Cloudflare: Someone tried to pull the Twilio phishing tactic on us too

Cloudflare says it was subject to an attack similar to the one made on comms company Twilio last week, but in this case it was thwarted by the hardware security keys that are required to access its applications and services. Twilio reported a breach after employees received phishing text messages claiming to be from the company's IT …

  1. Anonymous Coward

    Am I missing something ?

    Even a basic noddy Google Authenticator 2FA setup would have stopped this dead. Twilio, take note.

    I am getting increasing browned off with big corp* incompetence having to be hidden by making out that hackers are some kind of supervillain.

    *as in they can afford decent security.

    1. Locky

      Re: Am I missing something ?

      Indeed, TOTP systems are a pretty poor second factor.

      While timed 2FA codes aren't perfect, they are a step up.

    2. RedeemRed

      Re: Am I missing something ?

      Better yet, Authy by Twilio :P

    3. Victor Ludorum

      Re: Am I missing something ?

      I'm not sure a Google Authenticator style 2FA would have stopped them. According to the article the login credentials are sent instantly from the fake login page via Telegram. Assuming the fake login page also then asks for the 2FA code, the man in the middle has a (max 30 second) window of opportunity to capture and use that 2FA code to login.

      1. Anonymous Coward

        Re: Am I missing something ?

        And worse - anyone used to using a Google Authenticator style 2FA will have been thoroughly trained to enter the code quickly.

      2. Anonymous Coward

        Re: Am I missing something ?

        Your Google Authenticator may display a code for 30 seconds, but it's possibly valid up to 3 minutes before it's displayed and 3 minutes after it's displayed. Compared to Kerberos' 5-minute delta this is slightly better, but in the case of TOTP this delta is usually administrator configurable (my systems allow up to +/- 3 minutes of clock drift between the authenticators and the server(s)).

        1. anothercynic Silver badge

          Re: Am I missing something ?

          3 minutes? With NTP or your own time server there is no reason for a 3-minute clock drift anywhere!!

    4. Adam Inistrator

      Re: Am I missing something ?

      Strange comment ... Google Authenticator and other 2FA apps provide TOTP, and TOTPs are exactly what the article explains would have allowed the attack to be pulled off. Downvoted.

    5. Anonymous Coward

      Re: Am I missing something ?

      > Even a basic noddy Google Authenticator 2FA setup would have stopped this dead.

      No it wouldn't, as explicitly mentioned in the blog post linked in the first paragraph of this article.

      Also, it's called TOTP.

    6. anothercynic Silver badge

      Re: Am I missing something ?

      You *are*, because Google Authenticator would *not* have stopped this dead. That's the point that Cloudflare is making:

      It's precisely because Cloudflare *weren't* using something like Google Authenticator and rather something like YubiKey (set up to check that the request came from somewhere legit, which Google Authenticator *DOES* *NOT* *DO*), that the attack was thwarted.

      Would help if you read the technical details of the attack *carefully*, or you look like an ass. You *do* have a point about corporates yammering on about 'the bad hackers' when security could be done properly.
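An added worked example, not part of the article or of any comment above, that puts numbers on two points raised in the thread: Victor Ludorum's and the anonymous poster's comments on the TOTP acceptance window (a relayed code is accepted whenever the server's configured skew covers the delay, and the 30 seconds the app shows the code is not the acceptance window), and anothercynic's point that a FIDO-style key signs the origin the browser actually talked to, so a relayed assertion fails at the relying party. The TOTP part follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) and uses the RFC's published test secret. The WebAuthn part is a deliberate simplification: the authenticator's signature is modelled with an HMAC rather than a public-key signature, the RP ID check is omitted, and the origins, keys and challenge values are constructed for the example.

```python
import hashlib
import hmac
import json
import struct

STEP = 30          # RFC 6238 default time step, seconds
DIGITS = 6         # what Google Authenticator-style apps display

# RFC 6238 test secret (ASCII "12345678901234567890"); not a real credential.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


def verify_totp(secret: bytes, code: str, at: int, skew_steps: int = 1) -> bool:
    """Server-side check accepting codes from +/- skew_steps neighbouring steps.
    skew_steps=6 corresponds to the +/- 3 minutes of drift mentioned above."""
    counter = int(at) // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def relay_accepted(secret: bytes, typed_at: int, delay: int, skew_steps: int) -> bool:
    """Phishing-relay model: the victim types the current code into the fake
    page at typed_at; the attacker submits it to the real server delay seconds
    later. Returns whether the real server accepts it."""
    captured = totp(secret, typed_at)
    return verify_totp(secret, captured, typed_at + delay, skew_steps)


# --- Origin-bound (WebAuthn-style) assertion, simplified ---------------------

RP_ORIGIN = "https://sso.example"        # assumed legitimate login origin
PHISH_ORIGIN = "https://sso-example.test"  # constructed phishing origin


def authenticator_assert(credential_key: bytes, challenge: str, origin: str) -> dict:
    """The browser, not the page, fills in the origin it is connected to and the
    authenticator signs it. HMAC stands in for the real public-key signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    )
    sig = hmac.new(credential_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def rp_verify(credential_key: bytes, assertion: dict,
              expected_challenge: str, expected_origin: str) -> bool:
    """Relying party: reject unless the signed origin and challenge are its own,
    then check the signature over the exact client data that was signed."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != expected_origin or data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(credential_key, assertion["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def phished_webauthn_accepted(credential_key: bytes, challenge: str) -> bool:
    """Attacker proxies the real challenge to the victim and relays the
    assertion unchanged; the victim's browser was on the phishing origin."""
    assertion = authenticator_assert(credential_key, challenge, PHISH_ORIGIN)
    return rp_verify(credential_key, assertion, challenge, RP_ORIGIN)


if __name__ == "__main__":
    t = 1111111109  # RFC 6238 vector time; the step boundary is 1 s away
    print("TOTP at t:", totp(RFC_SECRET, t))
    for skew, delay in ((0, 20), (1, 20), (1, 170), (6, 170)):
        print(f"skew={skew} steps, relay delay={delay}s ->",
              "ACCEPTED" if relay_accepted(RFC_SECRET, t, delay, skew) else "rejected")
    print("relayed WebAuthn assertion ->",
          "ACCEPTED" if phished_webauthn_accepted(b"example-key", "nonce-1") else "rejected")
```

The chosen time sits one second before a step boundary, so even a 20-second relay lands in the next step; a server with zero skew rejects it, but the common one-step tolerance accepts it, and the +/- 3 minutes mentioned in the thread accepts a code relayed nearly three minutes later. The origin-bound assertion fails regardless of how fast the relay is, because the origin is written by the victim's browser and covered by the signature.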
