2. It pops up a username/password screen. The user types in their credentials for realbank.com.
3a. The owners of fakebank.com use your creds to log in to realbank.com and are presented with a TOTP page.
3b. fakebank.com loads another page that asks the user for their TOTP. The user enters it, still thinking they are logging in to realbank.com.
4. The owners of fakebank.com use the TOTP to authenticate as the user with realbank.com.
Entire SDKs to automate this are sold on the black market.
You're sure this is the right web site. But Bitwarden won't fill out the code. What could be wrong? Did the idiots who make this web site change the URL?
Now, maybe you're a far above average user and you would calmly determine the exact cause, assuming at every step that the most likely explanation is you're being phished. Hopefully that's more likely now that you've done this exercise. I would love to believe I'm in this category.
But most users will just be frustrated: why wasn't it filled out? Is there a way to get the code from Bitwarden anyway? There is; it's a bit fiddly, but you can do it. Lots of users are going to do that. They might even help each other to give their credentials to bad guys. Community spirit.
Hopefully some of those users pause because this is unusual and a few of them will realise in that moment that they're being phished. But experiments suggest most won't.
Maybe the Bitwarden extension should warn users when they try to copy/view a TOTP code by searching for a login rather than using a matched entry.
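As an added example, not code from Bitwarden or from anyone in this thread: the URI-match check that makes a password manager refuse to offer realbank.com's TOTP on fakebank.com, plus the warning suggested above when a code is fetched by search instead of by match. The suffix list, entry shape and function names are constructed for this example.

```javascript
// Added example (not Bitwarden's code). A manager only offers a saved TOTP when the
// page origin matches the entry's saved URI, so a relay phishing site on another
// domain never gets a match. Suffix list and entry shape are constructed here.

// Constructed stand-in for the public-suffix list; a real manager uses the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable ("base") domain of a hostname, e.g. login.realbank.com -> realbank.com.
// Note realbank.com.fakebank.com resolves to fakebank.com, so lookalikes do not match.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) return labels.slice(i - 1).join(".");
  }
  return host.toLowerCase();
}

// Match rules modelled on common password-manager options: "host" requires the exact
// hostname, "base" accepts any subdomain of the saved registrable domain.
function uriMatches(savedUri, pageUrl, rule) {
  let saved, page;
  try { saved = new URL(savedUri); page = new URL(pageUrl); } catch { return false; }
  if (page.protocol !== "https:") return false; // never fill onto plain HTTP
  if (rule === "host") return saved.hostname === page.hostname;
  return baseDomain(saved.hostname) === baseDomain(page.hostname);
}

// `source` is "matched" when the entry was offered because the page matched, or
// "search" when the user looked it up by hand (the fiddly path described above);
// an unmatched search gets a warning instead of a silent code reveal.
function totpFillDecision(entry, pageUrl, source) {
  const matched = entry.uris.some(u => uriMatches(u.uri, pageUrl, u.match));
  if (matched) return { fill: true, warn: false };
  if (source === "search") {
    const saved = entry.uris.map(u => u.uri).join(", ");
    return { fill: false, warn: true,
      reason: `"${entry.name}" is saved for ${saved}, not for ${pageUrl}. Phishing?` };
  }
  return { fill: false, warn: false };
}

// Constructed entry for the realbank.com login from the scenario above.
const REALBANK_ENTRY = {
  name: "realbank",
  uris: [{ uri: "https://realbank.com/login", match: "base" }],
};
```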
U2F is my preferred method of MFA, but many services don't support it, and there can be practical issues even for the ones that do. For example, some services support U2F in a browser but not in mobile apps.
The point is that TOTP is precisely as bad as SMS for the common case (phishing) and only safer in a rare case (SIM-swap). This comes with large downsides (losing access).
TOTP is, at best, a very marginal improvement over SMS. This is what makes the online push to complain about services that use SMS 2FA and demand a switch to TOTP very strange.