undefined | Better HN

0 pointsdogman1442y ago0 comments

There’s more to phishing threat models than strictly credential theft, as you seem to imply.

If passkeys are around, phishing will certainly still exist, and shift to dropping malware on endpoints or w/e vs going after logins

0 comments

brabel2y ago

I don't think you know what phishing means. By "dropping malware on endpoints" I think you mean having a website serving malware? That's not phishing. For an attack to be "phishing", the website needs to be pretending to be some other website that the user trusts. Passkeys completely prevent the user from logging in to another website than the one they've created an account with.

Your attack only works on people who basically "trust any website" at all. For those, yeah there's no salvation.

dogman144OP2y ago

I’m a security engineer, I’m pretty fluent on the topic. And phishing comes in beyond the methods you describe -> malicious attachments downloaded, etc etc.

brabel2y ago

I do agree but in this discussion we're talking about the general problem of logging in to a website. That's the case where phishing is the most devastating. Solving that problem is a huge step in making people's online lives more secure. Just because we didn't solve all problems, doesn't mean we shouldn't solve what we can solve. If you're a security engineer, it's your job to promote ways for people to be more secure online. And this is what I am trying to do myself.

1 more reply

j / k navigate · click thread line to collapse

0 comments

brabel2y ago

Your attack only works on people who basically "trust any website" at all. For those, yeah there's no salvation.

dogman144OP2y ago

I’m a security engineer, I’m pretty fluent on the topic. And phishing comes in beyond the methods you describe -> malicious attachments downloaded, etc etc.

brabel2y ago

1 more reply

j / k navigate · click thread line to collapse