Reminder of how phishing can defeat tech like Google Authenticator (TOTP). Always use U2F where possible

I’ll say it upfront for the techy people: (un)fortunately, this is NOT a MITM attack of U2F*. LastPass doesn’t support U2F so this is disappointingly simple. It uses Yubico OTP, which is phishable.

In this article, I demonstrate how to deploy a phishing attack on LastPass users, even when they are protected with Yubikey physical keys. I hope that this helps you appreciate that YubiKey ≠ U2F. Aside from that, I will give an overview of:

what is U2F, and why it is important
how LastPass encrypts and handles your vault

*U2F stands for “Universal 2nd Factor”. This is the protocol that is likely used whenever you hear about security keys. 

Use security keys to prevent phishing

Google’s transparency report [1]

In recent years, phishing has proven to be one of the most effective ways of hacking people. Instead of using a fancy new exploit to steal a victim’s credentials, the hacker just asks the victims to hand their credentials over.

Moreover, with the new remote working conditions, we are more at risk of phishing attacks. This results in headlines such as “Phishing Attacks Increase 350 Percent Amid COVID-19 Quarantine (2020)” [2].

How do we combat this? Aside from educating employees on phishing attacks, security keys are an effective way to mitigate this increased risk. We see success stories such as (2018, Google: Security Keys Neutralized Employee Phishing):

“We have had no reported or confirmed account takeovers since implementing security keys at Google” [3]

In a phishing attack, the weak point is the human user. The user has the responsibility of distinguishing legitimate sites from malicious ones. By using security keys and protocols such as U2F, you relieve some of this burden from the user. With U2F, authentication “magically” doesn’t work on a malicious site, even when the victim is tricked into using their key there.
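To make the “magically doesn’t work” part concrete, here is an added example (not code from the original article, LastPass or Yubico) that models the origin binding U2F relies on next to a bearer one-time code with no such binding. The browser derives the appId hash from the origin the user is actually on and records that origin in the client data; the relying party recomputes the hash from its own origin and rejects anything else. Everything here is constructed: the origins vault.example and vault-example.test are hypothetical, and an HMAC secret shared with the relying party stands in for the per-registration ECDSA key pair that real U2F uses, so the example runs with the standard library only.

```python
"""Toy model of U2F origin binding versus a bearer one-time code (constructed example)."""
import hashlib
import hmac
import json
import os
import secrets
import struct

RP_ORIGIN = "https://vault.example"          # hypothetical relying party
PHISH_ORIGIN = "https://vault-example.test"  # hypothetical look-alike site


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyAuthenticator:
    """Stand-in for a security key. Real U2F signs with a per-registration ECDSA
    private key; here an HMAC secret shared with the RP replaces the key pair
    (a simplification so the example needs no third-party library)."""

    def __init__(self):
        self.secrets = {}   # key handle -> per-registration secret
        self.counter = 0    # signature counter included in every assertion

    def register(self):
        handle = secrets.token_hex(8)
        self.secrets[handle] = os.urandom(32)
        return handle, self.secrets[handle]   # the RP stores this at registration

    def sign(self, handle: str, app_id_hash: bytes, client_data_hash: bytes):
        # U2F signs over appIdHash || userPresence || counter || clientDataHash
        self.counter += 1
        signed = app_id_hash + b"\x01" + struct.pack(">I", self.counter) + client_data_hash
        return signed, hmac.new(self.secrets[handle], signed, "sha256").digest()


def browser_get_assertion(authenticator, handle, origin, challenge):
    """The browser binds the assertion to the origin the user is really visiting:
    the appId hash is derived from that origin and the origin is written into clientData."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    signed, sig = authenticator.sign(handle, sha256(origin.encode()), sha256(client_data))
    return {"clientData": client_data, "signed": signed, "signature": sig}


def rp_verify_u2f(rp_secret, challenge, assertion) -> bool:
    """Relying-party checks: clientData origin and challenge, appId hash, and signature."""
    client = json.loads(assertion["clientData"])
    if client.get("origin") != RP_ORIGIN or client.get("challenge") != challenge:
        return False
    signed = assertion["signed"]
    if signed[:32] != sha256(RP_ORIGIN.encode()) or signed[-32:] != sha256(assertion["clientData"]):
        return False
    expected = hmac.new(rp_secret, signed, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


class ToyOtpValidator:
    """Bearer one-time code: the RP only checks that the code is unused. Nothing in
    the check depends on where the user typed it, which is why a code entered on
    a look-alike page validates just as well once it is forwarded to the real site."""

    def __init__(self):
        self.used = set()

    def verify(self, otp: str) -> bool:
        if otp in self.used:
            return False
        self.used.add(otp)
        return True


def demo():
    auth = ToyAuthenticator()
    handle, rp_secret = auth.register()
    challenge = secrets.token_urlsafe(16)
    # Normal login: the user's browser is on the RP's own origin.
    genuine = rp_verify_u2f(rp_secret, challenge,
                            browser_get_assertion(auth, handle, RP_ORIGIN, challenge))
    # Look-alike site: the browser is on the other origin, so the key signs a different
    # appId hash and clientData origin; the RP rejects the relayed assertion.
    relayed = rp_verify_u2f(rp_secret, challenge,
                            browser_get_assertion(auth, handle, PHISH_ORIGIN, challenge))
    # Bearer OTP: a forwarded, unused code is indistinguishable from one typed on the real site.
    forwarded_otp = ToyOtpValidator().verify("constructed-otp-0001")
    return {"u2f_genuine": genuine, "u2f_relayed": relayed, "otp_forwarded": forwarded_otp}


if __name__ == "__main__":
    print(demo())   # {'u2f_genuine': True, 'u2f_relayed': False, 'otp_forwarded': True}
```

The two failing checks in `rp_verify_u2f` (the appId hash prefix of the signed data and the origin field of clientData) are exactly the binding a bearer code lacks; a detection-minded reader can also note that a counter that jumps or goes backwards across assertions is a separate signal real relying parties check.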

Below we see LastPass endorsing the use of YubiKeys. In the diagram, we see that YubiKey...

