avodonosov 9 days ago

The scheme is impossible, because the GOOD site says in the email "NEVER SHARE THIS ONE TIME CODE WITH 3RD PARTY APPS OR INDIVIDUALS"

pjc50 9 days ago | parent | next [-]

You left out the /s tag. People don't read that bit.

avodonosov 9 days ago | parent [-]

/s tag?

People do read, if the email is short

account42 9 days ago | parent [-]

They only read what they need to finish what they are currently trying to do, which in this case is the code they need to log in.

avodonosov 9 days ago | parent [-]

I know from experience that well designed messages with secure code are very understandable and make it virtually impossible to miss the warning.

On what grounds do you say people don't read? Any evidence?

Hackbraten 9 days ago | parent [-]

> I know from experience that well designed messages with secure code are very understandable

This premise seems flawed.

How can you possibly know from experience that something is “very understandable” if the only brain you have is your own?

How do you anticipate how other people with brains different from yours are going to behave in situations of cognitive impairment or extreme stress, things that happen in the real world?

avodonosov 9 days ago | parent [-]

There are common properties of psychology shared by people. UI design and ergonomics rely on such properties. In particular, how people read text.

But I am speaking of myself only. From experience receiving well designed messages compared to the experience with badly designed messages.

I am a data point of evidence supporting my view. The opinion that "people don't read" is a complete speculation, without convincing evidence.

The real problem is that many services simply do not include the warning in the message.

Hackbraten 9 days ago | parent [-]

OP’s claim was not that “people don’t read.”

It was that “[t]hey only read what they need to finish what they are currently trying to do.”

Those are two different claims.

avodonosov 9 days ago | parent [-]

Ok. When they need the code they will have to scan through a message like

    Do not share the code 3456 
and will read the words, because they read left to right.

The code should be in the same font as the rest of the text.

Hackbraten 8 days ago | parent [-]

I can assure you that by now, my brain is conditioned to lock into the four-digit code as soon as it can, entirely ignoring everything around it, including the words to the left.

I’m an avid reader. But there are limits to what I can process, and our world has become so full of noise that it has become a coping strategy for brains to selectively ignore stuff if they feel it’s not important at the moment. That effect becomes even more pronounced as the brain deteriorates with age.

avodonosov 8 days ago | parent [-]

I do not believe that, receiving such a message, you will not notice the phrase.

And more so if you receive them constantly.

But of course, you are entitled to your opinion, even if it's wrong.

Perz1val 9 days ago | parent | prev [-]

Phishing = pretending you're the first party

avodonosov 9 days ago | parent [-]

Tuesday follows Monday

Perz1val 9 days ago | parent [-]

I don't know if you're sarcastic or just missing the problem; which is that people will be presented with something like a Facebook login page, on a site with a URL like `facebook.quick-login.com` or `facebock.com`, and they'll enter the passcode since, as far as they were concerned, they did everything correctly. The disclaimer does shit preventing that, they »obviously« didn't share the code with any other website, they entered it on Facebook as they were told!

avodonosov 8 days ago | parent [-]

I am sarcastic because this discussion is about a different attack. Not about phishing.

(The OP says one time codes are worse than passwords. In case of phishing, passwords fail the same way as one time codes.)

I was also sarcastic/provocative even in the previous comment, saying the GOOD site always includes a warning with the code, making the attack impossible. A variation of the attack is very widely used by phone scammers: "Hello, we are updating the intercom in your apartment block. Please tell us your name and phone number. Ok, you will receive a code now, tell it to us". Yet many online services and banks still send one time codes without a warning to never share it!

The phishing point may also be used in defence of one time codes: if the GOOD service was using passwords instead of one time codes, the BAD could just initiate a phishing attack, redirecting the user to a fake login page - people today are used to the "Login with" flow.