@rmondello the goal of this campaign is stealing & selling credit card details, which is highly profitable for scammers.

iirc, requiring 2FA is coming as an option, however the compromised accounts look like accounts that wouldn't bother with 2FA (based on the data I have available), so they probably wouldn't bother with passkeys either unless passkeys were the only authentication mechanism, and well, that's a terrible idea for a variety of reasons, and would disproportionately affect marginalized people

@thisismissem : we need browsers to show users all known details about a website, full page with (links to) explanations, right after setting up the https connection and verifying the certificate, but BEFORE loading content - if this is the first time the user visits the website (or if there were possibly relevant changes).

The less the browser can tell the user about the identity of the person (or organization) responsible for the website, the bigger the risks for the user when supplying personal information, credit card details or creating an account (passkeys, which have other disadvantages, are indeed useless in such cases).

More info in this thread: https://infosec.exchange/@ErikvanStraten/114886335722813414 (or ask me to elaborate again).

@rmondello

#SaferInternet #Phishing #InfoSec