Proton adds security key support as an additional 2fa option – Computer – News

By Derek Atkinson 2 years ago

With TOTP, it is possible to intercept the code using a reverse proxy. This has always been the case and for a long time there have been open source packages that make this fairly easy.

If you set up a reverse proxy on pr0t0nmail.com for example (zeros instead of o), which hooks everything up to the normal domain, you can intercept the code. Or even easier, you don’t even need the code because you can intercept and use the session cookie.
So if you can get someone to go to pr0t0nmail.com with a phishing email, and everything is restricted to the proxy, you are in place because there is no TOTP “check”

Like I said, there were already open source packages available for reverse proxy phishing which makes this fairly easy for the “big players” like Facebook, Office 365, etc. But with enough knowledge, anyone can do this for almost any site using TOTP. But it got worse this year because now there are a number of services where everything is taken care of for you. Phishing as a Service.
Any script kid can do this with little money without knowing how it works. Pay money, register a domain, run a script et voila, a phishing site is complete and up and running with TOTP support (and other OTP mechanisms too, like push notifications on your phone).
Just read this: https://resecurity.com/b…ypass-emerged-in-dark-web
It even needs a video tutorial with the steps for a Microsoft phishing site. The video is 4 minutes long and includes the images that the user (the victim) sees…

U2F/FIDO protects against this because it is a client/server model. When the client (your web browser in this case) talks to pr0t0nmail.com, it doesn’t have a key for that domain, so no authentication can be done. Voila, you don’t have to worry! (Ok, that’s a little, because the phishing site intercepted your password and username. So hopefully your password is unique….)

See also  Google claims to improve Chrome's performance by tweaking the JavaScript-Computer-News engine

That’s why I always use my yubikey on any important site and have support for it. And I have my important domains on Protonmail, so I’m using Yubikey there now too. Although it still has TOTP as a backup, it’s still more secure because I only use yubikey, and if that doesn’t work, I know something is going on.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like

Actress Maxima Delfina Chaves learns Dutch: “The sounds are different” | RTL Street

By Derek Atkinson 23 hours ago

“Google is working on new Nest Hub Max and Nest Audio”

By Derek Atkinson 1 day ago

Kees van der Spek helps the fraudulent couple who promised a million dollar inheritance: they lost 400 thousand euros | RTL Street

By Derek Atkinson 2 days ago

The Rediscover Kanto event is live and will last over two weeks!

By Derek Atkinson 3 days ago

This new battery is fully charged in a few seconds

By Derek Atkinson 4 days ago

This new feature in WhatsApp is useful if you are receiving a lot of messages

By Derek Atkinson 1 week ago