• biscuitswalrus
      3 upvotes · 9 months ago

      On many systems, the weakest link is that it needs to accommodate a ‘lost my X’ scenario (e.g. MFA, password, etc.).

      Systems often have a way to get in by resetting them, validating through more factors, but often weaker, “not phishing-resistant” factors like security questions. That way the account can have it removed or a new one put on.

      MFA isn’t a silver bullet; it is another layer of Swiss cheese. Most people will think twice about giving it away on a chat app, but there’s a reason IT departments sign you up for those phishing simulations and training videos.

      But you could still be right in this case. I just wanted to note that, broadly speaking, you can’t assume perfect security is achieved with MFA. You still need to be constantly vigilant.

      • Dudewitbow@lemmy.zip
        1 upvote · 9 months ago

        Not saying it’s perfect, but it would have protected him in this specific case. The weakest link is always the human element, and the layers of protection are there to limit what hackers need in order to gain full access.

        • biscuitswalrus
          1 upvote · 9 months ago

          Although that might be true, the moment the ‘friend’ gave away his account recovery answers to the phisher, I think he would have been compromised either way. It was likely that the phisher was actioning an account recovery in real time and using the friend as the proxy to give answers to the prompts. Plus, since it’s already second-hand info, we can’t tell, but if the phisher had simply asked ‘can you read me the code on your authenticator’ or ‘press approve and you’ll complete the recovery process’, it would have been successful.

          In investigating account breaches, I’ve found most people shamefully don’t retell the whole story; they’re embarrassed and upset and fearing loss of employment. They kind of shut down. In this case, social status or opinion could be harmed, so it would be hard to trust that the story is complete. Generally my logs come from Entra ID, and you can see the authentication came from the mobile device even though it was a prompt generated by the phisher.

          Anyway I’m a big advocate for layers of security and you’re completely right in your stance. Technology is fragile to exactly what you said. We live in a world of incomplete information using trust and judgement under time pressure and poor sleep. Phishing attacks are ruthlessly designed to target that weakness in people. I’m empathetic when it is successful.
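
The two patterns discussed in this thread, a phisher-initiated MFA prompt approved on the victim’s own phone, and a weak-factor account recovery followed by enrolling a new authenticator, can both be hunted for in sign-in and audit logs. Below is an added example, not code from any commenter or from Microsoft: the log is constructed inline and uses a simplified, assumed schema (field names such as `request_country`, `approval_country`, `factor`, and method labels like `push` and `fido2` are illustrative, not the real Entra ID export format), so the field mapping must be adapted to whatever your identity provider actually emits.

```python
"""
Added example (not from the thread): two detections over a constructed,
simplified sign-in/audit log loosely modelled on what an IdP like Entra ID
records. Field names and method labels are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Assumption: which factors count as phishing-resistant (origin-bound) in your tenant.
PHISHING_RESISTANT = {"fido2", "windows_hello", "certificate"}
# Recovery factors the thread calls "weaker": they can be read out over a chat app.
WEAK_RECOVERY = {"security_questions", "sms", "email"}


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample log. Scenario: an attacker in country ZZ starts a sign-in
# and a recovery; the victim, in country AA, approves the push on their phone
# and reads out a recovery answer; the attacker then enrols a new authenticator.
SAMPLE_LOG = [
    {"time": _t("2024-05-01T10:00:00"), "type": "sign_in", "user": "alice@example.com",
     "request_country": "ZZ", "approval_country": "AA", "method": "push", "result": "success"},
    {"time": _t("2024-05-01T10:02:00"), "type": "recovery", "user": "alice@example.com",
     "factor": "security_questions", "request_country": "ZZ", "result": "success"},
    {"time": _t("2024-05-01T10:05:00"), "type": "mfa_method_added", "user": "alice@example.com",
     "method": "push", "request_country": "ZZ"},
    # Benign: a FIDO2 sign-in; request and approval come from the same place.
    {"time": _t("2024-05-01T11:00:00"), "type": "sign_in", "user": "bob@example.com",
     "request_country": "AA", "approval_country": "AA", "method": "fido2", "result": "success"},
    # Benign: a genuine forgotten-password reset with no new factor enrolled afterwards.
    {"time": _t("2024-05-01T12:00:00"), "type": "recovery", "user": "carol@example.com",
     "factor": "security_questions", "request_country": "AA", "result": "success"},
]


def proxied_mfa_approvals(log):
    """Successful sign-ins where a non-phishing-resistant factor was approved
    from a different country than the sign-in request originated in: the
    'prompt generated by the phisher, approved on the victim's phone' pattern.
    Returns a list of (user, time)."""
    hits = []
    for e in log:
        if e["type"] != "sign_in" or e["result"] != "success":
            continue
        if e["method"] in PHISHING_RESISTANT:
            continue  # origin-bound: a relayed prompt cannot be approved at all
        if e["request_country"] != e["approval_country"]:
            hits.append((e["user"], e["time"]))
    return hits


def weak_recovery_then_enrollment(log, window=timedelta(minutes=30)):
    """A recovery that succeeded on a weak factor, followed within `window`
    by a new MFA method on the same account: the 'get it removed or a new
    one put on' path. Returns a list of (user, recovery_factor, new_method)."""
    by_user = {}
    for e in sorted(log, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, events in by_user.items():
        for i, e in enumerate(events):
            if e["type"] != "recovery" or e["result"] != "success":
                continue
            if e["factor"] not in WEAK_RECOVERY:
                continue
            for later in events[i + 1:]:
                if later["time"] - e["time"] > window:
                    break  # events are time-sorted, so nothing later can match
                if later["type"] == "mfa_method_added":
                    hits.append((user, e["factor"], later["method"]))
                    break
    return hits


if __name__ == "__main__":
    print("proxied MFA approvals:", proxied_mfa_approvals(SAMPLE_LOG))
    print("weak recovery -> new factor:", weak_recovery_then_enrollment(SAMPLE_LOG))
```

Both detections are deliberately narrow: the first only fires for factors that can be relayed (push, OTP, SMS), since a FIDO2 or certificate sign-in is bound to the origin and cannot be approved on a phisher’s behalf; the second only fires when a weak recovery factor is followed by a new method on the same account, which is the step that turns a one-off reset into persistent access. Country is used as the mismatch signal only because it is easy to construct here; ASN, device ID or a per-tenant “known location” list are usually better in practice.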