SwiftOnSecurity

There was a time you could defeat almost all email account compromise by just… turning off legacy authentication in Exchange. You became a ghost. That’s how all attacker tools worked.
Now they have upgraded to account for modern authentication.
YOU CANNOT STOP improving. You are aging quickly.

11 comments
Tony Yarusso

@SwiftOnSecurity Can we just reinstall Humanity instead of dealing with all the malware on this instance?

Becky

@SwiftOnSecurity aging? HA! I’m desiccating. Practically just grumpy carbon isotopes

DELETED

@SwiftOnSecurity

Could I ask you for a bit more explanation?

If a crook goes to my bank's website, types in my email address, and clicks "forgot password," then even if the crook is able to intercept the one-time authentication code that's texted to my phone, they still won't be able to get into my bank account, unless they're first able to get into my email account to get my "reset password" link, right?

Adora (She/Her) :flag_transgender:

@barney @SwiftOnSecurity

But basically what swift is describing is both:

that a lot of services let you use your phone as a full login method if everything else fails without additional auth by default (example Gmail. Pretend you forgot your password and try it)

Also your password may leak, be stolen or reused from somewhere compromised and you expect the 2fa to protect against that (example bank)

Plus like your example that verifies email, if they get into your email because it allows single factor, isn't that the same thing?

Rich Felker

@SwiftOnSecurity I can defeat all Exchange email account compromise by just... not using Exchange. 😂

░▒▓ Logis ▓▒░ :donor:

@SwiftOnSecurity I was SIM hijacked a few years ago. Within 10 minutes they got into my email and pivoted to Coinbase. And the only thing that saved me was that account was non-SMS 2-factor

Fishd

@L0G1S @SwiftOnSecurity Given the wide availability of alternative 2fa methods, it's hard to see firms that only offer SMS as anything other than complacent or complicit.

Andrew Feeney

@L0G1S @SwiftOnSecurity I hear a lot about SIM hijacking in the states but less so in Australia. This is anecdotal of course. Does anyone know if it’s just as easy to do in Australia?

🔗 David Sommerseth

@andrewfeeney @L0G1S I dunno about the approach @SwiftOnSecurity describes.

But the IMSI catchers are "affordable" these days.

arstechnica.com/information-te

With an IMSI catcher you can also snitch up SMSes. And the SS7 signalling system typically used between telco companies to enable communication between phone subscribers regardless of the network they are connected to is riddled with security issues.

Basically consider all phone network communication to be broken by default. And make use of proper #E2EE on top of that network instead. E2EE gives you a protection which does not depend on your communication channel itself to be secure.

Infoseepage #StopGazaGenocide

@L0G1S @SwiftOnSecurity I really, really prefer non-sms based 2fa. Once they've got your phone and email, most services will allow attackers to do password resets without anything else. They're the twin keys of the castle and in most cases you only need one or the other. I've seen so many people get owned top to bottom because of this shit. Hardware tokens all the way.
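
The chain the replies above describe (a SIM swap or a reused password yields the mailbox, and then every account whose reset link lands in that mailbox falls with it) can be checked against a recovery policy with a small dependency model. This is an added example, not code from the thread or from any of its posters; the account names, factor names and both policies are constructed for illustration, and `takeover_set` and `single_factor_accounts` are hypothetical helpers.

```python
"""Model account-recovery dependencies and compute the blast radius of one
compromised factor. Constructed sample data, not taken from the thread."""
from typing import Iterable

# For each account, a list of factor sets. Holding ALL members of any ONE set
# is enough to take the account over, whether through normal login or a
# "forgot password" flow. Another account may appear as a factor: "email"
# in bank's list means "a reset link sent to the mailbox is sufficient".
# "password" is shared across accounts on purpose, to model password reuse.
WEAK_POLICY: dict[str, list[set[str]]] = {
    "email":  [{"password"}, {"sms"}],            # SMS code alone resets the mailbox
    "bank":   [{"password", "sms"}, {"email"}],   # reset link goes to email
    "wallet": [{"password", "totp"}, {"email"}],  # app 2FA, but email reset still allowed
    "hwkey":  [{"password", "fido2"}],            # no out-of-band reset at all
}

# Same accounts after moving mailbox recovery off SMS and onto a second factor.
HARDENED_POLICY: dict[str, list[set[str]]] = {
    **WEAK_POLICY,
    "email": [{"password", "totp"}],
}


def takeover_set(compromised: Iterable[str],
                 policy: dict[str, list[set[str]]]) -> set[str]:
    """Return every account an attacker ends up owning, starting from the
    given compromised factors and iterating until no new account falls."""
    held = set(compromised)       # factors the attacker can present
    owned: set[str] = set()       # accounts taken over so far
    changed = True
    while changed:
        changed = False
        for account, paths in policy.items():
            if account in owned:
                continue
            if any(path <= held for path in paths):
                owned.add(account)
                held.add(account)  # an owned account is now usable as a factor
                changed = True
    return owned


def single_factor_accounts(policy: dict[str, list[set[str]]]) -> set[str]:
    """Accounts that fall to exactly one factor (including another account),
    i.e. the ones where 2FA is only cosmetic because a reset path bypasses it."""
    return {acct for acct, paths in policy.items()
            if any(len(path) == 1 for path in paths)}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: SMS only       -> {sorted(takeover_set({'sms'}, policy))}")
        print(f"{name}: password only  -> {sorted(takeover_set({'password'}, policy))}")
        print(f"{name}: single-factor  -> {sorted(single_factor_accounts(policy))}")
```

Under `WEAK_POLICY` a hijacked SIM alone is enough to own the mailbox, and from there the bank and the wallet, even though the wallet itself has app-based 2FA. Under `HARDENED_POLICY` the same SIM yields nothing, but the mailbox remains the master key once it does fall, which is the "twin keys of the castle" point made above.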
