|
Top-level
 AS DEFENSES INCREASE, other avenues of attack are unlocked as being cost-effective and needed. Suddenly your uniquely strong defense is the norm and defeating it is too. The point is staying ahead of the curve. We are now at the stage where attackers invest in durable telco compromise to allow attackers in. You MUST respond. 21 comments
@SwiftOnSecurity Can we just reinstall Humanity instead of dealing with all the malware on this instance? Could I ask you for a bit more explanation? If a crook goes to my bank's website, types in my email address, and clicks "forgot password," then even if the crook is able to intercept the one-time authentication code that's texted to my phone, they still won't be able to get into my bank account, unless they're first able to get into my email account to get my "reset password" link, right?  @SwiftOnSecurity I can defeat all Exchange email account compromise by just... not using Exchange. π @SwiftOnSecurity I was sim hijacked a few years ago. Within 10minutes they got into my email and pivoted to coinbase. And the only thing that saved me was that account was non SMS 2 factor  @L0G1S @SwiftOnSecurity Given the wide availability of alternative 2fa methods, it's hard to see firms that only offer SMS as anything other than complacent or complicit.  @L0G1S @SwiftOnSecurity I hear a lot about Sim hijacking in the states but less so in Australia. This is anecdotal of course. Does anyone know if itβs just as easy to do in Australia?  @L0G1S @SwiftOnSecurity I really, really prefer non-sms based 2fa. Once they've got your phone and email, most services will allow attackers to do password resets without anything else. They're the twin keys of the castle and in most cases you only need one or the other. I've seen so many people get owned top to bottom because of this shit. Hardware tokens all the way.  @jbiserkov @SwiftOnSecurity Weird non sequitur but okay I was referencing https://knowyourmeme.com/memes/good-luck-im-behind-7-proxies @SwiftOnSecurity So, in other words, stop using SMS-based 2FA, and start using Google Authenticator, or equivalent. @SDWolf @SwiftOnSecurity Better yet, physical security keys (although that may be overkill)!  @SDWolf @SwiftOnSecurity Now if I could get any of the banks I requirements l regularly deal with to even offer 2FA... @drwho @SwiftOnSecurity My credit union has offered several 2FA options for about a decade, including phone (call or SMS), e-mail, or they'll even mail you an EnTrust token. But, they didn't add Google Authenticator-style 6-digit OTP support until a couple months ago. @SDWolf @SwiftOnSecurity I've been trying to convince three of them to implement 2FA since the Before Times. No luck yet.  @SwiftOnSecurity And yet, some attacks remain implausible.
TOTP is still safe, as are backup recovery codes. SMS or phone-based authentication was always built on shifting sands and never should've been trusted. |
Gregory's Server
There was a time you could defeat almost all email account compromise by justβ¦ turning off legacy authentication in Exchange. You became a ghost. Thatβs how all attacker tools worked.
Now they have upgraded to account for modern authentication.
YOU CANNOT STOP improving. You are aging quickly.