zbigniew November 9, 2022 10:16 AM

This is nothing new. Social engineering can be used to penetrate almost anything that requires user interaction.

Yet another PEBCAK issue.

That said, a useful reminder that technical solutions don’t necessarily solve non-technical problems.

Günter Königsmann November 9, 2022 11:37 AM

I don’t like calling something like this PEBCAK: if the problem is called “stupid users” it’s hard to improve phishing resistance on the machine side, and in many 2-factor systems one can see that even if user interaction is part of the phishing process it might not be the only factor that makes phishing easy.

Clive Robinson November 9, 2022 12:41 PM

@ ALL,

Re : Show me the money path.

The opening paragraph of Roger Grimes’ article should be read with a degree of caution,

“Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on.”

Whilst the single sentence paragraph is “true” it’s also “false”.

Because it is not “human societies” but “individuals with intent” pushing a view point beneficial to them.

These individuals by and large are crooks, no matter which side of the fence they sit.

That is one side is exploiting “actual security systems” for illicit gain.

Whilst the other side is exploiting the masses by pushing the known to be defective “actual security systems” for illicit gain.

“Who is to blame for the insecurity that blights human society currently?”

Well it’s safe to say it is not the generalised “human society” who are in effect the long suffering audience to the “drama” by the players on stage on both sides of the curtain.

The simple fact is,

1, All actual security systems are deficient by design.

Having designed many security systems in my time I know this to be a matter of fact not fiction. The only real question is,

2, Deficient by accident or intent?

Again I know from long experience it’s actually mostly by intent.

We quite deliberately design insecure security systems and blame the would be victims by such quips as,

3, People will not pay for security.

However the consumer having never been offered easily improved security at equitable pricing,

4, People have never been given the opportunity to “vote with their wallets”.

5, Nor will they ever be, due to the business model pushed by those who control the market.

That is to keep the market going indefinitely, security products that are known to be defective, and effectively the next lowest hanging fruit to attackers are sold at premium pricing. Knowing that within 18 months the systems will fail and thus need to be upgraded at increased premium pricing.

This is the sort of nonsense that appeared in the 1900s in all unregulated markets. The most notable in terms of information available is “The lemon market” of consumer transportation. The entire US Auto-industry was on a downward spiral of steadily increasing “lipstick on a pig” vehicles that were causing rising road fatalities… Effectively “Death on the instalment plan”. It was not, I should note, just the US where this was happening, it’s just in the US it was more hideously obvious.

The actual point of origin for automobile safety regulation is to a certain extent clouded in history. Some claim it came about due to the Japanese and their light weight less fuel guzzling designs.

But looking back it shows clearly that safety regulation forced the market to change. It allowed for engineering innovation to gain a meaningful part of the design process. With efficiency regulation added the old “Lemon Car” market died.

The important point is not that regulation saved lives and reduced carbon footprint, but it also saved the auto-industry and importantly reinvigorated the engineering behind all vehicles, thus allowing “profit” to be made by innovation improving utility rather than the “dumbing down” self defeating downward spiral where profit could only be made via designing out safety, reliability and much more besides.

Regulation is feared by “fly by night” profit takers, who see no value in increasing utility by innovation. They actually see it as “stealing money from their pocket” because sustainability is also seen as bad by them because it limits the chaos they engender to make their profit (so called “hidden hand”).

To a certain extent regulation should be welcomed as it enables things to move forward sensibly and safely. The problem is as our technologies become more complex then so does the regulation to keep up with it.

This is frequently portrayed by the “fly by nights” as increasing unnecessary cost etc. However I guess asking the friends and relatives of those that died on the Boeing Aircraft –where software needlessly flew the aircraft into the ground– might give a rather different opinion.

Nobody who can think about legislation and regulation for a few minutes would argue that they are always good. Often when it comes to societal issues they are so far behind the times that they are positively detrimental for “political” reasons.

One of the advantages of non societal issues that science and technology mainly fall under is that it is easily possible to have non-political legislation and regulation. Overly simply you decide what needs to be regulated and then make the regulation based on standards. The problem is then stopping “Regulatory Capture” by the “fly by nights”…

But what we need in “actual security system” design is regulation by well developed and proof based standards. Otherwise we will just perpetuate the useless, bottomless, money pit that the market currently is.

Ted November 9, 2022 3:34 PM

In another article Roger estimates that 90% of MFA is overly susceptible to easy phishing. This would include SMS and voice-based MFA, one-time passwords, and push notifications.

In fact, he says one pen tester laughs when he hears a client has push notifications. He knows exactly how he is going to get in. 3 out of 5 people just hit approve.

I don’t know where the term phishing-resistant came from. But it’s in the government’s Federal Zero Trust Strategy released in January 2022.

I like Roger’s approach of proposing threat modeling and education for everyone. If I was in charge of anyone’s authentication I think I would enjoy reading Roger’s book.

Chris Adams November 9, 2022 6:48 PM

I agree that it’s useful to consider the bounds of what a particular system can deliver but I think this post would be more effective with additional editing. It would in particular be useful to talk about specific systems and especially to spell out what is actually in scope for most of them — for example, if a user’s activity is compromised because the application they’re using is hosted on compromised infrastructure that has nothing to do with the MFA system and while it’s not without any value to recognize that it really has to be in the broader “there is no one single bullet which solves all problems” rather than presenting it as an MFA issue.

Similarly, the “Fake Successful Login” attack is an example of how a phishing campaign can be convincing but it has a different target. It’s well worth considering but it feels confusing to list it here without recognizing how it’s unlike the other scenarios discussed.

The one I would focus the most attention on is the reset / support flow since that’s a very hard problem. Most organizations will see significant, immediate security improvements from adopting WebAuthn but that only works if the attackers can’t talk someone into downgrading or disabling it which has a certain robustness risk.
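A defender-side check for the two patterns this thread raises (push-approval fatigue in Ted’s comment, and the WebAuthn downgrade via the reset/support flow that Chris describes), added here as an example and not code from the post or any commenter; the log format, event names, factor list and thresholds are my own assumptions and the log lines are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not from any real product); assumed format:
# <ISO timestamp> user=<id> event=<name> [factor=<name>]
SAMPLE_LOG = """\
2022-11-09T10:00:05 user=alice event=push_sent
2022-11-09T10:00:40 user=alice event=push_denied
2022-11-09T10:01:10 user=alice event=push_sent
2022-11-09T10:01:55 user=alice event=push_sent
2022-11-09T10:02:30 user=alice event=push_approved
2022-11-09T11:00:00 user=bob event=push_sent
2022-11-09T11:00:20 user=bob event=push_approved
2022-11-09T12:15:00 user=carol event=factor_removed factor=webauthn
2022-11-09T12:15:30 user=carol event=factor_enrolled factor=sms
"""
PHISHABLE = {"sms", "voice", "totp", "push"}  # factors the thread calls easily phished

def parse(log):
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        e = dict(p.split("=", 1) for p in kv)
        e["ts"] = datetime.fromisoformat(ts)
        events.append(e)
    return events

def push_fatigue(events, min_prompts=3, window=timedelta(minutes=5)):
    # Flag users who approved a push after >= min_prompts prompts within `window`.
    flagged, sent = set(), defaultdict(list)
    for e in events:
        u = e["user"]
        if e["event"] == "push_sent":
            sent[u].append(e["ts"])
        elif e["event"] == "push_approved":
            recent = [t for t in sent[u] if e["ts"] - t <= window]
            if len(recent) >= min_prompts:
                flagged.add(u)
    return sorted(flagged)

def factor_downgrade(events, window=timedelta(hours=1)):
    # Flag users whose WebAuthn factor was removed and a phishable one enrolled soon after.
    flagged, removed = set(), {}
    for e in events:
        u = e["user"]
        if e["event"] == "factor_removed" and e.get("factor") == "webauthn":
            removed[u] = e["ts"]
        elif e["event"] == "factor_enrolled" and e.get("factor") in PHISHABLE:
            if u in removed and e["ts"] - removed[u] <= window:
                flagged.add(u)
    return sorted(flagged)
```

Both checks are meant as alert triggers for review, not automatic lockouts; a single approval after one prompt (bob) is left alone.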

ResearcherZero November 10, 2022 3:45 AM

If you know the diet and the habitat of the fish, there is a likelihood it may be caught.

Francis Louis Mayer November 10, 2022 9:41 PM

I read Clive Robinson’s comment and it is spot on. It is idiotic that the information technology infrastructure is not hardened like a rock by deep dive software assurance with strict and highly enforced standards. I watched as Ralph Nader and other leaders forced the automotive industry to make the vehicles safe and roadworthy by design through forcing the issue. Why should the user be required to figure out what is good and what is not? The scammers always study the training and tactics of defense and then figure a way around it so that any amount of training will never be good enough. What has to happen is deep hardening and deep well thought out inherent design mechanisms to crush all attacks in a manner that does not require the users to figure out all these little details to be safe. Email systems are still crap. The systems should by design prohibit links from being able to do anything or to elevate privileges in any way. Crappy security involves theatrics and machinations that the users need to do to be secure. Real security is effective and invisible to the users, public, and the attackers. It can be done but it takes political will and a big hammer to force the issue. If drivers on our highways were told, “look you need to learn all these tactics to avoid these land mines that we allow people to bury in the roads or you will die” the public would be outraged and be coming with pitchforks and torches for the political and governmental leaders. The lousy state of security where robust security and resiliency is not being actually engineered in is totally unacceptable and stupid.
