#mfa

2 posts · Last used 15d

In reply to
ErikvanStraten
@ErikvanStraten@todon.nl · Jun 03, 2026
@sophieschmieg@infosec.exchange : *if* the second factor consists of 6 digits and regularly changes (TOTP: usually every thirty seconds), then it is typically worse than 1 in a million chance. Because the client clock may be out of sync with the server clock, typically a time window larger than 30 seconds is used to increase fault tolerance. I suggest you read https://www.oasis.security/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass

I remembered that attack, but Pouyan (@i@toot.pouyan.net) had already referenced "AuthQuake" in an earlier toot (https://toot.pouyan.net/notice/B6xuBX6lzrGenpC74y) - but you may have missed that.

W.r.t. 2FA: if the server, after entering the user-ID and an incorrect password, responds with "wrong userID or password" - before asking for the 2FA code (or a timing difference reveals that the first factor is either wrong or correct), then the attacker's life gets a lot easier. And if 2FA is reduced to 1FA in "device code" phishing attacks, even passkeys and FIDO2 hardware keys will not prevent account takeovers. Also "password reset" mechanisms may have flaws (up to Instagram's AI assistant being easily convinced by fraudsters).

@dangoodin@infosec.exchange @cibyr@omg.wtf.sh #TOTP #TimeWindow #RFC6238 #2FA #Weak2FA #MFA #WeakMFA #BruteForce
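A worked illustration of the time-window point in the post above, added here and not code from either poster: an RFC 6238 TOTP verifier that tolerates clock drift by accepting neighbouring time steps, plus a count of how many distinct codes such a verifier accepts at one instant. The key and timestamps are the RFC 4226/6238 test vectors; the function names and the `skew_steps` parameter are this example's own.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                skew_steps: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and for `skew_steps` steps on either side.

    This is the usual clock-drift tolerance; every extra step widens the set of
    codes that a single submission can match.
    """
    if len(candidate) != digits or not candidate.isascii():
        return False
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + delta, digits), candidate)
        for delta in range(-skew_steps, skew_steps + 1)
    )


def accepted_codes(secret: bytes, unix_time: int, skew_steps: int,
                   step: int = 30, digits: int = 6) -> set:
    """Distinct codes the verifier above accepts at this instant (normally 2*skew_steps + 1)."""
    current = unix_time // step
    return {hotp(secret, current + d, digits) for d in range(-skew_steps, skew_steps + 1)}


def random_guess_success(valid: int, attempts: int, digits: int = 6) -> float:
    """Probability that `attempts` unthrottled random guesses hit one of `valid` accepted codes.

    With `valid` = 1 and one attempt this is the 1-in-a-million figure; a wider
    window raises it, which is why the window and the attempt limit must be chosen together.
    """
    per_try = valid / 10 ** digits
    return 1.0 - (1.0 - per_try) ** attempts


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 SHA-1 test-vector key
    print(totp(key, 59), sorted(accepted_codes(key, 59, 1)))
    print(random_guess_success(1, 1), random_guess_success(3, 1))
```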
briankrebs__dup_6
@briankrebs__dup_6@infosec.exchange · Feb 23, 2026
A slick new phishing-as-a-service offering demonstrates just how easily a username+password and a one-time token can be phished. Dubbed "Starkiller," the service uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the victim and the legitimate site -- forwarding the victim's username, password and multi-factor authentication code to the legitimate site and returning its responses. https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/ #phishing #MFA #starkiller
