve, and both agree they haven't yet while adoption is so low. Is it that you argue that even when forced to adapt because of high adoption of SMS-2FA, they'll just pack up and go home?
1 reply 0 retweets 0 likes
Replying to @taviso @alexstamos and
Yes. In my experience, there is a non-negligible group of opportunistic attackers that can do password reuse/kid’s name password but will not/cannot escalate. This doesn’t apply to any high-value target or to systematic phishers (who have economic concerns).
2 replies 2 retweets 3 likes
If we disagree, it's that I don't think SMS 2FA is basically worthless. If you're a vendor, I'd be begging you not to do it that way, and to adopt U2F and/or an auth app. Still, for many users, those are surprisingly hard steps.
1 reply 1 retweet 2 likes
Replying to @zeynep @alexstamos and
I get that, but my point was you can achieve the same result that we both like (lower opportunistic phishing) with my silly banana scheme. Is my banana scheme basically worthless? If yes, then why is it worse than SMS-2FA?
1 reply 0 retweets 0 likes
Replying to @taviso @alexstamos and
"Banana" is a fixed word? Once again, anything that involves typing something is not a huge barrier to opportunistic attacks. Mutter the words "php script", and a surprisingly non-negligible number of them seem to scatter.
1 reply 0 retweets 1 like
Replying to @zeynep @alexstamos and
Yes, fixed word, must be typed into a form field. Your php script will have to be changed to support it. So you're saying that my banana scheme isn't worthless, and has value?
1 reply 0 retweets 0 likes
Replying to @taviso @alexstamos and
This may seem really weird, but even that might have a non-zero impact. Though the distance between (1) regular phishing and (2) editing php script is probably much closer than the difference between (3) guessing easy password and (4) escalating to phishing a hard password.
2 replies 0 retweets 1 like
(1) can probably do (2) a lot more often than (3) can do (4). I understand that these aren't necessarily that different or big steps, but opportunistic attackers often share similar population vulnerabilities to people reusing passwords.