Ask HN: What's to prevent someone from spoofing a website?
4 by EGreg | 4 comments on Hacker News.
I just got an email from Backblaze about resetting my credentials, because they detected they were not secure enough. And I thought -- why can't the entire thing be done from a website with a very similar unicode character somewhere in there, such as a or the russian "B"? The entire website can be cloned (or just that one page). But they'll just ask you to enter your existing password, before changing it. Many people would fall for it. They see the green lock, the https://ift.tt/nHazuK6 or whatever. And then what? Sites can mitigate this by sending a "magic link" to your email to authorize any important actions, like a password change. That way they won't be able to make use of "what you know", without also getting into your email ("what you have"). But instead, many sites ask you to confirm it on your authenticator app by entering a number on the site. The problem with this is that the attacker can just proxy this while having you on the line with some real-time some social engineering and enter the number themselves. How much protection is there, really, against this? I ended up copying the link, deleting the domain and typing it myself just in case.
Don't forget to subscribe our youtube channel Click here:- http://www.youtube.com/c/techgk Product of the day
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment