Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

1. Somebody loads fakebank.com.

2. It pops up a username/password screen. The user types in their credentials for realbank.com.

3a. The owners of fakebank.com use your creds to log in to realbank.com and are presented with a TOTP page.

3b. fakebank.com loads another page that asks the user for their TOTP. The user enters it, still thinking they are logging in to realbank.com

4. The owners of fakebank.com use the TOTP to authenticate as the user with realbank.com.

Entire SDKs to automate this are sold on the black market.



This is certainly a vulnerability, but it also depends on how you get your TOTP codes. I use Bitwarden's browser extension to get mine, and if the domain is incorrect, the extension won't present me with the code. I think this is a decent level of protection from phishing.


I encourage you, as an exercise at least, to think about what you'll do when it doesn't work.

You're sure this is the right web site. But Bitwarden won't fill out the code. What could be wrong? Did the idiots who make this web site change the URL?

Now, maybe you're a far above average user and you would calmly determine the exact cause, assuming at every step that the most likely explanation is you're being phished. Hopefully that's more likely now that you've done this exercise. I would love to believe I'm in this category.

But most users will just be frustrated, why wasn't it filled out? Is there a way to get the code from Bitwarden anyway? There is, it's a bit fiddly but you can do it. Lots of users are going to do that. They might even help each other to give their credentials to bad guys, community spirit.

Hopefully some of those users pause because this is unusual and a few of them will realise in that moment that they're being phished. But experiments suggest most won't.


I did consider this, and I would also like to believe that my first thought would be "I am being phished" rather than "I'm sure this is the right web site." I do understand that many users (including myself on a bad day) might not recognize a phishing situation. But at least there is a layer of defense that SMS doesn't have.

Maybe the Bitwarden extension should warn users when they try to copy/view a TOTP code by searching for a login rather than using a matched entry.

U2F is my preferred method of MFA, but many services don't support it, and there can be practical issues even for the ones that do. For example, some services support U2F in a browser but not in mobile apps.


Couldn’t this entire scenario play out exactly the same with SMS codes?


Yes.

The point is the TOTP is precisely as bad as SMS for the common case (phishing) and only safer in a rare case (SIM-swap). This comes with large downsides (losing access).

TOTP is, at best, a very marginal improvement over SMS. This is what makes the online push to complain about services that use SMS 2FA and demand a switch to TOTP very strange.


TOTP is far, far better for travellers who need to swap their SIM cards frequently, or need to work out of places with internet access but no cell reception.


Sure. I'm not opposed to supporting it. It is just weird to me to see people pushing for it with seemingly equal vigor as U2F.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: