Gregory's ServerThere was a time you could defeat almost all email account compromise by just… turning off legacy authentication in Exchange. You became a ghost. That’s how all attacker tools worked.
Now they have upgraded to account for modern authentication.
YOU CANNOT STOP improving. You are aging quickly.
|
Top-level
 11 comments
@SwiftOnSecurity Can we just reinstall Humanity instead of dealing with all the malware on this instance? Could I ask you for a bit more explanation? If a crook goes to my bank's website, types in my email address, and clicks "forgot password," then even if the crook is able to intercept the one-time authentication code that's texted to my phone, they still won't be able to get into my bank account, unless they're first able to get into my email account to get my "reset password" link, right?  @SwiftOnSecurity I can defeat all Exchange email account compromise by just... not using Exchange. 😂 @SwiftOnSecurity I was sim hijacked a few years ago. Within 10minutes they got into my email and pivoted to coinbase. And the only thing that saved me was that account was non SMS 2 factor  @L0G1S @SwiftOnSecurity Given the wide availability of alternative 2fa methods, it's hard to see firms that only offer SMS as anything other than complacent or complicit.  @L0G1S @SwiftOnSecurity I hear a lot about Sim hijacking in the states but less so in Australia. This is anecdotal of course. Does anyone know if it’s just as easy to do in Australia?  @L0G1S @SwiftOnSecurity I really, really prefer non-sms based 2fa. Once they've got your phone and email, most services will allow attackers to do password resets without anything else. They're the twin keys of the castle and in most cases you only need one or the other. I've seen so many people get owned top to bottom because of this shit. Hardware tokens all the way. |
@SwiftOnSecurity
that darn SMTP and POP3…