The scheme is impossible, because the GOOD site says in the email "NEVER SHARE THIS ONE TIME CODE WITH 3RD PARTY APPS OR INDIVIDUALS"

You left out the /s tag. People don't read that bit.
/s tag?

People do read, if the email is short.

They only read what they need to finish what they are currently trying to do, which in this case is the code they need to log in.
I know from experience that well designed messages with secure code are very understandable and make it virtually impossible to miss the warning.

On what grounds do you say people don't read? Any evidence?

> I know from experience that well designed messages with secure code are very understandable

This premise seems flawed.

How can you possibly know from experience that something is “very understandable” if the only brain you have is your own?

How do you anticipate how other people with brains different from yours are going to behave in situations of cognitive impairment or extreme stress, things that happen in the real world?

Phishing = pretending you're the first party
Tuesday follows Monday
I don't know if you're sarcastic or just missing the problem, which is that people will be presented with something like a Facebook login page, on a site with a URL like `facebook.quick-login.com` or `facebock.com`, and they'll enter the passcode since, as far as they were concerned, they did everything correctly. The disclaimer does shit preventing that: they »obviously« didn't share the code with any other website, they entered it on Facebook as they were told!
I am sarcastic because this discussion is about a different attack. Not about phishing.

(The OP says one time codes are worse than passwords. In case of phishing, passwords fail the same way as one time codes.)

I was also sarcastic/provocative even in the previous comment, saying the GOOD site always includes a warning with the code making the attack impossible. A variation of the attack is very widely used by phone scammers: "Hello, we are updating the intercom in your apartment block. Please tell us your name and phone number. OK, you will receive a code now, tell it to us." Yet many online services and banks still send one time codes without a warning to never share them!

The phishing point may also be used in defence of one time codes: if the GOOD service was using passwords instead of one time codes, the BAD could just initiate a phishing attack, redirecting the user to a fake login page; people today are used to the "Login with" flow.
