Professional Documents
Culture Documents
OWASP Dallas: Unspoofable Anti-Phish Codes
OWASP Dallas: Unspoofable Anti-Phish Codes
*https://www.statista.com/statistics/266161/websites-most-affected-by-phishing/
Why Phishing Works in Practical World?
● It is a numbers game – Probability –0.01% but
population set >> millions
+
My Little Password
We are secure!
Welcome Advanced 2FA Phishing Automation
KEYLOGGER
MAN-IN-MIDDLE PHISHING OVER-THE-SHOULDER
MALWARE
How it Works: Account Takeover
Account takeover after victim follows phishing link with current 2-factor authentication
Regular Token Scenario
Man-in-Middle
Victim Proxy Server Authentication Server
SCENARIO B
Simulate This
Snoop on Victim Uses the Snooped Passcodes
Passcodes (Step 1) to Login (Step 2) Authentication Server
Time for a Hack!
Let’s Play ...
Account takeover through stolen credentials with anti-phishing codes
Bearer-Agnostic
UberPasscodes®
Victim
Authentication Server
Requests Login Page Proxies Login Request
Man-in-Middle
Victim Proxy Server Authentication Server
SCENARIO B
Simulate This
Snoop on Victim Uses the Snooped Passcodes
Passcodes (Step 1) to Login (Step 2) Authentication Server
How it Works: No Account Takeover
Anti-Phish Codes Prevent Account Takeover
UberPasscodes Scenario
UberPasscodes®
Victim
Authentication Server
Requests Login Page Proxies Login Request
Thus no account-take-overs
UberPasscodes® vs. FIDO2
Authentication No Changes to
No Capex No Changes
Verification Control Existing Federated & Quantum-safe? to Existing
(autonomous) Single Sign On (SSO) Applications
s
No- Needs
No, Relies on end-
Needs custom retrofits substantial
Fido U2F/A No user’s authenticator Vulnerable
software
trust/agent
changes
Summary Anti-Phish Codes
BY DESIGN
User cannot go to a phishy website and lose credentials
info@uberpasscodes.com
T: 1-(888)-240-8461
info@uberpasscodes.com
https://uberpasscodes.com/