"The more effective approach to both risks is a focused pursuit of secure-by-default systems in the long term, and a focus on investment in engineering defenses such as unphishable credentials (like passkeys) and implementing multi-party approval for sensitive security contexts throughout production systems."
I'd say that basically means: no #Microsoft products.
Victim shows how easy it is to steal someone’s FNB bank payment card details and buy a tank of petrol in South Africa
This is actually not a very difficult hack, but what is really critical is to NEVER click on links that arrive by e-mail or SMS. Rather, note any reference/tracking number and go independently to the website via your browser and check it out if you ...continues
IT: Hello! This is Roger from IT. We've identified a problem with your Okta access and we need to replace your company Yubikey. We've already mailed you a replacement; return your old Yubikey in the box, which will have a return shipping label. Please write down your company email and Yubikey PIN on a sticky note and include it in the box so we can fully remove the old Yubikey from Okta. The delivery is scheduled for today so your work won't be impacted come Monday.
Social Engineering in Cybersecurity; Threats and Defenses by Gururaj H L & Janhavi V & Ambika V, 2024
In today’s digitally interconnected world, the threat landscape has evolved to include not just sophisticated technical exploits but also the art of human manipulation. The primary aim of this textbook is to provide a comprehensive and in-depth exploration of social engineering attacks.
@webmontagkiel and @evawolfangel did actually make it to Kiel. One train after me. The talk was really funny. Bottom line: every person, EVERY one, can become a victim of #phishing. #Retrööt (boosts) very welcome, re-uploading elsewhere not permitted! #Sketchnotes
I like how there are so many products and so much money spent on endpoint defense, malware detection, incident response, scanning of files, behavioral changes and signals and all that shit... but then companies end up losing millions to a simple phishing attack.
I'm doing the SC-200 by Microsoft, and I barely see things that talk about this
At #BSIKongress2024 the thesis was just put forward again that the biggest security vulnerability is the human. We finally need to move away from this view; with cars we don't say the biggest safety problem is that the skull is too thin, we mandate seatbelts and airbags.
The fact that most successful attacks happen via #Phishing & social engineering does not automatically mean that the employees are the problem, but rather that employees are too often put in situations where they are the company's only line of defence.
Google's passkeys, introduced in 2022, have become a popular and secure alternative to traditional passwords, having been used over 1 billion times across 400 million-plus Google accounts. Passkeys are unlocked with a fingerprint, face scan, or device PIN rather than a typed secret, which makes them faster to use and far more resistant to phishing than passwords, since there is no shared secret for a fake site to capture. Google plans to integrate passkeys into its Advanced Protection Program, strengthening security for high-risk users. Additionally, third-party password managers like Dashlane and 1Password can now store passkeys, further expanding their use. The technology is supported by major companies like eBay, Uber, PayPal, and Amazon, indicating a shift towards passkey-based authentication as a more secure and efficient method.
Once more with #Followerpower into the weekend! Toot/post your tip on IT security or data protection. A little food for thought for the weekend; maybe someone will take a nice idea or tip away with them. Feel free to point to projects with links and add a short description. Thank you! 🙏
@kuketzblog Give a #FIDO2 hardware token to yourself and your loved ones. It doesn't cost the earth and is currently the only thing that protects against #Phishing, and protects the secret as well.
🆕 blog! “Bank scammers using genuine push notifications to trick their victims”
You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department.
"Yeah, right!" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh.
"I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call."
Your phone buzzes. You tap the notification and this pops up on screen:
This is obviously a genuine caller! This is a genuine pop-up, from the genuine app, which is protected by your genuine fingerprint. You tap the "Yes" button.
Why wouldn't you? The caller knows your name and bank and they have sent you an in-app notification. Surely that can only be done by the bank. Right?
Right!
This is a genuine notification. It was sent by the bank.
You proceed to do as the fraud department asks. You give them more details. You move your money into a safe account. You're told you'll hear from them in the morning.
This is reasonably sophisticated, and it is easy to see why people fall for it.
1. The scammer calls you up. They keep you on the phone while...
2. The scammer's accomplice calls your bank. They pretend to be you. So...
3. The bank sends you an in-app alert.
4. You confirm the alert.
5. The scammer on the phone to your bank now has control of your account.
Look closer at what that pop-up is actually asking you to confirm:
"We need to check it is you on the phone to us."
It isn't saying "This is us calling you"; it is quite the opposite!
This pop-up is a security disaster. It should say something like:
Did you call us?
If someone has called you claiming to be from us hang up now
[Yes, I am calling Chase] - [No, someone called me]
I dare say most people would fall for this. Oh, not you! You're far too clever and sceptical. You'd hang up and call the number on your card. You'd spend a terrifying 30 minute wait on hold to the fraud department, while hoping fraudsters haven't already drained your account.
But even if you were constantly packet sniffing the Internet connection on your phone, you'd see that this was a genuine pop-up from your genuine app. Would that bypass your defences? I reckon so.
Criminals are getting increasingly good at this. Banks are letting down customers by having vaguely worded security pop-ups which they know their customers don't read properly.
And, yes, customers can sometimes be a little gullible. But it is hard to be constantly on the defensive.
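One way to model the redesigned prompt and the decision behind it, as an added example that is not code from the original post or from any bank's app. It replays the five-step attack above against a prompt that asks the direction-of-call question the post proposes, and additionally checks the customer's answer against the telephony system's own record of whether the agent's call was inbound. The class names, the `agent_call_is_inbound` flag, the action text and the request IDs are assumptions for illustration.

```python
"""Direction-aware push confirmation for phone-banking identity checks.

Added example, not code from the original post or from any bank's app. The
scenario is the one the post describes: a customer on the phone with a scammer,
while the scammer's accomplice has phoned the bank pretending to be the
customer. The names, enums and decision rules are assumptions chosen to show
one way of designing the prompt so that a truthful answer from the victim
fails closed.
"""
from dataclasses import dataclass
from enum import Enum


class CallDirection(Enum):
    """Who placed the call that the in-app check is about."""
    CUSTOMER_CALLED_BANK = "customer_called_bank"
    SOMEONE_CALLED_CUSTOMER = "someone_called_customer"


@dataclass(frozen=True)
class PushPrompt:
    """What the app shows. Every field is bound to the request the agent made."""
    request_id: str
    agent_id: str
    action: str          # the concrete thing approval will authorise
    question: str
    yes_label: str
    no_label: str


@dataclass(frozen=True)
class Decision:
    verified: bool
    raise_fraud_alert: bool
    reason: str


# The vague wording the post criticises (quoted from the post, for contrast).
VAGUE_TEXT = "We need to check it is you on the phone to us."


def build_prompt(request_id: str, agent_id: str, action: str) -> PushPrompt:
    """Build the direction-aware prompt the post proposes instead of VAGUE_TEXT."""
    return PushPrompt(
        request_id=request_id,
        agent_id=agent_id,
        action=action,
        question=("Did you call us? If someone has called you claiming to be "
                  f"from us, hang up now. Approving will: {action}."),
        yes_label="Yes, I am calling the bank",
        no_label="No, someone called me",
    )


def evaluate(prompt: PushPrompt, answer: CallDirection,
             agent_call_is_inbound: bool) -> Decision:
    """Decide whether the agent's caller is verified.

    agent_call_is_inbound (assumed field): the telephony system's record of
    whether the agent is on a call the caller dialled in (True) or an outbound
    call the bank placed (False). App verification is only granted when both
    the customer and the phone system agree the customer initiated the call.
    """
    if answer is CallDirection.SOMEONE_CALLED_CUSTOMER:
        # Exactly the post's scenario: the person on the line with the customer
        # is not the bank, while someone else is on the line with the agent.
        return Decision(False, True,
                        f"{prompt.request_id}: customer reports an unsolicited "
                        f"call; treat agent {prompt.agent_id}'s caller as an "
                        "impostor and block the action")
    if not agent_call_is_inbound:
        # Customer says they dialled in, but the agent placed an outbound call.
        # The records disagree, so do not verify over this channel.
        return Decision(False, True,
                        f"{prompt.request_id}: direction mismatch between "
                        "customer answer and telephony record")
    return Decision(True, False,
                    f"{prompt.request_id}: inbound caller verified for "
                    f"'{prompt.action}'")


def scam_scenario() -> Decision:
    """Replay the post's attack with the redesigned prompt (constructed input)."""
    # Accomplice dials the bank (an inbound call for the agent) and asks for a
    # high-value action; the agent triggers the push to the real customer.
    prompt = build_prompt("req-0001", "agent-17",
                          "move your balance to a new account")
    # The customer, coached by the scammer who called them, reads the
    # question and answers truthfully: someone called me.
    return evaluate(prompt, CallDirection.SOMEONE_CALLED_CUSTOMER,
                    agent_call_is_inbound=True)


if __name__ == "__main__":
    d = scam_scenario()
    print(d.verified, d.raise_fraud_alert, d.reason)
```

The point of binding the action text into the prompt is that "confirm it's you" authorises nothing in particular, whereas "approving will: move your balance to a new account" gives the customer something concrete to refuse; the direction question then turns the victim's honest answer into a fraud signal instead of an approval.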
@Edent If you call Bank of America, they will verify you using a code sent by SMS that contains, “DO NOT share this Sign In code.”
I’ll confirm with the agent that they’re asking for the one that says under no circumstances am I to share with anyone, and they reply cheerfully, “yeah that’s the one.” 🤦♂️