Re: [mailop] Phishing and 2FA auth

2022-11-20 Thread Ángel via mailop
On 2022-11-20 at 18:58, Slavko via mailop wrote:
> On 20 November 2022 17:55:18 UTC, Ken Simpson <ksimp...@mailchannels.com> wrote:
> > One-time passwords can always be man-in-the-middle'd, since there's
> > no way
> > for the user to determine whether or not there is someone in the
> > middle
> > snooping their OTP and password. The phishing attack only has to
> > deceive
> > the user into entering their password and their OTP, both of which
> > can then
> > be forwarded to the real login page behind the scenes.
> 
> Now we are back at the start (my first message): OTP solves the problem
> only partially -- the user doesn't need to take action, as the password will
> expire soon, often sooner than the user would change it.
> 
> And by this, OTP doesn't solve sending SPAM from leaked passwords
> + OTP, as while the token is valid, they can misuse the victim's account and
> send tons of SPAM in a relatively short time. And one still has to
> apply some form of rate limiting...

An OTP would be valid for *seconds*. Maybe even *minutes*. That greatly
reduces the risks of password stealing. Of course, a system could
require an OTP for login, but once the attacker authenticates "live",
the session might end up open in the bad guy's browser for months...



> 
> > Hopefully, WebAuthn gains
> > traction, making passwords irrelevant by allowing devices to
> > maintain a secure authentication key for each website within a
> > trusted execution environment such as Apple's so-called "Secure
> > Enclave."
> 
> Hmm, I am not aware of that and I am not sure if I want to let the
> browser (or device) decide whether I am logged in or not. Sooner or
> later it will be misused and leave users in a middle state -- you will
> not be logged in, but the site will be able to identify you.

WebAuthn uses a "device" which will provide an authentication _for a
given website_. That should remove the risk of leaking your password to
a fake website, as it would be a different URL.

> 

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Phishing and 2FA auth

2022-11-20 Thread Slavko via mailop
On 20 November 2022 17:55:18 UTC, Ken Simpson wrote:
>One-time passwords can always be man-in-the-middle'd, since there's no way
>for the user to determine whether or not there is someone in the middle
>snooping their OTP and password. The phishing attack only has to deceive
>the user into entering their password and their OTP, both of which can then
>be forwarded to the real login page behind the scenes.

Now we are back at the start (my first message): OTP solves the problem
only partially -- the user doesn't need to take action, as the password will
expire soon, often sooner than the user would change it.

And by this, OTP doesn't solve sending SPAM from leaked passwords
+ OTP, as while the token is valid, they can misuse the victim's account and send
tons of SPAM in a relatively short time. And one still has to apply some
form of rate limiting...

>Still, OTP is considered better than SMS because of attacks on the mobile
>infrastructure that allow bad guys to potentially receive your SMS
>messages, whereas the OTP code is generated directly on your device.

I am aware of the SMS weakness; in theory (I never tried) I am able to carry
it out, no need to discuss this.

>Hopefully, WebAuthn  gains traction,
>making passwords irrelevant by allowing devices to maintain a secure
>authentication key for each website within a trusted execution environment
>such as Apple's so-called "Secure Enclave."

Hmm, I am not aware of that and I am not sure if I want to let the browser
(or device) decide whether I am logged in or not. Sooner or later it will be
misused and leave users in a middle state -- you will not be logged in, but
the site will be able to identify you.

Anyway, at first look it seems to make SPAM floods from compromised devices
even simpler, and you will see the real user's IP on the server side.

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] Phishing and 2FA auth

2022-11-20 Thread Gellner, Oliver via mailop

> On 19.11.2022 at 16:54 Slavko via mailop wrote:
>
> Please, can it really be as "simple"? If yes, then my understanding is
> that 2FA doesn't solve the leaked passwords problem, as advertised
> by many sites, but it solves only that this problem will be self-solved
> as the token expires (week or two), without the user's password changes.
> Is my understanding right?
>
> If yes, then 2FA is not the holy grail of solving the SPAM & leaked
> passwords problem, as the attacker can send a lot of SPAM via this
> phished account (ignore rate limiting for now) until the OTP expires.
> Right?


As an addition, multi-factor authentication doesn't say anything about which 
factors are used or their security. No MFA method provides unbreakable security 
and makes attacks impossible; however, in any case it greatly increases the 
barrier for an attack. For example, instead of passwords, which are changed 
every few months to never, TOTPs expire every 30 to 60 seconds and make password 
reuse attacks impossible. U2F, as another example, as mentioned by Ken, provides 
a secret that is cryptographically tied to a service/site, which prevents 
phishing via lookalike or typosquatting domains.

The problem with MFA is not that it's not secure, but rather that it is more 
difficult to use than 1FA and often also provides no simple recovery procedure 
for forgotten credentials.

—
BR Oliver


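As an added example (not code from this thread or from any of the projects mentioned in it), the following Go program implements RFC 4226 HOTP / RFC 6238 TOTP generation and a server-side verifier, then plays out the relay described above: the code the victim typed into a phishing page is accepted when forwarded within seconds, refused as a replay once its time step has been consumed (for instance by the victim's own login), and refused outright once the window has passed. The shared secret is the RFC 6238 test-vector seed so the codes can be checked against the RFC; the login timestamp, the 30 s step and the one-step drift window are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

// Constructed example secret: the RFC 6238 test-vector seed, so the output can
// be checked against the RFC. A real service stores a random per-user secret.
var sharedSecret = []byte("12345678901234567890")

const (
	stepSeconds = 30 // RFC 6238 default time step
	driftSteps  = 1  // accept one step either side for clock skew
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation
// to 31 bits, then the low six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is RFC 6238: the counter is the number of whole time steps since the Unix epoch.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/stepSeconds))
}

// Verifier is the relying party's side. A code is accepted only inside the
// drift window, and each time step is consumed once: after a login has used a
// step, the same code is rejected, so a phished code buys the attacker one
// login inside roughly a minute, not a reusable password.
type Verifier struct {
	secret       []byte
	lastAccepted int64 // highest time step already used; -1 = none
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastAccepted: -1}
}

func (v *Verifier) Verify(code string, unixTime int64) bool {
	if _, err := strconv.Atoi(code); err != nil || len(code) != 6 {
		return false
	}
	now := unixTime / stepSeconds
	for step := now - driftSteps; step <= now+driftSteps; step++ {
		if step <= v.lastAccepted {
			continue // already consumed: this is a replay
		}
		want := hotp(v.secret, uint64(step))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastAccepted = step
			return true
		}
	}
	return false
}

func main() {
	const t0 int64 = 1_700_000_000 // constructed timestamp of the victim's login
	code := totp(sharedSecret, t0)  // what the victim types into the phishing page
	v := NewVerifier(sharedSecret)
	fmt.Println("relayed 5 s later:   ", v.Verify(code, t0+5))                        // true
	fmt.Println("replayed 10 s later: ", v.Verify(code, t0+10))                       // false: step consumed
	fmt.Println("submitted 95 s later:", NewVerifier(sharedSecret).Verify(code, t0+95)) // false: outside window
}
```

The replay tracking is what separates "valid for seconds" from "valid until the server says otherwise": without `lastAccepted`, a relay that forwards the code a second time inside the window would get a second session.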


Re: [mailop] Phishing and 2FA auth

2022-11-20 Thread Jaroslaw Rafa via mailop
On 20.11.2022 at 12:16:59 Slavko via mailop writes:
> 
> Thank you for the details. I think that now I better understand that; now I assume
> that the particular SW is either outdated or that OTP phishing works only in some
> cases, not generally.

By the way, 2FA was never meant as a tool to protect against phishing.

It was only meant to protect against password leakage, i.e. cases when someone
(passively) gets to know your password. An example scenario is when there is
a security breach at some online service, and a database of usernames and
password hashes becomes public, then someone manages to de-hash (crack) your
password. He still cannot log in without the second factor.

2FA was not meant to protect against active credentials extraction, as in
the case with phishing and a fake website.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Phishing and 2FA auth

2022-11-20 Thread Ken Simpson via mailop
One-time passwords can always be man-in-the-middle'd, since there's no way
for the user to determine whether or not there is someone in the middle
snooping their OTP and password. The phishing attack only has to deceive
the user into entering their password and their OTP, both of which can then
be forwarded to the real login page behind the scenes.

Still, OTP is considered better than SMS because of attacks on the mobile
infrastructure that allow bad guys to potentially receive your SMS
messages, whereas the OTP code is generated directly on your device.

Hopefully, WebAuthn  gains traction,
making passwords irrelevant by allowing devices to maintain a secure
authentication key for each website within a trusted execution environment
such as Apple's so-called "Secure Enclave."

Regards,
Ken

On Sun, Nov 20, 2022 at 4:20 AM Slavko via mailop wrote:

> On 19 November 2022 17:07:22 UTC, Ken Simpson via mailop <mailop@mailop.org> wrote:
>
> >Not all 2FA approaches are equal. The most robust 2FA systems are ones in
> >which both the service and the second-factor client robustly authenticate
> >each other. Two-way authentication eliminates the possibility that someone
> >can sit in the middle of the second-factor exchange to gain access.
> >
> > ...
>
> Thank you for the details. I think that now I better understand that; now I
> assume that the particular SW is either outdated or that OTP phishing works
> only in some cases, not generally.
>
> regards
>
>
> --
> Slavko
> https://www.slavino.sk/
>


-- 

Ken Simpson

CEO, MailChannels





Re: [mailop] Phishing and 2FA auth

2022-11-20 Thread Slavko via mailop
On 19 November 2022 17:07:22 UTC, Ken Simpson via mailop wrote:

>Not all 2FA approaches are equal. The most robust 2FA systems are ones in
>which both the service and the second-factor client robustly authenticate
>each other. Two-way authentication eliminates the possibility that someone
>can sit in the middle of the second-factor exchange to gain access.
>
> ...

Thank you for the details. I think that now I better understand that; now I assume
that the particular SW is either outdated or that OTP phishing works only in some
cases, not generally.

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] Phishing and 2FA auth

2022-11-19 Thread Ken Simpson via mailop
Hi Slavko

Not all 2FA approaches are equal. The most robust 2FA systems are ones in
which both the service and the second-factor client robustly authenticate
each other. Two-way authentication eliminates the possibility that someone
can sit in the middle of the second-factor exchange to gain access.

For example, if SMS is used as the second factor, an attacker can present a
convincing website that collects your password and forwards it to the
service you are trying to log in to. That convincing website can also ask
you for the SMS code the service sends to your device, passing the second
factor along and completing the login.

The same goes for OTP systems like Authy or Google Authenticator.

With the advent of the secure enclave and other trusted execution
environments in mobile devices, services can now rely on an encrypted
exchange with your mobile device as the second factor. Many large,
frequently phished services, such as Google and Adobe, provide a
dedicated authentication app that fulfills this purpose. Enterprise options
like Duo perform the same function.

FIDO U2F keys are yet another very secure 2FA option. These devices
participate in a secure exchange with the service, with the web browser
only acting as an intermediary to carry encrypted data between the hardware
key and the service itself. A phishing site would not gain anything of
value by intercepting the hardware key's information because the data is
encrypted directly with the service and cannot be tampered with by an
intermediary.

Unfortunately, authentication is only as secure as the weakest link. If a
service offers a weak two-factor option, some users will opt for that, and
their accounts will be less secure and more open to phishing.

Regards,
Ken



On Sat, Nov 19, 2022 at 7:51 AM Slavko via mailop wrote:

> Hi all,
>
> recently I searched GitHub projects to find some tools/templates for
> phishing messages, as I want to train my colleagues (I am not
> interested in real phishing).
>
> As a result I found one Go project for that, but I found a lot of projects,
> which declare themselves as for training/learning of course, with phished
> site templates/copies, and some of them declare that they are
> able even to get 2FA OTPs. I have no links to them and I didn't inspect
> in detail how it works, as I am not interested in that. I only remember
> that they catch OTPs too by some way in their site copies.
>
> But my curiosity grows with time on the topic of what 2FA solves then,
> thus I want to ask about it here, in hope to better understand it.
>
> Please, can it really be as "simple"? If yes, then my understanding is
> that 2FA doesn't solve the leaked passwords problem, as advertised
> by many sites, but it solves only that this problem will be self-solved
> as the token expires (week or two), without the user's password changes.
> Is my understanding right?
>
> If yes, then 2FA is not the holy grail of solving the SPAM & leaked
> passwords problem, as the attacker can send a lot of SPAM via this
> phished account (ignore rate limiting for now) until the OTP expires.
> Right?
>
> Or do I miss something?
>
> thanks
>
> --
> Slavko
> https://www.slavino.sk/
>


-- 

Ken Simpson

CEO, MailChannels



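To make concrete why the relay that works against SMS and TOTP codes fails against U2F/WebAuthn, here is an added Go model of the WebAuthn assertion ceremony; it is example code written for this page, not code from the thread, from any browser or from any WebAuthn library. It has an authenticator holding one P-256 key per RP ID, a browser that derives the RP ID from the page's own origin and writes clientDataJSON itself, and a relying party that checks the challenge it issued, its own origin, its own rpIdHash and the ECDSA signature over exactly those bytes. The hostnames example.test and example-login.test and the fixed challenge strings are constructed for the example, authenticatorData is reduced to rpIdHash (real data also carries flags and a signature counter), and the RP ID is taken as the origin host rather than a full effective-domain computation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData is the clientDataJSON the browser (not the page) builds and the authenticator signs over.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is the result of navigator.credentials.get(); AuthData is reduced to rpIdHash here.
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// authenticator holds one P-256 key pair per RP ID, created at registration.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// browserGet models the browser: the RP ID comes from the page's own origin, not from the page.
func (a *authenticator) browserGet(origin, challenge string) (*assertion, error) {
	rpID := strings.TrimPrefix(origin, "https://") // simplification; real browsers use the effective domain
	key, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential for %q", rpID)
	}
	return a.sign(key, rpID, origin, challenge)
}

// sign is the authenticator step: ECDSA over SHA-256(authData || SHA-256(clientDataJSON)).
func (a *authenticator) sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (*assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(rpHash[:], cd))
	return &assertion{AuthData: rpHash[:], ClientDataJSON: cd, Signature: sig}, err
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// relyingParty is the real site's server; challenge is the one it issued for this login.
type relyingParty struct {
	rpID, origin, challenge string
	pub                     *ecdsa.PublicKey
}

// verify checks its own challenge, its own origin, its own rpIdHash, and the signature over all of them.
func (rp *relyingParty) verify(as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != rp.challenge {
		return errors.New("wrong ceremony type or challenge")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q not allowed", cd.Origin)
	}
	if want := sha256.Sum256([]byte(rp.rpID)); string(as.AuthData) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// runDemo plays a legitimate login and three things a phishing relay can try. Hostnames and
// challenges are constructed for the example; a real RP issues a random challenge per login.
func runDemo() (legitOK, phishNoCred, wrongOriginRejected, rewriteRejected bool) {
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &relyingParty{rpID: "example.test", origin: "https://example.test"}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration; only fails if crypto/rand does
	auth.keys[rp.rpID], rp.pub = key, &key.PublicKey
	rp.challenge = "challenge-1"
	as, err := auth.browserGet(rp.origin, rp.challenge)
	legitOK = err == nil && rp.verify(as) == nil
	// Relay proxies a fresh challenge to a victim on a lookalike host: no credential for that RP ID.
	rp.challenge = "challenge-2"
	_, err = auth.browserGet("https://example-login.test", rp.challenge)
	phishNoCred = err != nil
	// Even a browser that signed with the real key over the phishing origin is rejected by the RP...
	as, _ = auth.sign(key, rp.rpID, "https://example-login.test", rp.challenge)
	wrongOriginRejected = rp.verify(as) != nil
	// ...and rewriting the origin in transit breaks the signature instead.
	as.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: rp.challenge, Origin: rp.origin})
	rewriteRejected = rp.verify(as) != nil
	return
}

func main() { fmt.Println(runDemo()) } // true true true true
```

The three failing cases are the whole point: a relay between the victim and the real site can forward bytes, but it cannot make the victim's browser put the real origin into clientDataJSON, and it cannot change that field afterwards without invalidating the signature the server checks.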