> Yes, it can be phished if you fall for that, but it removes several attack vectors. How was the first factor (the password) compromised? Assuming the user is using site-unique passwords, in 99% of cases where an…
That's assuming your attacker already has your password, or the service allows SMS password reset. (thus negating the second factor. Essentially SMS becomes the only factor.)
TOTP or SMS, it's just another text password you're entering in that's fully phishable. TOTP just "feels" more secure.
Those margins are misleading because they're _multi_ service operators, and accounting standards require that you can only list direct costs. Revenue is easy: how much did you take in for video? phone? Internet access?…
> Integrating a password manager with a browser is too fragile and risky way of using both. It is best to have them fully separated so they can't communicate. They should communicate exclusively via the user. Passwords…
So if a site is compromised and requires a password rotation, do you just never use that site again?
All the encryption happens client-side. For this to be a problem you not only have to gain access to the blobs stored on their service, but you also have to be able to decrypt them. I expect they probably pay more…
This is technically true, but the most likely scenarios that result in the discovery of your secret key (128bits of entropy) + master password (?? additional bits) involve things like a device compromise. If your…
> Not at all. TCP already does its own rate limiting without external throttling. Individually, cars brake on the freeway to avoid hitting the car in front of them. Collectively on a busy freeway, that sets off a chain…
The backup function is moving to Finder before iTunes disappears entirely.
True, but these days you can disable iCloud backups without giving up all that much. (it also re-keys Messages in iCloud when you turn off backups) Keychain, messages, and health data are all E2E encrypted and synced to…
They offer ways to export your media via the Google Photos API, but you only get the "high quality compressed" version (even if you are storing in original quality) and it strips the location data out of the EXIF tags.…
2FA only helps if it's a 2-way authentication mechanism like U2F. TOPT codes are completely phish-able using ridiculously easy to setup kits out there like CredSniper[0]. Set up a MITM proxy authentication site, get the…
You can be in control of your actual data pretty easily with gmail. One of the better options I’ve found for maintaining a local archive is the Got Your Back[0] script. It maintains an SQLite DB with all of the message…
In all honesty, it's probably not worth worrying about. The implementation of 2FA you're referring to here is just adding a 2nd secret, with a small twist of having time component. There are very few scenarios where…
Fidelity already has best-in-class checking account features? The CMA account has mobile image deposit, free online bill pay, check writing (with free checks), free ACH transfers, free wire transfers, ATM/debit card…
While the new funds are attracting all the attention, I find these other changes more interesting: Expense Ratios have been slashed across existing funds: https://www.fidelity.com/mutual-funds/investing-ideas/index-...…
You find examples like this all over the place: https://security.stackexchange.com/questions/49521/does-two-... It gets worse if you search around for people talking about how they use 2FA codes to protect their…
This was also my first thought when reading this. It almost makes me wonder if it was really a SMS exploit at all — when someone has the user, pass, and 2FA code, that sounds to me like the target clicked on a…
> At least IPv6 is getting developed and it's is easier to update than DAB, so one can hope that one day in the far future it becomes usable to people like me. Millions of people unknowningly use IPv6 every day:…
Proxying the authentication isn't really an "advanced" attack. In a 19 minute video[0] the author of CredSniper[1] gives a complete walk-through for setting up his proof of concept tool, including building the login…
> Google and Apple both have mobile (non-SMS) based two factor prompts that seem equally immune to phishing? Any "type in a code" or "approve this login (yes/no)?" authentication factor is technically vulnerable. All…
> TOTP is very useful! Just use a TOTP authenticator app on your phone, and don't put them in 1Password. I was fully in that camp before I started talking with friends on red teams that were allowed to actually start…
This is where it comes down to user behavior. One of the security engineers from Stripe gave a talk about this at Blackhat last year -- she had phishing campaigns that had users ignore that autofill didn't work and…
They got around 2FA over SMS because a number of services like GMail offered password reset via SMS as well as 2FA over SMS. It was the password reset process that was the most vulnerable, and strangely the part that…
> Yes, it can be phished if you fall for that, but it removes several attack vectors. How was the first factor (the password) compromised? Assuming the user is using site-unique passwords, in 99% of cases where an…
That's assuming your attacker already has your password, or the service allows SMS password reset. (thus negating the second factor. Essentially SMS becomes the only factor.)
TOTP or SMS, it's just another text password you're entering in that's fully phishable. TOTP just "feels" more secure.
Those margins are misleading because they're _multi_ service operators, and accounting standards require that you can only list direct costs. Revenue is easy: how much did you take in for video? phone? Internet access?…
> Integrating a password manager with a browser is too fragile and risky way of using both. It is best to have them fully separated so they can't communicate. They should communicate exclusively via the user. Passwords…
So if a site is compromised and requires a password rotation, do you just never use that site again?
All the encryption happens client-side. For this to be a problem you not only have to gain access to the blobs stored on their service, but you also have to be able to decrypt them. I expect they probably pay more…
This is technically true, but the most likely scenarios that result in the discovery of your secret key (128bits of entropy) + master password (?? additional bits) involve things like a device compromise. If your…
> Not at all. TCP already does its own rate limiting without external throttling. Individually, cars brake on the freeway to avoid hitting the car in front of them. Collectively on a busy freeway, that sets off a chain…
The backup function is moving to Finder before iTunes disappears entirely.
True, but these days you can disable iCloud backups without giving up all that much. (it also re-keys Messages in iCloud when you turn off backups) Keychain, messages, and health data are all E2E encrypted and synced to…
They offer ways to export your media via the Google Photos API, but you only get the "high quality compressed" version (even if you are storing in original quality) and it strips the location data out of the EXIF tags.…
2FA only helps if it's a 2-way authentication mechanism like U2F. TOPT codes are completely phish-able using ridiculously easy to setup kits out there like CredSniper[0]. Set up a MITM proxy authentication site, get the…
You can be in control of your actual data pretty easily with gmail. One of the better options I’ve found for maintaining a local archive is the Got Your Back[0] script. It maintains an SQLite DB with all of the message…
In all honesty, it's probably not worth worrying about. The implementation of 2FA you're referring to here is just adding a 2nd secret, with a small twist of having time component. There are very few scenarios where…
Fidelity already has best-in-class checking account features? The CMA account has mobile image deposit, free online bill pay, check writing (with free checks), free ACH transfers, free wire transfers, ATM/debit card…
While the new funds are attracting all the attention, I find these other changes more interesting: Expense Ratios have been slashed across existing funds: https://www.fidelity.com/mutual-funds/investing-ideas/index-...…
You find examples like this all over the place: https://security.stackexchange.com/questions/49521/does-two-... It gets worse if you search around for people talking about how they use 2FA codes to protect their…
This was also my first thought when reading this. It almost makes me wonder if it was really a SMS exploit at all — when someone has the user, pass, and 2FA code, that sounds to me like the target clicked on a…
> At least IPv6 is getting developed and it's is easier to update than DAB, so one can hope that one day in the far future it becomes usable to people like me. Millions of people unknowningly use IPv6 every day:…
Proxying the authentication isn't really an "advanced" attack. In a 19 minute video[0] the author of CredSniper[1] gives a complete walk-through for setting up his proof of concept tool, including building the login…
> Google and Apple both have mobile (non-SMS) based two factor prompts that seem equally immune to phishing? Any "type in a code" or "approve this login (yes/no)?" authentication factor is technically vulnerable. All…
> TOTP is very useful! Just use a TOTP authenticator app on your phone, and don't put them in 1Password. I was fully in that camp before I started talking with friends on red teams that were allowed to actually start…
This is where it comes down to user behavior. One of the security engineers from Stripe gave a talk about this at Blackhat last year -- she had phishing campaigns that had users ignore that autofill didn't work and…
They got around 2FA over SMS because a number of services like GMail offered password reset via SMS as well as 2FA over SMS. It was the password reset process that was the most vulnerable, and strangely the part that…