by tantalor 4574 days ago
> Does spear phishing employees' email accounts and using their password to access control panels count as a bug?

Yes, because those control panels should require 2FA, so password-only access is a bug.


2FA is susceptible to spear phishing if all the attacker needs is a one-time login.

Remember that credentials and tokens can be relayed.

Not necessarily. FIDO fixes this.

http://www.fidoalliance.org/user-experience.html

How? A phishing site can relay any of this information by acting as a client to the real site while prompting the end user for the requested credentials.

The only way FIDO could prevent this would be to make the credentials dependent on the URL in the browser, but I don't see where it does this.

With FIDO, the user doesn't manually enter a 2FA token into a form field. Instead they press a button or something which directly transmits the token over SSL to the authentication server.

MITM is still possible, but there are other ways to combat that, such as TLS Channel IDs [1] or Bearer Tokens [2].

[1] http://www.google.com/intl/en/chrome/browser/privacy/whitepa... [2] http://www.browserauth.net/
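Added example, not from the thread or from the FIDO Alliance: a simplified model of the origin binding the question above asks about, showing why a relayed FIDO-style response fails the relying party's check while an ordinary one-time code would not. The relying party name, the challenge value and the use of ed25519 are assumptions; the real U2F/WebAuthn wire formats carry more fields, but the origin-in-signed-data principle is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData models the client data a FIDO-capable browser assembles before the token
// signs: the origin is what the browser actually connected to, not what the page claims.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// tokenSign plays browser plus token: a per-site private key signs a digest of the client data.
func tokenSign(priv ed25519.PrivateKey, browserOrigin, challenge string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, h[:])
}

// VerifyAssertion is the relying party's check: fresh challenge, own origin, valid signature.
func VerifyAssertion(pub ed25519.PublicKey, rpOrigin, challenge string, cd, sig []byte) bool {
	var parsed clientData
	if json.Unmarshal(cd, &parsed) != nil || parsed.Challenge != challenge || parsed.Origin != rpOrigin {
		return false // a response relayed from another origin is rejected here, signature or not
	}
	h := sha256.Sum256(cd)
	return ed25519.Verify(pub, h[:], sig)
}

// RelayScenario runs a direct login and then the thread's relay: the phishing site forwards
// the real site's challenge to the victim's browser and passes the signed answer back.
func RelayScenario() (legit, relayed bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const rp, challenge = "https://bank.example", "nonce-7f3a" // hypothetical RP, constructed challenge
	cd, sig := tokenSign(priv, rp, challenge)
	legit = VerifyAssertion(pub, rp, challenge, cd, sig)
	cd, sig = tokenSign(priv, "https://phish.example", challenge) // victim's browser is on the phishing origin
	relayed = VerifyAssertion(pub, rp, challenge, cd, sig)
	return legit, relayed
}

func main() {
	legit, relayed := RelayScenario()
	fmt.Println("direct:", legit, "relayed:", relayed) // direct: true relayed: false
}
```

A one-time code carries no origin at all, so the same relay would pass a code check; what blocks it here is that the browser, not the user, records the origin inside the signed data.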