|
https://twitter.com/abigbagofkeys/status/1191164129509167104?s=20
|
# ? Nov 4, 2019 03:20 |
|
the challenge phrase when they call is “oi”, and if you answer “you sick oval office” then it’s considered valid
|
# ? Nov 4, 2019 03:50 |
|
From a while back but The Fool posted: My bank has a password specifically for over-the-phone authentication that is totally separate from my online-banking password or my ATM PIN.
USBank at least doesn't do this, and immediately asks you to type in your PIN when you call their fraud hotline. Interesting, and a bit unnerving when you're not sure if you've called the right number.
|
# ? Nov 4, 2019 04:30 |
|
I wonder how many people you could catch by just putting up a legit looking site with "bank of america fraud hotline" number and just have it capture those PINs
|
# ? Nov 4, 2019 04:37 |
|
CRIP EATIN BREAD posted: I wonder how many people you could catch by just putting up a legit looking site with "bank of america fraud hotline" number and just have it capture those PINs
"Your phone number has not been recognized. Please enter card account number to associate your account with this phone number."
"Account has been added to your mobile number, pending verification. Please enter PIN to verify"
|
# ? Nov 4, 2019 04:43 |
|
apparently when you integrate azure ad with duo you can still do password stuffing and bruteforce attacks. getting redirected to duo only happens if the password is valid.
|
# ? Nov 4, 2019 13:49 |
|
Shinku ABOOKEN posted: apparently when you integrate azure ad with duo you can still do password stuffing and bruteforce attacks. getting redirected to duo only happens if the password is valid.
this is how most mfa systems work
|
# ? Nov 4, 2019 15:42 |
|
The Fool posted: this is how most mfa systems work
well then most mfa systems are trash
i can’t believe loving citrix got this right and they didn’t
|
# ? Nov 4, 2019 15:48 |
|
Shinku ABOOKEN posted: apparently when you integrate azure ad with duo you can still do password stuffing and bruteforce attacks. getting redirected to duo only happens if the password is valid.
why would you integrate azure ad with duo instead of just using azure mfa?
|
# ? Nov 4, 2019 15:49 |
|
Shinku ABOOKEN posted: well then most mfa systems are trash
the amount of user tickets generated from not knowing if it's the password or the token is not worth the added security. especially when you can handle it other ways like brute force detection, unknown location detection, disallowing common passwords, etc... and if ur doing push auth there's no token to even enter.
|
# ? Nov 4, 2019 15:52 |
But if they're doing lovely MFA design, how likely are they to mitigate the lovely MFA design by doing those extra things, rather than just design the entire thing in a lovely way?
|
|
# ? Nov 4, 2019 15:57 |
|
Shaggar posted: the amount of user tickets generated from not knowing if it's the password or the token is not worth the added security. especially when you can handle it other ways like brute force detection, unknown location detection, disallowing common passwords, etc...
you could just tell them which was wrong if they got one right though, and it indeed seems more secure that way. otoh just limiting to three attempts an hour with some logic to fully ban bruteforce attempts is indeed 99.9% of the security with less juggling of responsibilities.
|
# ? Nov 4, 2019 16:04 |
|
Microsoft’s goal is to just eliminate the password prompt entirely
currently the model is:
enter username
perform primary auth
perform secondary auth
while for most people, the primary auth is just a password, but it doesn’t have to be and probably shouldn’t be
passwords are bad
|
# ? Nov 4, 2019 16:04 |
|
has anyone here tried microsoft's passwordless implementation? afaik it's only for native azure ad, no hybrid support
|
# ? Nov 4, 2019 16:07 |
|
Cybernetic Vermin posted: you could just tell them which was wrong if they got one right though, and it indeed seems more secure that way.
yes, let’s tell the attacker they got the otp right and just need to figure out the password
if you’re going to gather both pieces at the same time you cannot indicate a partial failure, it’s either a full failure or a successful logon
the other problem is that gathering a password and otp at the same time means you can’t use other mfa methods
|
# ? Nov 4, 2019 16:08 |
|
normal brain: blacklist login attempts after x number of failures
galaxy brain: always fail the first time when password and 2fa is correct, a real user will just try again
|
# ? Nov 4, 2019 16:09 |
|
infernal machines posted: has anyone here tried microsoft's passwordless implementation? afaik it's only for native azure ad, no hybrid support
I’m using it on my personal accounts and there are hybrid use cases if you’re using pass through auth or hash sync
it’s trickier with adfs, but there are some options if you are running adfs 2019 with azure mfa
|
# ? Nov 4, 2019 16:10 |
|
I spent 6-ish hours yesterday being told that adfs is bad and phs is good
|
# ? Nov 4, 2019 16:11 |
|
what are peoples thoughts on ping. ADFS seems way less fucky to get working but i dunno.
|
# ? Nov 4, 2019 16:16 |
|
ping is kind of dumb, it's so often blocked by firewall rules and it's so much more low level than anything you'd be asking the remote machine to do that it's kind of useless
you want to test for intended functionality most of the time, not that some part of the os responds to icmp
|
# ? Nov 4, 2019 16:43 |
Pretty sure he means ping federation lol possible
|
|
# ? Nov 4, 2019 16:55 |
|
idk all those fuckin' acronyms, you don't see me running my rear end in here about "afl" or "relro" or all that poo poo
|
# ? Nov 4, 2019 17:02 |
|
Ping up your rear end
|
# ? Nov 4, 2019 17:03 |
|
pretty sure apple eol'd it anyway
|
# ? Nov 4, 2019 17:04 |
|
ymgve posted: galaxy brain: always fail the first time when password and 2fa is correct, a real user will just try again
One of my banks does this to uncookied browsers. (Makes you do correct username/password twice before even prompting for OTP.) How do I know I'm not always typoing my account details? Because I'm pasting them in.
James Baud fucked around with this message at 17:12 on Nov 4, 2019
# ? Nov 4, 2019 17:10 |
|
user-hostile security threatre is just awesome
|
# ? Nov 4, 2019 17:25 |
|
if you aren't being inconvenienced how would you know how secure you are
|
# ? Nov 4, 2019 17:41 |
|
power botton posted: what are peoples thoughts on ping. ADFS seems way less fucky to get working but i dunno.
ping would be good in a world without adfs or azure ad
|
# ? Nov 4, 2019 18:18 |
|
to log into your account, please insert one drop of your blood into your dna tester
|
# ? Nov 4, 2019 18:19 |
|
Soricidus posted: to log into your account, please insert one drop of your blood into your dna tester
theradfsanos
|
# ? Nov 4, 2019 18:32 |
|
Soricidus posted: to log into your account, please insert one drop of your blood into your dna tester
why even ask? why not just use your enforced biometric fitness tracker auto prick you when needed
|
# ? Nov 4, 2019 18:56 |
|
Last Chance posted: why even ask? why not just use your enforced biometric fitness tracker auto prick you when needed
When do you NOT need an auto prick?
|
# ? Nov 4, 2019 19:04 |
|
Volmarias posted: When do you NOT need an auto prick?
idk i try to minimize my bmw driver interactions
|
# ? Nov 4, 2019 19:48 |
|
Shaggar posted: the amount of user tickets generated from not knowing if it's the password or the token is not worth the added security. especially when you can handle it other ways like brute force detection, unknown location detection, disallowing common passwords, etc...
still why would you give attackers an oracle? it's already bad enough when our users show up on haveibeenpwned.com. we don't need attackers to also be able to guess passwords.
also bruteforce protection does jack poo poo. if you lock out users after x failed attempts then you just dos yourself (happened before, management rightfully told IT to gently caress off and disable lock out). if you lock out malicious ips then attackers simply do distributed bruteforce.
|
# ? Nov 4, 2019 20:53 |
|
this can be solved if the login redirected you to 2fa regardless of cred validity btw
|
# ? Nov 4, 2019 20:54 |
|
not mfa related but i've had some fun dealing with a hosted service vendor whose fail2ban implementation repeatedly blocked an entire sales centre because one sales person fatfingered the creds on their iphone and kept forgetting to fix it
|
# ? Nov 4, 2019 21:04 |
|
Shinku ABOOKEN posted: this can be solved if the login redirected you to 2fa regardless of cred validity btw
yes, I want my users to get push notifications every time their account comes up in the ongoing password spray attacks
|
# ? Nov 4, 2019 21:11 |
|
The Fool posted: yes, I want my users to get push notifications every time their account comes up in the ongoing password spray attacks
You don't actually send the push if the password was wrong, you just pretend to. (Blah blah, timing oracle, you can do it right if you try.)
|
# ? Nov 4, 2019 21:15 |
|
James Baud posted: You don't actually send the push if the password was wrong, you just pretend to.
If the attacker has the sms number, this still tells them if the password was correct
|
# ? Nov 4, 2019 21:18 |
|
Volmarias posted: If the attacker has the sms number, this still tells them if the password was correct
If they have the second factor and get the password right, the user is screwed anyway?
|
# ? Nov 4, 2019 21:21 |
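Added example, not from any poster in this thread and not Duo's, Azure AD's or Citrix's code: the two login designs argued over above, side by side. `WeakLogin` is the "redirect to MFA only if the password is valid" pattern, which turns step 1 into a password oracle. `HardenedLogin` is the "redirect to 2fa regardless of cred validity" design with James Baud's refinement: every step-1 call returns an opaque challenge of the same shape, the push (modelled here as a list entry) is dispatched only when the password really verified, unknown users are run through a dummy credential so they cost the same work, and step 2 returns one all-or-nothing verdict with no partial-failure signal. The user store, PBKDF2 parameters, TOTP-as-second-factor, token format and the constructed test account are all assumptions for the demo.

```python
# Added example, not from the thread: a two-step login that avoids the
# password oracle discussed above.  User store, token format, PBKDF2
# parameters and the TOTP secret are all assumptions made for the demo.
import hashlib
import hmac
import os
import secrets
import struct
import time

PBKDF2_ITERS = 100_000  # assumed work factor; tune for your deployment


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERS)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), used as the second factor in this demo."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class WeakLogin:
    """The pattern complained about: the MFA redirect only happens on a valid
    password, so step 1 by itself confirms or denies each guess."""

    def __init__(self, users: dict):
        self.users = users

    def step1(self, user: str, pw: str) -> str:
        rec = self.users.get(user)
        if rec is None:
            return "no_such_user"
        if not hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
            return "bad_password"
        return "mfa_required"  # attacker now knows the password was right


class HardenedLogin:
    """Every step-1 call yields an opaque challenge of identical shape; the push
    (here: an appended list entry) is only dispatched when the password really
    verified, and step 2 returns one all-or-nothing verdict."""

    def __init__(self, users: dict):
        self.users = users
        # Dummy credential so unknown users cost the same PBKDF2/HMAC work
        # as real ones (closes the obvious timing side channel).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(secrets.token_hex(16), self._dummy_salt)
        self.pending = {}      # challenge token -> (user, password_ok)
        self.pushes_sent = []  # stands in for the SMS/push transport

    def step1(self, user: str, pw: str) -> str:
        rec = self.users.get(user)
        salt = rec["salt"] if rec else self._dummy_salt
        expect = rec["hash"] if rec else self._dummy_hash
        pw_ok = hmac.compare_digest(hash_password(pw, salt), expect) and rec is not None
        token = secrets.token_urlsafe(32)
        self.pending[token] = (user, pw_ok)
        if pw_ok:
            self.pushes_sent.append(user)  # wrong guesses never page the user
        return token  # same response for unknown user, bad password, good password

    def step2(self, token: str, otp: str, now=None) -> bool:
        user, pw_ok = self.pending.pop(token, (None, False))  # single use
        rec = self.users.get(user)
        secret = rec["totp"] if rec else self._dummy_hash  # equal work on bad tokens
        ts = int(time.time()) if now is None else now
        otp_ok = hmac.compare_digest(totp(secret, ts), otp)
        return bool(pw_ok and otp_ok)  # never reports which factor failed
```

What the hardened class does and does not fix: the HTTP response no longer distinguishes "wrong password" from "right password, waiting on MFA", so a spray or stuffing run gets nothing back from step 1. It still sends a push on every correct-password guess, which is The Fool's objection (the user gets paged whenever the spray hits), and an attacker who already holds the second-factor device learns password correctness from that push, which is Volmarias' point. Those are properties of push/SMS as a factor, not of the response handling, so this pattern needs to be paired with the throttling and new-location checks Shaggar lists rather than replacing them.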