← Back to context

Comment by cataflam

3 months ago

Hey, you're doing an exemplary response, transparent and fast, in what must be a very stressful situation!

I figure you aren't about to get fooled by phishing anytime soon, but based on some of your remarks and remarks of others, a PSA:

TRUSTING YOUR OWN SENSES to "check" that a domain is right, or an email is right, or the wording has some urgency or whatever is BOUND TO FAIL often enough.

I don't understand how most of the anti-phishing advice focuses on that, it's useless to borderline counter-productive.

What really helps against phishing :

1. NEVER EVER login from an email link. EVER. There are enough legit and phishing emails asking you to do this that it's basically impossible to tell one from the other. The only way to win is to not try.

2. U2F/Webauthn key as second factor is phishing-proof. TOTP is not.

That is all there is. Any other method, any other "indicator" helps but is error-prone, which means someone somewhere will get phished eventually. Particularly if stressed, tired, or in a hurry. It just happened to be you this time.

Good luck and well done again on the response!

32 comments

cataflam

Reply
graemep  3 months ago

> NEVER EVER login from an email link. EVER

Login using one off email links (instead of username + password) is increasingly common which means its the only option.

  • cataflam  3 months ago

    In that case

    1. You just requested it, I'm not saying to never click link on transactional emails you requested. You still need to click on those verify email links

    2. It replaces entering your password, so you're not entering your password on a link from an email, which is the very wrong thing.

  • hirako2000  3 months ago

    At least you've requested that email, to be able to login. The timing chance for a phishing mail to come here and there is insignificant. OP is referring to communications that are one way street, the (pseudo) organisation to you.

diggan  3 months ago

Or you know, get a password manager like the rest of us. If your password manager doesn't show the usual autofill, since the domain is different than it should, take a step back and validate everything before moving on.

Have the TOTP in the same/another password manager (after considering the tradeoffs) and that can also not be entered unless the domain is right :)

  • SchemaLoad  3 months ago

    I feel like it's extremely common for the autofill to not work for various reasons even when you aren't being phished. I have to manually select the site to fill fairly often, especially inside apps where the password manager doesn't seem to match the app to the website password.

    Passkeys seem like the best solution here where you physically can not fall for a phishing attack.

    • vaylian  3 months ago

      > I feel like it's extremely common for the autofill to not work for various reasons even when you aren't being phished.

      This is how Troy Hunt got phished. He was already very tired after a long flight, but his internal alarm bells didn't ring loud enough, when the password manager didn't fill in the credentials. He was already used to autofill not always working.

      1 reply →

    • diggan  3 months ago

      > I feel like it's extremely common for the autofill to not work for various reasons even when you aren't being phished

      I dunno, it mostly seems to not work when companies change their field names/IDs, or just 3rd party authentication, then you need to manually add domains. Otherwise my password manager (1Password) works everywhere where I have an account, except my previous bank which was stuck in the 90s and disallowed pasting the passwords. If you find that your password manager doesn't work with most websites (since it's "extremely common") you might want to look into a different one, even Firefox+Linux combo works extremely well with 1Password. Not affiliated, just a happy years+ user.

      > Passkeys seem like the best solution here where you physically can not fall for a phishing attack.

      Yeah, I've looked into Passkeys but without any migration strategy or import/export support (WIP last time I looked into it), it's not really an alternative just yet, at least for me personally. I have to be 100% sure I can move things when the time ultimately comes for that.

      2 replies →

  • cataflam  3 months ago

    I mostly agree and I do use one.

    You only need read the whole thread however to see reasons why this would sometimes not be enough: sometimes the password manager does not auto-fill, so the user can think it's one of those cases, or they're on mobile and they don't have the extension there, or...

    As a matter of fact, he does use one, that didn't save him, see: https://news.ycombinator.com/item?id=45175125

    • eviks  3 months ago

      > sometimes the password manager does not auto-fill

      So pick one that does? That's like its top 2 feature

      > he does use one

      He doesn't since he has no autofill installed, so loses the key security+ convenience benefit of automatch

      13 replies →

  • FooBarWidget  3 months ago

    I wish it's that easy. 1Password autofill on Android Chrome broke for me a month ago. Installed all updates, checked settings, still nothing. Back to phishing prone copy paste.