blog! “FobCam '25 - All my MFA tokens on one page”

Some ideas are timeless. Back in 2004, an anonymous genius set up "FobCam". Tired of having to carry around an RSA SecurID token everywhere, our hero simply left the fob at home with an early webcam pointing at it. And then left the page open for all to see.

Security expert Bruce…

Read more: https://shkspr.mobi/blog/2025/04/fobcam-25-all-my-mfa-tokens-on-one-page/
⸻
#2fa #CyberSecurity #MFA #Satire(Probably) #security

(sophos.com) Evilginx: How Attackers Bypass MFA Through Adversary-in-the-Middle Attacks https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/

A short descriptive article about Evilginx and how stealing credentials work, a few suggested ways of detecting etc.

Summary:
This article examines Evilginx, a tool that leverages the legitimate nginx web server to conduct Adversary-in-the-Middle (AitM) attacks that can bypass multifactor authentication (MFA). The tool works by proxying web traffic through malicious sites that mimic legitimate services like Microsoft 365, capturing not only usernames and passwords but also session tokens. The article demonstrates how Evilginx operates, showing how attackers can gain full access to a user's account even when protected by MFA. It provides detection methods through Azure/Microsoft 365 logs and suggests both preemptive and reactive mitigations, emphasizing the need to move toward phishing-resistant FIDO2-based authentication methods.

AU Tech folk: Which provider do you recommend for registering .au domains (eg .com.au, .org.au, .au etc)?

Second question. Do they currently support Multi-factor Authentication, specifically MFA TOTP (eg using an Auth App)?

Looking for alternatives to VentraIP as it's currently the only .au registra I know of that offers MFA TOTP.

New Privacy Guides article
by me:

If you are using a YubiKey,

you might get in some situations where you need to reset your key to factory default, and/or set up a backup of it on a spare key.

This tutorial will guide you
through each step to reset and back up your YubiKey successfully, with clear instructions and plenty of visual support.

I hope you find it helpful!

https://www.privacyguides.org/articles/2025/03/06/yubikey-reset-and-backup/

blog! “Towards a test-suite for TOTP codes”

Because I'm a massive nerd, I actually try to read specification documents. As I've ranted ad nauseam about the current TOTP spec being irresponsibly obsolete.

The three major implementations of the spec - Google, Apple, and Yubico - all subtly disagree on how it should be implemented. Every other MFA…

Read more: https://shkspr.mobi/blog/2025/03/towards-a-test-suite-for-totp-codes/
⸻
#2fa #CyberSecurity #HTOP #MFA #OpenSource #totp

I think I've created the *least* secure multi-factor authentication code.

Please can you try adding this to your MFA app and tell me if it *doesn't* work (give me the app name & your phone's OS).

THANKS GANG!

Delta Airlines recently announced that they added MFA, to both their site and their app.

But the only options are ones that require connectivity (SMS, email, push).

I have zero interest in making managing my travel ... dependent on whether various networks are up.

If security people can immediately think of common threat models that make them want to avoid your MFA entirely, due to core aspects of your business offering ... some stakeholders were missing (or overridden) in those meetings.

This Friday's art appreciation moment focuses on The Myth of Classical Whiteness, as seen at the #MFA Boston. There are three toots for this topic. First, the familiar and classical statue of Athena. #art #statue #antiquity #Athena #FridayArtAppreciation 1/

I recently saw an interesting thread elsewhere: someone expressing high frustration with two factor/multifactor authentication in their day to day life, and nearly every response being of agreement, sometimes very vehement. I don’t think most of these people worked in infosec or IT. Some were dealing with MFA on university systems, some on work systems. They all loathed it. But the why expressed by many for the loathing was what was really interesting. Sure, many expressed irritation about being interrupted multiple times a day by MFA prompts, some were annoyed that it was in place for what they saw as systems that “didn’t need to be that secure”, etc. The common refrains one hears from people in security awareness discussions and/or about less user friendly implementations. But the broadest sentiment?

That it didn’t matter because their PII - their SSNs, their credit card numbers, so on and so forth - had already been stolen so many times, that nothing was really being done to stop that from happening, that it was happening more and more and the companies responsible for losing the data weren’t being punished. In the face of all that, they didn’t want to have to keep dealing with the pain of being forced to use MFA when they felt it wasn’t helping anything,

I let my password expire on #myPay, the U.S. government's wage payment portal, and so it prompted me to change my password on my next login.
It prompted me after I entered my username and old password, but _before_ prompting me to enter my #MFA token.
Is this behavior correct?
#2FA #infosec #poll #FedLife

Fellow Tooters, please enable #MFA on the fediverse.

Faraway Russian hackers breached US organization via Wi-Fi https://www.helpnetsecurity.com/2024/11/25/enterprise-wi-fi-compromised/ #government-backedattacks #RussianFederation #brute-force #credentials #enterprise #Don'tmiss #Hotstuff #wireless #News #APT #MFA

It’s still October, so that means it’s also still #cybersecurity awareness month.

Here are my basic tips for everyone:

1. Develop good password management skills. Avoiding reusing passwords. Use long + complex passwords. Change default passwords. Use a password manager.

2. Enable #MFA.

3. Keep #software and firmware updated. Generally, this involves avoiding using EOL/deprecated software.

#security

https://avoidthehack.com/getting-started-cybersecurity

T-Mobile reaches $31.5 million settlement with FCC over past data breaches

Apparently, T-mobile is now mandated to implement better cybersecurity controls, such as properly segmenting networks and using phishing resistant #MFA.

This settlement covers the breaches in 2021, 2022, and 2023. Will we get a 2024 special?

#cybersecurity #infosec #databreach

https://cyberscoop.com/t-mobile-fcc-settlement-data-breach/

Hoe de Politiehack precies heeft plaatsgevonden, weet ik niet.

Wel weet ik dat veel "experts"hun kop in het zand steken of mij zelfs voor gek verklaren als ik schrijf dat:

1) Het opzet is dat mensen op internet nep niet van echt kunnen onderscheiden (https://security.nl/posting/859906/Speculatie_over_Politie-hack), en dat daar *dringend* iets aan gedaan moet worden;

2) Zij aanraden om zwakke MFA (https://security.nl/posting/859561/MFA-2FA_is_als_peniciline) te gebruiken in plaats van een wachtwoordmanager die op domeinnamen checkt;

3) Onder hen er *zelfs* zijn die stellen dat we, op *dit* internet, EDIW veilig zouden kunnen gebruiken (reactie op een posting van Ivo Jansch, één van de architecten van EDIW: https://tweakers.net/nieuws/204138/#r_18249704). Welliswaar met de opmerking dat er alternatieven moeten blijven bestaan (die er nu ook niet meer zijn voor communicatie met de overheid of met uw bank).

Zie ook https://www.security.nl/posting/827137/Kopie-ID-Kap-Ermee#posting833162, bovenaan die pagina en https://www.security.nl/posting/833217/Internet-toenemende_impersonatie.

#Politiehack #Politie #MFA #2FA #ZwakkeMFA #Zwakke2FA #DV #Certificaten #LetsEncrypt #LetsAuthenticateTheWebsiteFirst #AitM #MitM #Phishing #EvilProxy #PhaaS #Evilginx2 #EDIW #EUDIW #EC #KopieID #KopietjePaspoort #VideoIdent

(Bron van onderstaand plaatje: https://www.maxvandaag.nl/sessies/themas/media-cultuur/waarom-steken-we-ons-hoofd-in-het-zand-als-het-lastig-wordt/)