@molly0xfff
Choose at least 2 of these different factors:
- Something you have
- Something you have had
- Something you have been having
- Something you had had
- Something you will be having
- Something you will have been having
Is MFA authenticator anxiety a thing? Is there a name for it?
I always have enough time when I open the authenticator app and put in the code before it times out, but I still get nervous that I will run out of time before the new number appears.
Is there a name for that type of feeling?
This is yet another reminder to utilize a password manager and allow it to generate long, complex passwords. Also, always enable MFA!
Quite a cool little song about MFA (2FA)
Handle MFA like a pro so you don’t get locked out or let the bad guys in
Why you should use MFA, what about passkeys, what kind of MFA to use, how to make it easier to use, and how to protect yourself against being locked out of an account because of MFA.
#infosec #MFA #passwordManager #passkeys
https://blog.kamens.us/2025/05/06/handle-mfa-like-a-pro-so-you-dont-get-locked-out-or-let-the-bad-guys-in/
Why #MFA is getting easier to bypass and what to do about it
A new dimension of phishing: bypassing multi-factor authentication
Experts from the Cisco Talos research group draw attention to the evolution of phishing attacks, which are becoming ever more sophisticated and can bypass even protections regarded as strong, such as multi-factor authentication (MFA).
The latest techniques use advanced methods to steal credentials and session tokens and thereby gain access to user accounts. According to Cisco Talos analyses, modern phishing attacks often rely on "man-in-the-middle" techniques (AiTM, Adversary-in-the-Middle), using proxy servers that act as intermediaries in the authentication process. In this way the attackers capture the login data and the key session cookies after the user has successfully completed the MFA step. Tokens obtained this way let cybercriminals access the victim's account even after the password has been changed.
The growth of "Phishing-as-a-Service" (PhaaS) tools such as Evilproxy makes it significantly easier for cybercriminals to carry out complex AiTM attacks. These platforms offer ready-made templates of phishing pages impersonating popular services, as well as mechanisms that make the attack harder for security systems to detect, for example by blocking access to the fake pages from IP addresses belonging to cybersecurity companies.
A characteristic feature of modern MFA-bypass kits is the injection of malicious JavaScript code into the pages being displayed. This code collects additional information about the victim and manages the redirects after the authentication cookie has been stolen. In addition, attackers often use newly registered domains and SSL certificates, which makes it harder to quickly identify them as malicious.
Cisco Talos experts stress that deploying MFA on its own no longer provides one hundred percent protection. It must be supplemented with additional layers of security and with monitoring of unusual account activity, such as new devices being added to MFA. User education in recognising increasingly convincing phishing and social-engineering attempts also plays a key role. New attack methods require organisations to keep adapting their defence strategies and to invest in advanced threat-detection tools.
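A defender-side check for the monitoring the Talos write-up above recommends (watching for new MFA devices being added), as an added example that is not Cisco's or Talos's code: it correlates an MFA enrolment with a recent successful sign-in from an IP address the account had not used before, which is the follow-on step an attacker holding a stolen session cookie typically takes. The log events, their field names (ts, user, type, ip, outcome), the RFC 5737 documentation addresses and the 60-minute window are all constructed assumptions for this example.

```javascript
// Added example (not from the Talos write-up): flag an MFA device enrolment that
// follows, within a short window, a successful sign-in from an IP address the
// account has never used before. All events below are constructed sample data.

const SAMPLE_EVENTS = [
  // alice: two sign-ins from her usual address, then a new address and a new device
  { ts: "2025-05-10T09:00:00Z", user: "alice", type: "signin", ip: "203.0.113.5", outcome: "success" },
  { ts: "2025-05-11T09:05:00Z", user: "alice", type: "signin", ip: "203.0.113.5", outcome: "success" },
  { ts: "2025-05-12T14:00:00Z", user: "alice", type: "signin", ip: "198.51.100.77", outcome: "success" },
  { ts: "2025-05-12T14:12:00Z", user: "alice", type: "mfa_device_added", device: "authenticator app" },
  // bob: adds a device, but only ever signs in from one known address
  { ts: "2025-05-10T10:00:00Z", user: "bob", type: "signin", ip: "192.0.2.10", outcome: "success" },
  { ts: "2025-05-12T10:03:00Z", user: "bob", type: "signin", ip: "192.0.2.10", outcome: "success" },
  { ts: "2025-05-12T10:10:00Z", user: "bob", type: "mfa_device_added", device: "security key" },
  // carol: new address, but the enrolment happens hours later (outside the default window)
  { ts: "2025-05-12T08:00:00Z", user: "carol", type: "signin", ip: "203.0.113.9", outcome: "success" },
  { ts: "2025-05-12T13:30:00Z", user: "carol", type: "mfa_device_added", device: "authenticator app" },
];

// Returns one alert per enrolment that occurred within `windowMinutes` of a
// successful sign-in from an IP the user had not been seen on before.
// `baseline` (user -> list of IPs) seeds the known-IP set from history, so the
// first sign-in in a short log extract is not automatically treated as "new".
function detectSuspiciousMfaEnrolments(log, { windowMinutes = 60, baseline = {} } = {}) {
  // Group events per user in chronological order.
  const byUser = new Map();
  for (const ev of [...log].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts))) {
    if (!byUser.has(ev.user)) byUser.set(ev.user, []);
    byUser.get(ev.user).push(ev);
  }

  const alerts = [];
  for (const [user, evs] of byUser) {
    const knownIps = new Set(baseline[user] || []);
    let lastNewIpSignin = null; // most recent successful sign-in from an unseen IP
    for (const ev of evs) {
      if (ev.type === "signin" && ev.outcome === "success") {
        if (!knownIps.has(ev.ip)) {
          lastNewIpSignin = ev;
          knownIps.add(ev.ip);
        }
      } else if (ev.type === "mfa_device_added" && lastNewIpSignin) {
        const minutesAfter =
          (Date.parse(ev.ts) - Date.parse(lastNewIpSignin.ts)) / 60000;
        if (minutesAfter >= 0 && minutesAfter <= windowMinutes) {
          alerts.push({
            user,
            ip: lastNewIpSignin.ip,
            signinAt: lastNewIpSignin.ts,
            enrolledAt: ev.ts,
            minutesAfter,
          });
        }
      }
    }
  }
  return alerts;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const a of detectSuspiciousMfaEnrolments(SAMPLE_EVENTS)) {
    console.log(`ALERT ${a.user}: MFA device added ${a.minutesAfter} min after first sign-in from ${a.ip}`);
  }
}
```

Run as-is it reports only alice. The window and the "never seen before" test are the two knobs to tune: widen the window and carol is flagged too, while seeding `baseline` with an account's historical addresses stops the first sign-in of a short extract from counting as new. Pair this with the identity provider's own alert on session reuse from a new location, since the enrolment is the attacker's attempt to make the stolen session permanent.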
Why MFA is getting easier to bypass and what to do about it - An entire cottage industry has formed around phishing attacks that bypass ... - https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-are-easier-than-ever-so-what-are-we-to-do/ #multifactorauthentication #passwords #security #phishing #webauthn #biz #mfa
@GossiTheDog I just logged into #snowflake, no MFA required.
Did #snowflake force legacy instances to use #mfa? Do you know?
That's Not How A SIM Swap Attack Works
https://shkspr.mobi/blog/2025/04/thats-not-how-a-sim-swap-attack-works/
There's a disturbing article in The Guardian about a person who was on the receiving end of a successful cybersecurity attack.
EE texted to say they had processed my sim activation request, and the new sim would be active in 24 hours. I was told to contact them if I hadn’t requested this. I hadn’t, so I did so immediately. Twenty-four hours later, my mobile stopped working and money was withdrawn from my bank account.
With their alien sim, the fraudster infiltrated my handset and stole details for every account I had. Passwords and logins had been changed for my finance, retail and some social media accounts.
(Emphasis added.)
I realise it is in the consumer rights section of the newspaper, not the technology section, and I daresay some editorialising has gone on, but that's nonsense.
Here's how a SIM swap works.
Do you notice the missing step there?
At no point does the attacker "infiltrate" your handset. Your handset is still in your possession. The SIM is dead, but that doesn't give the attacker access to the phone itself. There is simply no way for someone to put a new SIM into their phone and automatically get access to your device.
Try it now. Take your SIM out of your phone and put it into a new one. Do all of your apps suddenly appear? Are your usernames and passwords visible to you? No.
There are ways to transfer your data from an iPhone or Android - but they require a lot more work than swapping a SIM.
So how did the attacker know which websites to target and what username to use?
What (Probably) Happened
Let's assume the person in the article didn't have malware on their device and hadn't handed over all their details to a cold caller.
The most obvious answer is that the attacker already knew the victim's email address. Maybe the victim gave out their phone number and email to some dodgy site, or they're listed on their contact page, or something like that.
The attacker now has two routes.
First is "hit and hope". They try the email address on hundreds of popular sites' password reset page until they get a match. That's time-consuming given the vast volume of websites.
Second is targeting your email. If the attacker can get into your email, they can see which sites you use, who your bank is, and where you shop. They can target those specific sites, perform a password reset, and get your details.
I strongly suspect it is the latter which has happened. The swapped SIM was used to reset the victim's email password. Once in the email, all the accounts were easily found. At no point was the handset broken into.
What can I do to protect myself?
It is important to realise that there's nothing you can do to prevent a SIM-swap attack! Your phone company is probably incompetent and their staff can easily be bribed. You do not control your phone number. If you get hit by a SIM swap, it almost certainly isn't your fault.
So here are some practical steps anyone can take to reduce the likelihood and effectiveness of this class of attack:
Stay safe out there.
Pixalate’s March 2025 Netherlands Publisher Rankings for https://www.byteseu.com/915151/ #AdQuality #CTV #MFA #MobileApps #Netherlands #Pixalate #ProgrammaticAds #reports #websites
Finally! 7 Factor Authentication!
NEW: Russian APT Storm-2372 is using device code phishing to bypass #MFA in attacks against organisations in Europe and the US.
Read: https://hackread.com/russia-storm-2372-hit-mfa-bypass-device-code-phishing/
FobCam '25 - All my MFA tokens on one page
https://shkspr.mobi/blog/2025/04/fobcam-25-all-my-mfa-tokens-on-one-page/
Some ideas are timeless. Back in 2004, an anonymous genius set up "FobCam". Tired of having to carry around an RSA SecurID token everywhere, our hero simply left the fob at home with an early webcam pointing at it. And then left the page open for all to see.
Security expert Bruce Schneier approved[0] of this trade-off between security and usability - saying what we're all thinking:
Here’s a guy who has a webcam pointing at his SecurID token, so he doesn’t have to remember to carry it around. Here’s the strange thing: unless you know who the webpage belongs to, it’s still good security.
Crypto-Gram, August 15, 2004
Nowadays, we have to carry dozens of these tokens with us. Although, unlike the poor schmucks of 2004, we have an app for that. But I don't always have access to my phone. Sometimes I'm in a secure location where I can't access my electronics. Sometimes my phone gets stolen, and I need to log into Facebook to whinge about it. Sometimes I just can't be bothered to remember which fingerprint unlocks my phone[1].
Using the Web Crypto API, it is easy to Generate TOTP Codes in JavaScript directly in the browser. So here are all my important MFA tokens. If I ever need to log in somewhere, I can just visit this page and grab the code I need[2].
All My Important Codes
What The Actual Fuck?
A 2007 paper called Lessons learned from the deployment of a smartphone-based access-control system looked at whether fobs met the needs of their users:
However, we observed that end users tend to be most concerned about how convenient [fobs] are to use. There are many examples of end users of widely used access-control technologies readily sacrificing security for convenience. For example, it is well known that users often write their passwords on post-it notes and stick them to their computer monitors. Other users are more inventive: a good example is the user who pointed a webcam at his fob and published the image online so he would not have to carry the fob around.
As for Schneier's suggestion that anonymity added protection, a contemporary report noted that the owner of the FobCam site was trivial to identify[3].
Every security system involves trade-offs. I have a password manager, but with over a thousand passwords in it, the process of navigating and maintaining becomes a burden. The number of 2FA tokens I have is also rising. All of these security factors need backing up. Those back-ups need testing[4]. It is an endless cycle of drudgery.
What's a rational user supposed to do[5]? I suppose I could buy a couple of hardware keys, keep one in an off-site location, but somehow keep both in sync, and hope that a firmware-update doesn't brick them.
Should I just upload all of my passwords, tokens, secrets, recovery codes, passkeys, and biometrics[6] into the cloud?
The cloud is just someone else's computer. This website is my computer. So I'm going to upload all my factors here. What's the worst that could happen[7].
[3] The neologism "doxing" hadn't yet been invented.
[4] As was written by the prophets: "Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it"
[5] I in no way imply that I am rational.
[6] Just one more factor, that'll fix security, just gotta add one more factor bro.
[7] This is left as an exercise for the reader.
Yesterday I was at #DMEA
https://www.dmea.de/de/about/dmea/
Only a few hours, but interesting talks on topics such as #MFA, #Cloud and #Messenging in healthcare. I found the presentations by #famedly quite interesting. A provider of a TK messenger, https://www.famedly.com/, which I have also been testing professionally for some time. It uses the #matrix protocol. And as I learned, their boss apparently also works on #fluffychat, the multi-account messenger.
The solution to this problem is not MFA.
When you have a problem with passwords getting compromised/phished/bruteforced, and you solve it with #MFA, now you have two problems.
The solution to this problem is smart cards.