Windows 10: New, very good, Gmail phishing attack in the wild

Discussion in 'AntiVirus, Firewalls and System Security' started by AndreTen, Jan 17, 2017.

  1. dencal Win User

    TairikuOkami
    Three weeks ago you posted the above statement, now you are advising against two factor authentication.
    To say it is irresponsible is putting it mildly.
     
    dencal, Jan 18, 2017
    #16
  2. AndreTen Win User

    @TairikuOkami is an experienced user and in my opinion can manage the threats in his own way. This could only be irresponsible to inexperienced users. They can get a lot of good conclusions from debates such as this one *Smile

    Thanks @Kari for the great explanation of the 2 step verification process. You really are a geek Guru (and I'm serious about that).
    But I would like to add that this process doesn't eliminate the possibility of hackers gaining access to users' email. So stating that you can publish your email address online is a bit irresponsible too. So please can you be a bit gentler to us humans.
     
    AndreTen, Jan 18, 2017
    #17
  3. Kari Win User
    Could you please educate and civilize me and tell me how could for instance you access my Google or Microsoft account in case you knew my password if I have two-step authentication enabled, asking the security / verification code at every sign in from a not by me accepted trusted device?

    You don't have to go into details, just tell the method you would use to get the verification code.

    Sincerely,
     
  4. AndreTen Win User

    It happens in the context of this thread title. First you get a social attack (mail with attachment) and if you are not careful you get to a Gmail login page (like in the description of this attack).

    This doesn't apply to you as you would never put info into those fields...
    A user can put info into the Gmail login page; after that, the bad guys intercept that info and try to log in to the real Gmail account. Now, there are at least two possibilities for how you can give them the access code:

    1. The code in that text attachment could also contain a keylogger - you know the rest

    2. If they can reproduce the first login page, what stops them from reproducing a false code interception page too?

    One of these methods has already been used by bad guys; the other just came to mind... And if I can think of some methods, you can imagine what hackers could think of...
     
    AndreTen, Jan 18, 2017
    #19
  5. Kari Win User
    Keyloggers do not help to access accounts with two-step authentication, simply because all codes are for single use. I have no issues with you getting a code as soon as I have used it because it is no longer valid. You simply have no chance to get my codes, that's the point. Not with keyloggers. Only chance would be to physically get hold of my phones.

    I want to stress the importance and security of two-step authentication, therefore I suggest the following:

    If you are up to it, I'll send you valid credentials (complete email address and password) to one of my Microsoft accounts. I prove it to you first in a private online live meeting that username and password are valid. I will also prove later, after your agreed time to try to hack into my account that I have not accessed the account in the meantime and changed the password. I will save a valid, original Windows 10 PRO product key in a text file in OneDrive of that account.

    You have then let's say a month to try to access that account. If you can manage it, you can keep the Windows license found in OneDrive. If not, you'll provide one Windows 10 PRO license for me.

    OK?
     
  6. AndreTen Win User
    no way Kari *Smile

    You missed the point, that this is a social attack. I don't have to gain access to your PC (and I admit that the keylogger thing was my thought - bad though). The other variant has been used before. You get the code and you are using it, but you don't use it for the real account, but type it into a fake page (like the first one).
    You are right, code can only be used once.

    To be clear, 2 step verification is by miles more safe than single. But doesn't eliminate threats completely. And this is also dangerous - giving false feeling of total safety.
     
    AndreTen, Jan 18, 2017
    #21
  7. Kari Win User
    My point: let's say one of these days I do something stupid (it happens, take my word, depending on the amount of whisky I have consumed that day). Let's say I open a phishing site like the one in question and enter my email address, password and a single use security code.

    What happens? Nothing, because that code was used and is no longer valid. If the scammer would then contact Microsoft pretending to be me, saying he / she has forgotten the password and the phone was stolen but he needs to access the account, or clicked "I have forgotten password" and then selected "I can't access any of those" when the list of verification options would be shown, the account would immediately be locked for 30 days and I would receive an email about it to my primary verification email, plus a text message to the phone the scammer said had been stolen. Those messages would contain a link for me to sign in, verify my identity, reset password and re-open the account.

    Only if I would not react within this 30 day period would scammer gain access to my account.
     
  8. AndreTen Win User

    If you use your code on a phishing site, then it is still valid for the actual Gmail / MS site. In minutes after you are locked out of your account...
     
    AndreTen, Jan 18, 2017
    #23
  9. Kari Win User
    I use an authenticator app. The codes change every 30 seconds and are valid about a minute thereafter. Honestly, I do not have much fear about them being used.
     
  10. AndreTen Win User
    Of course you don't have to fear...

    This is from my previous response to you...

    I'm only stating that an average user could (and it already was successful) give his/her code to a phishing site..
     
    AndreTen, Jan 18, 2017
    #25
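
An added example (not part of any post in this thread): a minimal server-side TOTP check per RFC 6238, showing the two behaviours argued over above. A code is rejected once the genuine site has accepted it, but a code that has not yet been presented to the genuine site stays acceptable until its time window closes. The 30-second step matches the authenticator app mentioned; the one-step drift allowance, the `Verifier` class and the RFC test secret are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as with the authenticator app in the thread
DIGITS = 6
DRIFT = 1    # steps accepted either side of "now" (assumed server policy)

def totp(secret: bytes, counter: int) -> str:
    """RFC 4226/6238 code for one time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: accepts each time step at most once, within the window."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used = -1    # highest counter already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - DRIFT, current + DRIFT + 1):
            if counter <= self.last_used:
                continue       # replay protection: step already consumed
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.last_used = counter
                return True
        return False

def demo() -> dict:
    secret = b"12345678901234567890"    # RFC 6238 test secret, not a real key
    t = 59                              # constructed timestamp (seconds)
    code = totp(secret, t // STEP)
    site = Verifier(secret)
    return {
        # Used at the genuine site, then a captured copy is replayed.
        "first_use": site.verify(code, t),
        "replay_after_use": site.verify(code, t + 5),
        # Never presented to the genuine site before: still accepted there
        # while the window is open, rejected once it has closed.
        "unused_20s_later": Verifier(secret).verify(code, t + 20),
        "unused_after_window": Verifier(secret).verify(code, t + 90),
    }
```
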
  11. dencal Win User
    Whilst it is an admirable trait to defend an obvious acquaintance, it is stupidity of the highest order to defend information that could compromise the safety of anyone reading it believing he is an expert on the subject.

    As to your knowledge on two factor authentication.....it is obvious Kari's clearly explained workings have not registered with you.
     
    dencal, Jan 18, 2017
    #26
  12. AndreTen Win User
    Or that my explanation of possible weakness reached you. I'm using it myself (2 step auth, that is)

    Not that I'm defending anybody's behavior. I'm just recognizing it as human.

    Edit. mystery to me dencal... why would you think of Tariku as my acquaintance? See his posts on forum and generally approve them...
     
    AndreTen, Jan 18, 2017
    #27
  13. dencal Win User

    He is a member isn't he, so you are acquainted with his posted opinions, are you not, as I with yours.
    Did I infer personal acquaintance ?
     
    dencal, Jan 18, 2017
    #28
  14. AndreTen Win User
    You pretty much did. Obvious in that statement pretty much implies it

    As for the other part of your statement...

    I still think that debate and conclusions made from it are worth more than a single statement. And that the average user of Ten Forums is capable of understanding the difference between safety practices of particular users...
     
    AndreTen, Jan 18, 2017
    #29
  15. Kari Win User
    An effort to get this thread back to the topic:

    Not using Two-Step Authentication (also known as Two Factor Authentication, TSA, 2FA) to protect your online accounts is not only dangerous but also extremely stupid in today's online world full of scammers trying to get into your accounts.
     