Windows 10: New, very good, Gmail phising atack in the wild

As the word stupid became so popular with you and dencal, seems you are forgetting about fact, that defeating TSA is nothing new. Obviously you won't believe me, would you at least think about it if statement comes from security expert from IBM?

And again, I'm not saying that TSA isn't better than nothing, but thinking that you are invincible with it... now that would be stupid *Wink

 

My understanding was that Microsoft's own Authenticator app uses the same algorithm as Google Authenticator.
I only have the Windows Phone 7.5 version (so it's possible this compatibility has been removed now), but my old phone still let me login to my Google account when I tested it just now with the Microsoft Authenticator I have.

 

I use the S word to stress the fact that not using Two-Step Authentication is just that.

I have some difficulties to understand your apparent and pointless need to undermine that fact. Somewhat tired to your "yes, but..." I am unsubscribing this thread after posting this; feel free to post next "yes, but..." for other members to read, I will not see it.

As far as I know you can't get Google verifications to work in latest Microsoft Authenticator app in Windows Phone 8 or Windows 10 Mobile, but in all honesty I have to say I haven't even tried it.

 

I think the one I use is probably this Authenticator
For my phone, the Azure authenticator and this app are separate - I understand Microsoft has merged the two into one with the latest app.

I don't know if this means they've changed the algorithm for non-Azure accounts, but given the Microsoft accounts can also use both the old and presumably the new app, one would imagine it's the same algorithm as before, which would suggest it might work with Google?

Edit: This suggests the new MS Authenticator should still work with Google, Facebook etc.
Big Changes Coming to Microsoft Authenticator Apps - Thurrott.com

 

I think this is a good discussion/topic, and sorry to see Kari has unsubscribed....

Just thinking out loud:
If someone were a victim of a MIM (man-in-the-middle) attack, stealing the active cookie session, I think it's then possible to spoof the session, and access an account (even one that's protected with 2FA), at least long enough to do some major damage. I'm not sure exactly how it's done, but it appears to be possible (in my mind).

Just food for thought... *Smile

 

If its done from an unrecognised computer....it would require phone code authentication.

 

I did and consequences were severe for me. 2FA is great, in theory, just like relying on AV to detect malware.

That is exactly why I have posted it, people should know about the risks. I have seen too many people to loose access to their emails, even business, because they have followed the common advise and decided to use it. The only advice I could have offered them was to think twice about using it again. Nothing is perfect.

It is called 2FA for a reason, you need to provide 2 authentications to access your email, if you lose either, you are damned. If you could gain access with just one, then it would be pointless, it is fairly simple to understand.

Do you realize, that in many countries, you can get a replaced phone number without providing ID? Not to mention, that faking a phone number to get SMS has been POC way too many times.

That does not show the important part, since some browsers shows the certificate on the right side.

 

You didn't check the link I posted in the first post. Here is part of it

There is also news on ghaks.net

 

That is, what I was looking for, thanks. *Smile