acdha 3 days ago

I also use WebAuthn where possible but wouldn’t be so cocky. The most likely reason why we haven’t been phished is that we haven’t been targeted by a sophisticated attacker.

One side note: most systems make it hard to completely rely on WebAuthn. As long as other options are available, you are likely vulnerable to an attack. It’s often easier than it should be to get a vendor to reset MFA, even for security companies.

typpilol 3 days ago | parent | next [-]

But this wasn't even really a spear phishing attack.

It was a generic phish email you'd see in every single Corp 101 security course.

acdha 3 days ago | parent [-]

The attacker did have a great domain name choice, didn’t overuse it to the point where it got on spam block lists, and got them at a moment of distraction, so it worked. It’s really easy to look at something in a training exercise and say “who’d fall for that” without thinking about what happens when you’re not at your best in a calm, focused state.

My main point was simply that the better response isn’t to mock them but to build systems which can’t fail this badly. WebAuthn is great, but you have to go all in if you want to prevent phishing. NPM would also benefit immensely from putting speed bumps and things like code signing requirements in place, but that’s a big usability hit if it’s not carefully implemented.

typpilol 3 days ago | parent [-]

I wouldn't consider a .help domain to be a great choice.

I've literally never for a support email or any email from a .help domain.

I'm not mocking them, just trying to understand how so many red flags slipped past.

- Domain name
- No auto-fill
- Unannounced MFA resets
- Etc...

My point is that nothing could have saved this person except extreme security measures. There's literally no conclusion here besides:

1. Lock everything down so extremely that it's extremely inconvenient to prevent mistakes 99% of people don't make. (How many npm packages vs the total have been hijacked, less than 1%)

2. This person was always going to be a victim eventually... And that's a hard pill to swallow. For me and the maintainer. Being in network security it's my actual nightmare scenario.

The only lesson to be learned is you need extreme security measures for even the most experienced of internet users. This wasn't your grandma clicking a link, it's a guy who's been around for decades in the online / coding world.

It also makes me suspicious, but that's a road I'd rather keep to myself.

sneak 3 days ago | parent | prev [-]

The failure here was that his password manager was not configured and he manually copied and pasted the credentials into the wrong webpage.

A password manager can’t manage passwords if you don’t configure it and use it.
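The origin binding that both a password manager's auto-fill and WebAuthn rely on (mentioned in acdha's "go all in" comment above and in this one) comes down to the same check: does the page the user is on belong to the registrable domain the credential was issued for? The following is an added example, not code from this thread or from any password manager or browser; the public-suffix set is a constructed stand-in for the real Public Suffix List, and the URLs are constructed lookalikes.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. A real implementation
# would load the full list (e.g. via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "org", "net", "help", "co.uk"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 of a host (e.g. 'example.co.uk' for 'www.example.co.uk').

    Returns None when the host is itself a public suffix or ends in a TLD we
    do not know, so callers fail closed instead of guessing.
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # 'co.uk' wins over 'uk' when both are listed.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def password_manager_should_fill(saved_url: str, page_url: str) -> bool:
    """Mimic a password manager's default origin binding.

    The saved credential is offered only when the current page is served
    over https and its registrable domain matches the one the credential
    was saved for. A lookalike TLD ('example.help') or a subdomain of an
    unrelated site ('example.com.phish.net') therefore gets no fill; the
    user would have to copy and paste the secret by hand to leak it.
    """
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https" or not page.hostname or not saved.hostname:
        return False
    saved_rd = registrable_domain(saved.hostname)
    return saved_rd is not None and saved_rd == registrable_domain(page.hostname)


def webauthn_rp_id_valid(rp_id: str, origin: str) -> bool:
    """Client-side relying-party ID check from the WebAuthn ceremony.

    The rpId must equal the origin's effective domain or be a registrable
    suffix of it; a bare public suffix such as 'com' is never accepted.
    (The spec's localhost/http exception is omitted here for brevity.)
    """
    parts = urlsplit(origin)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    rp_id, host = rp_id.lower(), host.lower()
    if registrable_domain(rp_id) is None:
        return False
    return host == rp_id or host.endswith("." + rp_id)


if __name__ == "__main__":
    saved = "https://example.com/login"          # constructed legitimate site
    for page in ("https://www.example.com/login",
                 "https://example.help/login",        # constructed lookalike TLD
                 "https://example.com.phish.net/login"):  # constructed lookalike subdomain
        print(f"fill on {page}: {password_manager_should_fill(saved, page)}")
    for rp_id, origin in (("example.com", "https://login.example.com"),
                          ("example.com", "https://example.help"),
                          ("com", "https://example.com")):
        print(f"rpId {rp_id!r} on {origin}: {webauthn_rp_id_valid(rp_id, origin)}")
```

The practical reading of this is the thread's own point: the check is strong precisely because the user never gets a choice, so any workflow that routes around it (manual copy and paste, a vendor-side MFA reset) removes the protection entirely.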

acdha 3 days ago | parent [-]

Yes, and we know that’s a thing which people are trained to do by all of the sites which are sloppy about their login forms or host names so we should assume that attackers can trick people into doing it, even many people who think they are too smart for it. Hubris is quite a boon for attackers.