by UncleMeat
1580 days ago
The phishing flow is precisely the same as the normal auth. You click a link. It takes you to evil.com that looks like your bank page. You type in your password. The system takes your password and starts an auth flow with the actual bank. You are shown a TOTP page. You type in your code. The system takes your code and completes the auth with your bank. This is 100% automated and the only observable difference is the URL. After this happens it takes you to a “something went wrong” page and has a link back to your real bank website. With U2F this is impossible because you cannot sign a message for bank.com when visiting evil.com.
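An added illustration of the contrast the comment draws, not code from the comment's author: the bank's verifier is modelled twice, once for TOTP and once for a U2F-style assertion, and the same relayed login is fed to both. Everything here is constructed: `https://bank.example` and `https://evil.example` stand in for bank.com and evil.com, the device key and secrets are placeholders, and an HMAC stands in for the ECDSA signature a real U2F token produces so the block runs with only the Python standard library. What it preserves from U2F is the part that matters for the argument: the browser puts the origin it is actually showing into the client data, and the signature covers a hash of that client data plus the application identifier.

```python
import hashlib
import hmac
import json
import struct

BANK_ORIGIN = "https://bank.example"    # constructed stand-in for bank.com
PHISH_ORIGIN = "https://evil.example"   # constructed stand-in for evil.com


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the time-step counter."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def bank_verify_totp(secret: bytes, code: str, timestamp: int) -> bool:
    # A TOTP code carries no information about where the user typed it, so
    # the bank cannot tell a code entered on the phishing page from one
    # entered on its own page; a relay that forwards it in time succeeds.
    return hmac.compare_digest(totp(secret, timestamp), code)


def _signed_bytes(app_id: str, counter: int, client_data: bytes) -> bytes:
    # U2F sign-response layout: sha256(appId) || user-presence || counter || sha256(clientData)
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())


def authenticator_sign(device_key: bytes, origin: str, challenge: bytes, counter: int) -> dict:
    """Model of a U2F sign response. The browser, not the page, fills in `origin`
    from the URL bar; the page's script cannot choose it."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    # HMAC stands in for the token's ECDSA P-256 signature (constructed simplification).
    sig = hmac.new(device_key, _signed_bytes(origin, counter, client_data), hashlib.sha256).digest()
    return {"client_data": client_data, "counter": counter, "sig": sig}


def bank_verify_u2f(device_key: bytes, challenge: bytes, assertion: dict) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != BANK_ORIGIN:              # must have been signed for the bank's origin
        return False
    if bytes.fromhex(cd.get("challenge", "")) != challenge:  # must answer this login's challenge
        return False
    expected = hmac.new(
        device_key,
        _signed_bytes(BANK_ORIGIN, assertion["counter"], assertion["client_data"]),
        hashlib.sha256,
    ).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def relay_outcome(origin_user_visits: str) -> dict:
    """The flow from the comment: the user logs in on `origin_user_visits` and an
    automated relay forwards the password, the TOTP code and the U2F response
    verbatim to the bank. Returns what the bank accepts."""
    totp_secret = b"12345678901234567890"      # constructed shared secret
    device_key = b"constructed-device-key"     # constructed per-site key
    timestamp = 1_600_000_000
    challenge = hashlib.sha256(b"constructed-bank-challenge").digest()[:16]

    code_typed = totp(totp_secret, timestamp)
    assertion = authenticator_sign(device_key, origin_user_visits, challenge, counter=7)

    # A relay that rewrites the origin field to the bank's before forwarding:
    # the signature covers sha256(clientData), so the edit breaks verification.
    rewritten = dict(assertion)
    cd = json.loads(assertion["client_data"])
    cd["origin"] = BANK_ORIGIN
    rewritten["client_data"] = json.dumps(cd, sort_keys=True).encode()

    return {
        "totp_accepted": bank_verify_totp(totp_secret, code_typed, timestamp),
        "u2f_accepted": bank_verify_u2f(device_key, challenge, assertion),
        "u2f_accepted_after_origin_rewrite": bank_verify_u2f(device_key, challenge, rewritten),
    }


if __name__ == "__main__":
    print("user on bank site :", relay_outcome(BANK_ORIGIN))
    print("user on phish site:", relay_outcome(PHISH_ORIGIN))
```

The TOTP check passes in both runs because the code is the same six digits wherever it is typed; the U2F check passes only when the browser was actually on the bank's origin, and patching the origin after the fact fails as well because the hash of the client data is inside the signed message. That is the "cannot sign a message for bank.com when visiting evil.com" property in the comment, and it is exactly what a verifier has to check (origin and challenge, not just a valid signature) to get the benefit.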