jddj 9 days ago

In practice it's maybe slightly harder, because they'd have to convince a user to enter their google 2fa code into a site that isn't obviously google?

I'd imagine a convincing enough modal would do the trick though, in a lot of cases.

chii 9 days ago | parent | next [-]

> convince a user to enter their google 2fa code into a site that isn't obviously google?

If the BAD site itself looks legit and has convinced a user to do the initial login in the first place, they won't hesitate to lie and say that this 2-factor code is part of their partnership with Google etc., and tell you to trust it.

A normal user doesn't understand what a 2-factor code is, how it works, and such. They will easily trust the phisher's site if the phisher first breaks the user and sets them up to trust the site in the beginning.

What Google does is to send a notification to the user's phone telling them someone tried to access their account if this happened (or any new login to any new device you previously haven't done so on). It's a warning that requires some attention, and depending on your state of mind and alertness, you might not suspect that your account is stolen even with this warning. But it is better than nothing, as the location of the login is shown to you, which should be _your own location_ (and not some weird place like Cyprus!).

SethMurphy 9 days ago | parent [-]

What I don't understand is how the site will send the 2FA code request to the bad actor's phone, instead of the real user's phone? Is this not part of what makes it more secure than a text or email? Wouldn't the bad actor need to be logged into the authenticator as the user you're trying to hack?

chii 8 days ago | parent [-]

> how the site will send the 2FA code request to the bad actors phone, instead of the real users phone?

The 2FA code in this case is in the email, not via an app. This email is triggered by BAD on their end, but it is sent by GOOD.

If the 2fa is _only_ via the authenticator app, then the BAD will need to convince the user to type in that 2fa code from the app into the BAD site (which is harder, as nobody else does this, so it should raise suspicions from the user at least).

johnisgood 9 days ago | parent | prev [-]

If we are talking about TOTP, there is a time limit to that, which makes it harder, yeah.

Urd- 9 days ago | parent [-]

Not much harder. The state of the art of phishing right now is proxy-based setups like evilginx which pass along credentials in real time. Then you just save the session cookie or change/add the 2fa mechanisms so you can get in whenever you want with the stolen credentials.