Show HN: Phishar – Security Expert in Your Pocket (opens in new tab)

(phishar.com)

2 pointsCoxa6y ago2 comments

2 comments

helb6y ago

How does it cope with non-ASCII characters and various fonts? Suppose you had "ɡoogle.com" instead of "gooble.com" in that demo video (the first "g" is not a regular "g", but " U+0261 LATIN SMALL LETTER SCRIPT G")… Browsers tend to show IDN names in the "xn--…" punycode format, but not always.

https://en.wikipedia.org/wiki/IDN_homograph_attack

https://unicode.org/cldr/utility/confusables.jsp?a=google&r=...

https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing...

ivosluganovic6y ago

Thanks for posting!

While this might be common knowledge on this forum (is it?!), many users are unaware that even having 2FA does not protect them against credential theft via phishing. Such attacks are growing rapidly given recent exploit kits for OTP-based 2FA that are publicly available on Github (https://github.com/drk1wi/Modlishka).

PhishAR prevents such attacks by requiring that the visited domain and SSL are first checked by the user's app and only then revealing the OTP.

Any feedback would be very helpful. We are aiming at enterprise users where getting everyone to use FIDO U2F might be harder to achieve, but 2FA is mandatory (e.g. due to GDPR).

What do you think? Let us know if you would be happy testing the app once we get it a bit more polished.

j / k navigate · click thread line to collapse