2FA phishing is very real
Crypto stolen.
2FA
Poll: Do you have 2FA set up for your VPS accounts? (46 votes)
- Yes: 54.35%
- No: 45.65%


Comments
Of course. TOTP 2FA isn't even meant to be phishing resistant. It'll only protect against password leaks and password guessing. Passkeys are what protect against phishing, since they won't work on a phishing login page. Ideally it's a hardware passkey like a YubiKey or Nitrokey or whatever. That guy should've used a security key to begin with if he's maintaining such a crucial npm repo.
Just get a YubiKey.
Most sites still don't support keys, only 2FA.
2FA phishing has been around for years. The initial Evilginx release was in 2017, and since then various other tools have been released.
Not much can help you if you consider an email from npmjs.help legitimate, not to mention where the link even led to.
Also, the JavaScript npm ecosystem is a cancer in itself: dependencies on hundreds of packages ranging from a single basic function to god knows what, nobody checks if they're legitimate, and that is what makes opportunities like this happen. Because the language lacks a proper standard library, 3rd-party helpers need to be included everywhere (maybe not so much in recently supported versions, but companies are still pushing polyfills for 10-year-old browser versions nobody uses anymore).
The best approach is always to reduce the attack surface on your server: run fewer services, and build from a smaller number of 3rd-party packages that can get infected.
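The two points made above, that a TOTP code relayed through a reverse-proxy phishing kit still verifies at the real site while a passkey does not work on the phishing page, are easy to see in code. The following is an added example, not code from this thread or from Evilginx or any other tool mentioned here. All names are constructed (LEGIT_ORIGIN, PHISH_ORIGIN, RP_ID, SECRET, CRED_KEY); the TOTP part follows RFC 6238, and the WebAuthn part models only the origin and rpId binding the protocol puts into every assertion, with an HMAC standing in for the authenticator's public-key signature.

```python
"""
Added example (not code from the thread or any project it mentions): why a
TOTP code relayed through a reverse-proxy phishing kit verifies at the real
site, while a passkey (WebAuthn) assertion made on a look-alike domain does not.

Constructed names: LEGIT_ORIGIN, PHISH_ORIGIN, RP_ID, SECRET, CRED_KEY.
TOTP follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits). The WebAuthn part
models only the origin/rpId binding; the HMAC "signature" is a stand-in for
the authenticator's EC signature and changes nothing about the origin check.
"""
import base64
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://login.example"        # constructed: the real service
PHISH_ORIGIN = "https://login-example.help"   # constructed: the look-alike proxy
RP_ID = "login.example"                       # relying-party ID of the real service
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test secret, base32
CRED_KEY = b"per-credential-key-stand-in"     # constructed; real passkeys use a key pair

TOTP_STEP, TOTP_DIGITS = 30, 6


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", unix_time // TOTP_STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** TOTP_DIGITS
    return f"{code:0{TOTP_DIGITS}d}"


def server_verify_totp(secret_b32: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check; accepts adjacent time steps like most deployments."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + d * TOTP_STEP), code)
               for d in range(-skew_steps, skew_steps + 1))


def relay_totp_phish(now: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it two
    seconds later. Nothing in a TOTP code ties it to a domain, so it verifies."""
    victim_types = totp(SECRET, now)
    return server_verify_totp(SECRET, victim_types, now + 2)


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str):
    """Browser + authenticator side of navigator.credentials.get(). The browser
    writes the page's real origin into clientDataJSON (page script cannot set
    it) and refuses an rpId that is not the page's domain or a registrable
    suffix of it (simplified: no port or public-suffix handling)."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash || flags (UP)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()        # stand-in for ECDSA
    return client_data, auth_data, sig


def server_verify_assertion(client_data: bytes, auth_data: bytes, sig: bytes, challenge: str) -> bool:
    """The relying-party checks from the WebAuthn spec that matter here."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:           # the check a proxy cannot satisfy
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def relay_webauthn_phish(challenge: str, requested_rp_id: str) -> str:
    """Proxy relays the real site's challenge to the victim's browser on the
    phishing origin and forwards whatever comes back, verbatim."""
    try:
        cd, ad, sig = browser_get_assertion(PHISH_ORIGIN, requested_rp_id, challenge)
    except PermissionError:
        return "browser_refused"       # kit asked for the real rpId: browser says no
    return "server_accepted" if server_verify_assertion(cd, ad, sig, challenge) else "server_rejected"


def honest_webauthn_login(challenge: str) -> bool:
    """Same flow on the genuine origin: accepted."""
    cd, ad, sig = browser_get_assertion(LEGIT_ORIGIN, RP_ID, challenge)
    return server_verify_assertion(cd, ad, sig, challenge)


if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", relay_totp_phish(1_700_000_000))
    print("Passkey, kit requests real rpId:   ", relay_webauthn_phish("c0ffee", RP_ID))
    print("Passkey, kit uses its own rpId:    ", relay_webauthn_phish("c0ffee", "login-example.help"))
    print("Passkey, honest login:             ", honest_webauthn_login("c0ffee"))
```

The TOTP branch passes because the server only learns a six-digit number with no notion of where it was typed. The passkey branch fails in one of two places, both outside the attacker's control: either the browser refuses to use the real site's rpId on the look-alike domain, or the assertion it does produce carries the phishing origin and a different rpIdHash, and the relying party rejects it. Real Evilginx-style kits have no workaround for this beyond downgrading the victim to another method, which is why the thread's advice to use a hardware key holds.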
2FA is bullshit.
Never follow unsolicited password/TOTP reset links. Got an unsolicited reset link in your inbox and have doubts about whether it's legit? Then go to the service provider's page, log in and check if it asks you to update anything. If it does, do as required; if it does not, delete the unsolicited request.
Stay safe!
So we’ve reached the magical land of "swollen" accounts. Let’s break down the recipe:
On the client side:
Fake email accounts. They’re 90% “almost real,” but hey, I tip my hat to the brave 10% who use actual real data.
Passwords so strong they could stop a toddler… “1234abcd.” Truly, Fort Knox would be jealous.
On the provider side:
Phone numbers? 99.9% fake. So SMS auth is basically sending OTPs into the void (and here I mean Into the Void in SC). Also, because of this, why bother implementing it??
We (AKA the provider) implement 2FA, trying to save the day. Result? Users manage to get their shiny new 2FA stolen too. Bravo.
So here we are: the provider trying to protect accounts, clients arming hijackers with wet paper shields.
Any suggestions on how to protect an account when 90% of the registration data looks like it was generated by a bored cat smashing the keyboard?
Asking for a friend, of course.
Passkeys would be the solution.
But expect that the users you are talking about will not use them in the first place.
We need to accept that at some point, it's the users responsibility.
True, I just love the folks opening tickets on PayPal as cash back claiming their accounts were kidnapped by UFOs.
Then when we look in the logs/client data:
NAME: kutryhcgkndrh
Last Name: mrwuygtkxgh
City: sgmrujytghknsrubgh
Phone number: +1...... (usually a McDonald's or KFC or some nonsense data)
Mail: [email protected]
I think I will do a top 10 at some point and post it on our page.
I mean, it could be also just fraud.
Have a bunch of customers like that which apparently have 20 credit cards 😅
I like the AWS "shared security model", which loosely paraphrased is:
"We are responsible for securing the cloud. You are responsible for securing what you put in the cloud"
So if the account login process is secure but the user gets their creds phished and abused, that's the user's responsibility and not the provider's.
Providers are responsible for securing their platforms, (for example preventing brute forcing and credential stuffing), but users have to accept responsibility for their creds and any access/permissions they configure.
I just noticed that this forum doesn't even offer 2FA lol. Might not be an issue for me as a random user shittalking 24/7, but I think those providers posting in the deal section could've benefited from 2FA.