2025-10-14 01:15:39
Researchers detail "Pixnapping", a new covert attack to steal 2FA codes and other private data on Android; Google's September patch only partially mitigates it (Dan Goodin/Ars Technica)
https://arstechnica.com/security/2025/
It's finally Friday but don't head out for the weekend until you check out today's Metacurity for the top infosec developments you should know, including
--UK ICO fines LastPass $1.6 million over 2022 data breach,
--Cybercrims impersonate cops to get sensitive data on users,
--Throwaway phone numbers undercut SMS 2FA,
--Chinese inverters threaten the power grid,
--Second Irish HSE attack revealed,
--Irish Justice Minister apologizes for gaffe ov…
@… Maybe I misunderstood the question. If it is about a second device for 2FA, that is not necessary; the 2FA app can also run on the same device.
»Cybercrime — Millions of Payback accounts vulnerable:
Cybercriminals are apparently currently exploiting a weakness in Payback's security concept to steal customer data and bonus points«
The real question is: why do popular app services still not use Argon2 & co. for password hashes, still store e-mail addresses in plaintext, and still not offer e.g. 2FA / passkeys?
📺
@… it doesn’t do 2FA with GHA, fwiw 😅
#infosec
They've mindlessly set it to be a password entry field so it can't be seen, but the 2FA app I'm copying the code from displays it in a nice large font.
They're checking the box for the sake of checking the box, not because it adds any security.
But at least it's inconvenient for all the users, so the policy has that going for it.
Security annoyance of the day: Mandatory 2fa that then gives you an option to trust a device for the next 7 days.
Frequent enough to be annoying, but lacks the e.g. anti-phish protections of doing it every time. Worst of both worlds.
@… Ah, if you have no internet while on the go, you don't need 2FA either – problem solved ;-)
#infosec annoyance of the day - I use a tool for work that requires me to put in a rolling one-time code for 2fa, and doesn't show the code as I'm typing it.
That would be ok, except if I switch apps to copy the code so I can paste it in, it usually forces me to re-enter my username and password, then even though I'm in the 30 second validity window, it refuses the code.
So I have to wait till the 30 seconds roll over, copy the code, switch to the tool, re-enter my username/password, hope it doesn't take so long to negotiate with the back end that the code in my clipboard expires, then finally paste the code.
Conveniently I only have to do it multiple times a day, every work day.
@… I wouldn’t expect so (but I couldn’t say 100%). Sounds like you made a config error somewhere? I locked down npm publishing access to require 2FA and disallow tokens and deleted my tokens from GitHub Settings too — I’d also check your Actions yml to make sure the token isn’t being used there
Ask a SaaS product what backup solutions they use and if they store it at a different company, you get nothing, no reply.
#hanko #HankoAuth #SaaS
Please have faith in Bezos
Shame…
@… In my experience that is often implied, but it is not necessary. As I said, I have never had a smartphone. For 2FA (SWITCH edu-ID, Microsoft and GitHub) I use Step Two on the Mac, without a separate mobile device.
Like all the rest of the nerds, I did a bit of tech support on family computers.
They're all popping up windows from scam virus scanners lying that subscriptions need to be renewed or machines are unprotected. People don't know how to remove these things. Luckily they also don't really know how to pay the subscription.
Their phones are updating on them. Changing where buttons used to be. Removing options. Forcing people to register to use the things they have been doing for years.
They don't know how to register.
Things pop up asking for passwords and they have no idea who is asking or which password to use.
I tell them that I don't really understand why they keep using Windows now it is so shitty and awful. They say they don't know how to use anything else. The fact they don't really know how to use windows either doesn't seem to register.
The tech corporations have given up completely on being user friendly. They are all deliberately user hostile and exploitative now.
Corporate tech is terrible. The industry is failing its users, abusing them. People don't even know there is any other way. They are just giving up on achieving their tasks until someone can fix the pop-ups and subscription boxes and passwords and 2FA for them.
Tech sucks now. Sucks hard.
#tech #christmasTechSupport
SMS 2FA: exists
Me: paying just to login to banks😭
X plans to retire the Twitter.com domain, prompting users to re-enroll their security keys for 2FA, and will lock accounts that are not updated by November 10 (Will McCurdy/PCMag)
https://www.pcmag.com/news/using-a-security-key-on-x-re-enroll…
What is a "fake e-mail address"? And how does 2FA protect against third parties opening an account using one's own home address?
https://www.srf.ch/sendungen/kassensturz-espresso/espresso/sicherheit-im-onlineshop-…
Oh, fun, apparently it’s impossible to log in to Porkbun on Firefox if you have a passkey registered, even if you’re using the password and also have TOTP 2fa enabled