> It's hard to train users to not forward TOTP tokens sent to them to someone else, if the real service will text or push-notify the user their TOTP token "at random" (i.e. because the attacker tried to log in). But if the service never does that — if you always have to go and fetch the token from your TOTP app — then you can just tell the user that the only time they are to go do that is right after they've typed their username and password as part of logging in themselves; and that anything else is a phishing attempt.
A phishing attempt will do precisely this. You get a fake login page, type in your creds, and then you get a fake TOTP page.
> It's hard to train users to not type their username+password into phishing login pages, if the services you use constantly send you emails containing deep links. But if the service never does that — if the service always tells you to go to your browser and navigate to the site yourself — then it's easy to teach users to never trust a login initiated through an email.
In a prior life I did some research on phishing. It is embarrassingly easy to fool even professional security researchers. Nobody is capable of consistently preventing phishing by using their own eyes and brain.
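Added example, not part of the thread or anyone's post in it: a self-contained simulation of the relay described above (fake login page collects the password, fake TOTP page collects the code, attacker forwards both to the real site seconds later) against a toy service with RFC 6238 TOTP, alongside the same relay against a toy origin-bound authenticator in the style of WebAuthn. The service, usernames, secrets and both origins (`https://bank.example`, `https://bank-login.example`) are constructed for the demo; the "device key" HMAC stands in for a registered key pair and is not a real WebAuthn implementation.

```python
# Added example (not from the thread): relay phishing against TOTP vs. an
# origin-bound assertion. All names, secrets and origins are constructed.
import hashlib
import hmac
import secrets
import struct

STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second step containing the time `at`."""
    return hotp(secret, at // STEP)


class RealService:
    ORIGIN = "https://bank.example"  # constructed origin of the genuine site

    def __init__(self):
        self.users = {"alice": {"password": "hunter2",           # constructed
                                "totp_secret": secrets.token_bytes(20),
                                "device_key": secrets.token_bytes(32)}}  # stands in for a registered key pair
        self._challenges = set()  # outstanding challenges the service itself issued

    def _check_password(self, user, password):
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(u["password"], password)

    def login_totp(self, user, password, code, now):
        """Password + TOTP. Accepts the current and the previous step (usual clock-skew tolerance)."""
        if not self._check_password(user, password):
            return False
        secret = self.users[user]["totp_secret"]
        return any(hmac.compare_digest(totp(secret, now - d), code) for d in (0, STEP))

    def new_challenge(self):
        ch = secrets.token_bytes(16)
        self._challenges.add(ch)
        return ch

    def login_origin_bound(self, user, password, challenge, assertion):
        """Password + an assertion over (challenge || origin). The client signs the origin
        it is actually talking to, as WebAuthn does via clientDataJSON; the server verifies
        against its own origin, so an assertion made on a look-alike site never matches."""
        if challenge not in self._challenges or not self._check_password(user, password):
            return False
        self._challenges.discard(challenge)  # single use
        expected = hmac.new(self.users[user]["device_key"],
                            challenge + self.ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


class UserDevice:
    """The victim's authenticator app plus the browser-side signer."""

    def __init__(self, service):
        self.totp_secret = service.users["alice"]["totp_secret"]
        self.device_key = service.users["alice"]["device_key"]

    def read_totp(self, now):
        return totp(self.totp_secret, now)

    def sign(self, challenge, origin_in_address_bar):
        # The device signs over the origin the browser is really on, not what the page claims to be.
        return hmac.new(self.device_key, challenge + origin_in_address_bar.encode(), hashlib.sha256).digest()


class Phisher:
    ORIGIN = "https://bank-login.example"  # constructed look-alike origin

    def __init__(self, service):
        self.real = service

    def relay_totp(self, victim, now):
        password = "hunter2"           # typed into the fake login page
        code = victim.read_totp(now)   # typed into the fake TOTP page that follows it
        return self.real.login_totp("alice", password, code, now + 5)  # forwarded seconds later

    def relay_origin_bound(self, victim):
        challenge = self.real.new_challenge()             # phisher fetches a genuine challenge
        assertion = victim.sign(challenge, self.ORIGIN)   # victim's browser is on the fake origin
        return self.real.login_origin_bound("alice", "hunter2", challenge, assertion)


def run_demo(now=1_700_000_000):
    service, victim, phisher = RealService(), None, None
    victim, phisher = UserDevice(service), Phisher(service)
    legit_totp = service.login_totp("alice", "hunter2", victim.read_totp(now), now)
    ch = service.new_challenge()
    legit_bound = service.login_origin_bound("alice", "hunter2", ch, victim.sign(ch, RealService.ORIGIN))
    return {"legit_totp": legit_totp, "relayed_totp": phisher.relay_totp(victim, now),
            "legit_bound": legit_bound, "relayed_bound": phisher.relay_origin_bound(victim)}


if __name__ == "__main__":
    print(run_demo())
```

The point of the simulation is the one made in the comment: the relayed TOTP code is accepted because nothing about a six-digit code says where the user typed it, while the relayed assertion is rejected because the origin is part of what gets signed.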