@fifonetworks : it's a taboo. Nobody really wants to accept that infosec is extremely hard, and most are in denial that they're at bigger risks than they think they are.

We (security people) often come up with a bunch of measures without explaining why they are a good idea, what side effects they have and which risks are not covered at all.

Here's one example: "use 2FA".

WEAK MFA
• Why use 2FA/MFA in the first place? Because most people use (and reuse) extremely weak passwords. 2FA does not _SOLVE_ *that* problem.

• SMS and voice are a bad idea anyway because of the risks of telephone "line" interception, call redirects or "SIM-swaps" (i.e. a miscreant hijacks your phone number).

• Many TOTP apps suck or sucked (see https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan by Conor Gilsenan
@conorgil et al. in https://infosec.exchange/@conorgil/109542074585730853). A *lot* of people lost access to their accounts because Google Authenticator would not make backups of the underlying secrets, which people found out about after their phone died or was stolen. Authy in particular is bad (in Dutch: https://tweakers.net/nieuws/207532/#r_18549330).

Effectively TOTP apps make people use a second password (unique for each website-account) that, supposedly, they do not have to remember, nor are they made aware that therefore (secure!) backups are a necessity. If those secrets are simply stored in their cloud-accounts, without encryption using an *independent* password, then they offer an extremy overestimated level of protection (it's mostly security by obscurity in such a case).

• None of the regular 2FA/MFA solutions protect against "evil proxies" (like those based on EvilGinx2) often provided by PhaaS (Phishing as a service) providers, used by a rapidly increasing number of attackers - as acknowledged by Microsoft in 2019 (link + details in https://infosec.exchange/@ErikvanStraten/112974991373414022 - whose marketeers, IMO misleading, still love to tell anyone that they should use Microsoft Authenticator).

STRONG MFA
Strong MFA (such as provided by passkeys and hardware keys) eliminates the *human* vulnerability of not knowing whether a given domain name belongs to the apparent (easily impersonated) owner of a website.

However, an increasing number of mis-issued certificates (this week, for potentially all of the .mobi TLD: https://arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have/; some earlier attacks: https://infosec.exchange/@ErikvanStraten/112914050216821746) means that passkeys and hardware keys are *not* as phishing-resistant as marketeers like us to believe.

That apart from the fact that passkeys and hardware keys are *not at all* without other issues.

PHISHING
There are roughly two types of phishing:

1) Where the user shares information with a website of an owner they believe to have interacted with before, or

2) Where they share personal info with, and/or pay money to, a website of an owner who is "new" to them (like a webshop that they've never done business with before).

Of course, 2FA/MFA do not help at all in case 2 (example in https://infosec.exchange/@ErikvanStraten/112988945087291542).

IMO it is impossible to teach most people to reliably distinguish between fake and real on the internet (this is not only *my* opinion: https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html).

The common "instructions" to distinguish between fake an real websites are totaly unreliable, like "check for typos" or use a site like scamadvisor. There are way too many false positives *and* false negatives, while cybercriminals have an easy job to evade all such criteria. It should not be a requirement to be a forensics expert to safely use the internet.

INTERNET IS TOO INSECURE
We need to fix the internet first before we bother people with (currently unreliable) measures (typically without pointing out remaining or new risks).

FIX
Big tech have turned certificates into something comparable to passports that only show a totally meaningless SSN (Social Security Number). Which is why cybercrime is booming on the internet (for example, look at the approx. 1500 domain names listed below "Website data" in https://www.scamadviser.com/check-website/href.li).

Fix: see https://infosec.exchange/@ErikvanStraten/113079966331873386.

EXAMPLE
See the images below. When tapping "Scan", Chrome on my Android phone goes full screen and scans C:\Users\ (among others). Eventually it advised me to download "t4gf8h.zip" (https://www.virustotal.com/gui/file/0858ecedb7bfa0c148cd2ed282cd0dc7e11beee5c00fccebc4eb9f98094a7a67/summary).

FAKE VS REAL (AUTHENTIC)
Even strong MFA/2FA does not help. How are (non-nerd) Windows users supposed to know that this is *NOT* a McAfee website and *NOT* a McAfee virus scanner, with currently (according to VT, which may not be 100% correct, but -in my experience- provides a good indication) is detected by only 7/67 scanners?