x0x0 4 days ago
I watched a presentation from Stripe internal eng that was given, I forget where. An internal engineer there who did a bunch of security work phished like half of her own company (testing, obviously). Her conclusion, in a really well-done talk, was that it was impossible. No human measures will reduce it, given her success at a very disciplined, highly security-conscious place. The only thing that works is YubiKeys, which prevent this type of credential + 2FA theft phishing attack. edit: Karla Burnette / talk https://www.youtube.com/watch?v=Z20XNp-luNA
cataflam 3 days ago
Yes! Here is the whitepaper (from 2017, I think). I read it and used it, it's excellent: https://karla.io/files/ichthyology-wp.pdf

> At Stripe, rather than focusing on mitigating more basic attacks with phishing training, we decided to invest our time in preventing credential phishing entirely. We did this using a combination of Single Sign On (SSO), SSL client certificates, and Universal Second Factor (U2F)
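The reason a hardware second factor stops the credential-relay phishing both comments describe is origin binding, and it is easy to lose sight of how the three parties cooperate. The toy model below is an added example, not code from the thread or from the Stripe whitepaper: a "browser" that only lets a page ask for an app id equal to its own origin, an "authenticator" that keys per app id and signs the origin-bearing client data, and a relying party that checks the origin inside the signed data. HMAC-SHA256 stands in for the ECDSA signature so it runs with the standard library only; the origins, user name and challenge format are constructed for illustration and are not U2F's exact wire format.

```python
# Added toy model of U2F/WebAuthn origin binding (not a real implementation).
# HMAC stands in for the ECDSA signature; origins and users are constructed.
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://sso.example.com"             # constructed relying-party origin
PHISH_ORIGIN = "https://sso-example.com.evil.test"  # constructed look-alike origin


class Authenticator:
    """Security key. One secret per app id stands in for a per-registration key pair."""

    def __init__(self):
        self._master = os.urandom(32)

    def _key_for(self, app_id):
        # A different app id (origin) always yields a different key.
        return hmac.new(self._master, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id):
        # Real U2F returns a public key + key handle; in this MAC model the
        # relying party stores the per-app secret and verifies with it.
        return self._key_for(app_id)

    def sign(self, app_id, client_data):
        # U2F signs over sha256(appId) || sha256(clientData): the origin the
        # browser saw is part of what gets signed.
        signed = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self._key_for(app_id), signed, hashlib.sha256).digest()


class Browser:
    """Enforces that a page may only use an app id matching its own origin."""

    def __init__(self, page_origin, authenticator):
        self.page_origin = page_origin
        self.authenticator = authenticator

    def get_assertion(self, app_id, challenge):
        if app_id != self.page_origin:
            raise PermissionError("app id does not match page origin")
        client_data = json.dumps(
            {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": self.page_origin},
            sort_keys=True,
        ).encode()
        return client_data, self.authenticator.sign(app_id, client_data)


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.keys = {}

    def register(self, user, key):
        self.keys[user] = key

    def new_challenge(self):
        return os.urandom(16).hex()

    def verify(self, user, challenge, client_data, signature):
        data = json.loads(client_data)
        # Reject any assertion whose signed origin is not ours or whose challenge is stale.
        if data.get("origin") != self.origin or data.get("challenge") != challenge:
            return False
        signed = hashlib.sha256(self.origin.encode()).digest() + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def setup():
    key = Authenticator()
    rp = RelyingParty(REAL_ORIGIN)
    rp.register("alice", key.register(REAL_ORIGIN))  # constructed user
    return key, rp


def legitimate_login():
    key, rp = setup()
    challenge = rp.new_challenge()
    client_data, sig = Browser(REAL_ORIGIN, key).get_assertion(REAL_ORIGIN, challenge)
    return rp.verify("alice", challenge, client_data, sig)


def phished_login():
    """Victim is on the look-alike page; attacker relays the real RP's challenge live."""
    key, rp = setup()
    challenge = rp.new_challenge()
    browser = Browser(PHISH_ORIGIN, key)
    try:
        browser.get_assertion(REAL_ORIGIN, challenge)  # blocked: page is not that origin
        return "browser allowed cross-origin app id"
    except PermissionError:
        pass
    # Fallback: the phishing page asks for its own origin. The key happily signs,
    # but the signed origin and the per-app key no longer match the real RP.
    client_data, sig = browser.get_assertion(PHISH_ORIGIN, challenge)
    return rp.verify("alice", challenge, client_data, sig)


if __name__ == "__main__":
    print("legitimate login verified:", legitimate_login())
    print("relayed phishing login verified:", phished_login())
```

Contrast this with a TOTP code, which is just six digits the user can type into any page: nothing in it names the origin, so a live relay proxy forwards it unchanged and the real site accepts it. The model above fails the relayed attempt on two independent checks (origin in the signed client data, and the per-origin key), which is why the whitepaper's approach needs no user vigilance to hold.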