undefined | Better HN

0 pointsTerr_1y ago0 comments

> In the EU these hardware keyfobs are now forbidden for banking [...] an app-based confirmation gives you the opportunity to review the transaction you are confirming;

I'm confused, that seems like it confuses two independent aspects:

1. Whether the TOTP code comes from a fob-device versus a phone-device.

2. Whether some interactive interface you're using gives you a chance to see/confirm what you're about to authorize or not.

A phone app can lie to you about the transaction you're about to authorize regardless of whether the TOTP code was transcribed from an external device, transcribed from another app on the same phone, or auto-filled by itself.

0 comments

fph1y ago

This assumes that the banking app receives push data about the transaction by the bank, and simply has an "approve" button A simple 2FA app like Authy/Aegis that produces a number has the same problems as the keyfob.

The threat model is: malicious actor posing as the bank website, but legitimate keyfob or legitimate app. With the keyfob, the website intercepts a valid password and a valid 2FA code; with the app, nothing happens because it doesn't receive push data from the true bank.

I hope it is more clear now!

Terr_OP1y ago

> with the app, nothing happens because it doesn't receive push data from the true bank.

I don't see how that feature matters to a man in the middle attack during logon, since:

1. User opens web browser at a phishing site, which is masquerading as their bank, and starts the login process.

2. Phishing site interacts with bank.

3. Bank sends push-notification to the phone# that's on-file for that user: "Hey, that you logging in right now? Press the Yes button if so."

4. User sees it, expects it, presses the button, and then proceeds to hand over their TOTP and password to the phishing site anyway.

I suppose it might help on a per-transaction basis if the phishing site tries to trigger a hidden transaction, but at that point the app is just a way to streamline: "We sent you a code by SMS, enter that code to confirm the transaction."

fph1y ago

The point is that the app displays data on the transaction. If the phishing site tries to trigger a hidden transaction (or modify one that you are entering), you can review amount, recipient, and description _on the app_.

j / k navigate · click thread line to collapse

0 pointsTerr_1y ago0 comments

> In the EU these hardware keyfobs are now forbidden for banking [...] an app-based confirmation gives you the opportunity to review the transaction you are confirming;

I'm confused, that seems like it confuses two independent aspects:

1. Whether the TOTP code comes from a fob-device versus a phone-device.

2. Whether some interactive interface you're using gives you a chance to see/confirm what you're about to authorize or not.

0 comments

fph1y ago

I hope it is more clear now!

Terr_OP1y ago

> with the app, nothing happens because it doesn't receive push data from the true bank.

I don't see how that feature matters to a man in the middle attack during logon, since:

1. User opens web browser at a phishing site, which is masquerading as their bank, and starts the login process.

2. Phishing site interacts with bank.

3. Bank sends push-notification to the phone# that's on-file for that user: "Hey, that you logging in right now? Press the Yes button if so."

4. User sees it, expects it, presses the button, and then proceeds to hand over their TOTP and password to the phishing site anyway.

fph1y ago

j / k navigate · click thread line to collapse