by mschuster91 2566 days ago
> If they already have your phone, you're already pwned.

No, that's not what GP means. If the attacker manages to get malware on the Mac, for example by exploiting a browser 0day, then the attacker can simply circumvent the 2FA by making the Mac fetch the 2FA code. The user won't notice it.


If the attacker manages to get malware on the Mac, they can also wait for you to do a login, and steal your 2FA code as you enter it.
Or just steal your session tokens. Not all apps are secure enough to prevent session roaming.
Or just remote drive your session. Token exfiltration isn't required if you can do XSS or, say, script injection via browser extensions (and exfiltration is more likely to hit anomaly/fraud detection).
Same could be said of the phone, right? A zero day on the phone would circumvent the 2FA.

Really, the SMS part is the actual weak link in the chain. Easier to hijack SMS than own a computer or phone.

> Easier to hijack SMS than own a computer or phone.

That depends on the country; in Germany it's way more difficult.

Why would you say that? All it takes is one telco employee taking a bribe or screwing up some configuration or...
Why?