undefined | Better HN

0 pointstantalor12y ago0 comments

> Does spear phishing employees email accounts and using their password to access control panels count as a bug?

Yes, because those control panels should require 2FA, so password-only access is a bug.

0 comments

3 comments · 1 top-level

ars_technician12y ago· 2 in thread

2FA is susceptible to spear phishing if all the attacker needs is a one time login.

Remember that credentials and tokens can be relayed.

tantalorOP12y ago

Not necessarily. FIDO fixes this.

http://www.fidoalliance.org/user-experience.html

ars_technician12y ago

How? A phishing site can relay any of this information by acting as a client to the real site while prompting the end user for the requested credentials.

The only way FIDO could prevent this would be to make the credentials dependent on the URL in the browser, but I don't see where it does this.

1 more reply

j / k navigate · click thread line to collapse