#958: The 2FA Fallacy: Why Your Security Shield is Cracking

Think your accounts are safe because of 2FA? We dive into the rise of session hijacking and why SMS codes are no longer enough to stop hackers.

Episode Details
Duration: 30:58
Pipeline: V4
TTS Engine: chatterbox-regular

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

For a long time, the prevailing wisdom in cybersecurity was simple: enable two-factor authentication (2FA) and your accounts are safe. However, the landscape of 2026 has proven that 2FA is not a binary switch between "vulnerable" and "secure," but rather a spectrum of protection. As passwords become increasingly easy to acquire through massive data breaches, attackers have shifted their focus toward the second factor itself. Today, the majority of enterprise breaches involve session hijacking—a technique that bypasses the need for a password altogether.

The Rise of Reverse Proxy Phishing

The most significant threat to modern authentication is the "Adversary in the Middle" (AitM) attack. Using tools like Evilginx or EvilProxy, attackers no longer need to build fake websites that merely harvest passwords. Instead, they act as a transparent bridge between the user and the legitimate service: when a user enters their credentials on the proxy site, the attacker relays that information to the real server in real time.

The real server then triggers a 2FA prompt, which the user completes, thinking the process is legitimate. Once the login is successful, the attacker intercepts the "session cookie"—the digital token that keeps a user logged in. With this cookie, an attacker can hijack the session indefinitely without ever needing to see the user’s password or 2FA code again.

The Fragility of SMS and SS7

Despite its widespread use, SMS-based authentication remains the least secure tier of 2FA. This is due to two primary vulnerabilities: SIM swapping and the aging SS7 protocol. SIM swapping relies on social engineering to trick mobile providers into porting a phone number to an attacker’s device.

More concerning is the vulnerability of Signaling System Number 7 (SS7), a global routing protocol designed in the 1970s. Because SS7 was built on a foundation of trust between telecommunications companies, it lacks modern encryption. Sophisticated actors can exploit this to reroute SMS traffic globally, intercepting authentication codes without the user ever knowing their security has been compromised.

Psychological Warfare: MFA Fatigue

When technical bypasses are not an option, attackers turn to psychological manipulation known as "MFA bombing" or push notification fatigue. By bombarding a user’s device with dozens of login approval requests in the middle of the night, attackers exploit human nature. Eventually, a user may tap "approve" just to stop the noise or by accidental reflex while clearing notifications.
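The push-fatigue pattern described above is easy to spot in an identity provider's audit trail once you look for it: one user, a burst of prompts in a short window, mostly denied or timed out, and sometimes a single approve at the end. The following is an added example, not code from the podcast or from any vendor; the log format and the user names are constructed for illustration, and the window and threshold are assumptions a defender would tune to their own environment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SamplePushLog is a constructed identity-provider audit extract: one push
// prompt per line. "alice" is hit with a burst of prompts at 3 a.m. and
// finally approves; "bob" has two ordinary logins hours apart.
const SamplePushLog = `
2026-02-03T03:12:04Z user=alice result=deny
2026-02-03T03:12:19Z user=alice result=deny
2026-02-03T03:12:41Z user=alice result=timeout
2026-02-03T03:13:02Z user=alice result=deny
2026-02-03T03:13:27Z user=alice result=deny
2026-02-03T03:13:55Z user=alice result=deny
2026-02-03T03:14:12Z user=alice result=deny
2026-02-03T03:14:30Z user=alice result=approve
2026-02-03T09:00:11Z user=bob result=approve
2026-02-03T17:30:48Z user=bob result=approve
`

// PushEvent is one parsed prompt record.
type PushEvent struct {
	When   time.Time
	User   string
	Result string // deny, timeout or approve
}

// Finding is one suspected MFA-fatigue burst for a user.
type Finding struct {
	User            string
	Prompts         int
	WindowStart     time.Time
	WindowEnd       time.Time
	ApprovedInBurst bool // an approve landed inside the burst: treat as compromise
}

// ParsePushLog parses lines of the form "<RFC3339> user=<name> result=<r>".
func ParsePushLog(raw string) ([]PushEvent, error) {
	var events []PushEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[1], "user=") || !strings.HasPrefix(f[2], "result=") {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, PushEvent{When: ts, User: f[1][len("user="):], Result: f[2][len("result="):]})
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	return events, nil
}

// DetectFatigue slides a time window over each user's prompts and reports the
// densest window that reaches threshold. A run of denies or timeouts is an
// attacker retrying a stolen password against the push factor; an approve
// inside the burst is the moment the user gave in, and any session created
// at that point should be revoked.
func DetectFatigue(events []PushEvent, window time.Duration, threshold int) []Finding {
	byUser := map[string][]PushEvent{}
	for _, ev := range events {
		byUser[ev.User] = append(byUser[ev.User], ev)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order
	var findings []Finding
	for _, u := range users {
		evs := byUser[u]
		var best Finding
		start := 0
		for end := range evs {
			for evs[end].When.Sub(evs[start].When) > window {
				start++
			}
			if n := end - start + 1; n >= threshold && n > best.Prompts {
				best = Finding{User: u, Prompts: n, WindowStart: evs[start].When, WindowEnd: evs[end].When}
				for _, e := range evs[start : end+1] {
					if e.Result == "approve" {
						best.ApprovedInBurst = true
					}
				}
			}
		}
		if best.Prompts > 0 {
			findings = append(findings, best)
		}
	}
	return findings
}

func main() {
	events, err := ParsePushLog(SamplePushLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DetectFatigue(events, 10*time.Minute, 5) {
		fmt.Printf("%s: %d prompts between %s and %s, approved=%v\n",
			f.User, f.Prompts, f.WindowStart.Format(time.RFC3339), f.WindowEnd.Format(time.RFC3339), f.ApprovedInBurst)
	}
}
```

Run as-is, the program reports alice's eight prompts in under three minutes with an approve inside the burst and nothing for bob. The sliding window rather than a fixed bucket matters: a burst that straddles a clock boundary still counts, and the "approve inside burst" flag is the signal worth paging on, since it usually means a session has just been issued to the attacker.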

Moving Toward Robust Security

The transition away from these vulnerabilities requires a move toward more resilient methods, such as number matching and hardware security keys. Number matching forces a user to enter a specific code displayed on the login screen into their authenticator app, breaking the cycle of mindless approvals. As the "authentication gap" between users and servers continues to be a primary target for hackers, the focus must shift from simply having 2FA to ensuring it is implemented through methods that cannot be easily intercepted or exhausted.
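The reason a hardware security key survives the reverse-proxy attack described under "The Rise of Reverse Proxy Phishing", while codes and push prompts do not, is origin binding: the browser derives the relying-party ID from the page's own domain, the authenticator only holds credentials scoped to the domain they were registered under, and the server verifies that the origin and relying-party hash are inside the signed data. The following is an added, deliberately reduced model of that FIDO2/WebAuthn exchange, written for this page and not taken from any authenticator, browser or server implementation; the domain names, the fixed challenge string and the trimmed-down authenticator data are constructed assumptions, and real WebAuthn carries more fields (flags, signature counter, credential IDs) than shown here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Authenticator models a hardware key: each key pair is scoped to the
// relying-party ID (rpId) it was registered under and to nothing else.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }

// Register mints a P-256 key pair for rpID and returns the public half,
// which the relying party stores against the user at enrolment.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// clientData carries the clientDataJSON fields that matter for this check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back to the server after the key is tapped.
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // reduced here to the 32-byte SHA-256(rpId)
	Signature         []byte
}

// BrowserGet plays the browser's part of navigator.credentials.get(). A page
// may only claim its own registrable domain (or a parent of it) as rpId, the
// page origin is written into clientDataJSON, and the authenticator signs
// only if it holds a credential for that rpId. A page on a look-alike proxy
// domain therefore cannot name the real site, and the key has nothing
// registered for the domain it can name.
func (a *Authenticator) BrowserGet(pageOrigin, requestedRpID, challenge string) (*Assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return nil, err
	}
	host := u.Hostname()
	if host != requestedRpID && !strings.HasSuffix(host, "."+requestedRpID) {
		return nil, fmt.Errorf("browser: rpId %q is not valid for origin %q", requestedRpID, pageOrigin)
	}
	priv, ok := a.creds[requestedRpID]
	if !ok {
		return nil, fmt.Errorf("authenticator: no credential for rpId %q, refusing to sign", requestedRpID)
	}
	cdj, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(requestedRpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(rpHash[:], cdj))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cdj, AuthenticatorData: rpHash[:], Signature: sig}, nil
}

// signedHash is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the
// digest an ES256 WebAuthn signature is computed over.
func signedHash(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// VerifyAssertion is the relying party's check. Origin and rpIdHash are part
// of the signed data, so a relay cannot rewrite them without breaking the
// signature, and the challenge ties the assertion to this one login.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, rpID, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("unexpected ceremony type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch (stale or replayed assertion)")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin %q does not match %q", cd.Origin, expectedOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthenticatorData, want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedHash(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// RunScenario registers a key for the constructed site accounts.example.com
// and returns three outcomes: a login from the real origin, a login relayed
// through a proxy on a look-alike domain that asks for the real rpId, and the
// same proxy asking for its own domain as rpId.
func RunScenario() (legitErr, wrongOriginErr, noCredErr error) {
	auth := NewAuthenticator()
	const rpID, origin = "accounts.example.com", "https://accounts.example.com"
	pub, err := auth.Register(rpID)
	if err != nil {
		return err, err, err
	}
	challenge := "constructed-challenge-0001" // a real server draws fresh random bytes per login
	as, err := auth.BrowserGet(origin, rpID, challenge)
	if err != nil {
		return err, nil, nil
	}
	legitErr = VerifyAssertion(pub, origin, rpID, challenge, as)
	const proxy = "https://accounts.example.com.login-update.net"
	_, wrongOriginErr = auth.BrowserGet(proxy, rpID, challenge)
	_, noCredErr = auth.BrowserGet(proxy, "accounts.example.com.login-update.net", challenge)
	return legitErr, wrongOriginErr, noCredErr
}

func main() {
	legit, wrongOrigin, noCred := RunScenario()
	fmt.Println("real origin:     ", legit)
	fmt.Println("proxy, real rpId:", wrongOrigin)
	fmt.Println("proxy, own rpId: ", noCred)
}
```

The first call verifies; the other two fail before any signature is produced, one in the browser's domain check and one because the key holds no credential for the attacker's domain. Compare this with a TOTP code or a push approval, which carry no notion of where they are being entered: the proxy can forward them unchanged and the server has nothing to object to.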

Transcript

Daniel's Prompt
Daniel
Custom topic: 2FA vulnerabilities and weaknesses. Two-factor authentication is often cited as the gold standard in online security, and most people believe that a strong password combined with 2FA makes them essent
Corn
Hey everyone, welcome back to My Weird Prompts. We are coming to you as always from our home here in Jerusalem. I am Corn Poppleberry, and I am joined by my brother and resident technical encyclopedia.
Herman
Herman Poppleberry, at your service. It is good to be here, Corn. We actually chose today’s topic ourselves, though our housemate Daniel was just talking about this the other day after he had a close call with a suspicious login notification. We realized that while we have touched on security before, we have never really done a deep dive into the crumbling facade of two factor authentication.
Corn
Yeah, the two factor fallacy. That is what I have been calling it in my head lately. We tell everyone to enable two factor authentication, or two F A, as if it is this magical shield that makes you unhackable. But as of early twenty twenty-six, the data is telling a very different story. Over seventy percent of successful enterprise breaches now involve some form of session hijacking rather than just guessing a password. That is a staggering number when you think about how much we have invested in these systems.
Herman
It is a massive shift, Corn. We have moved from the era of breaking the door down to the era of simply convincing the doorman that you are already inside. Most people think that once they hit that text message code or tap a button on their phone, they are safe. But the reality is that two factor authentication is a spectrum, not a binary switch. Some versions of it are essentially a screen door in a hurricane, while others are a bank vault.
Corn
And that is what we are going to untangle today. We want to move beyond the surface level advice. If you are listening to this, you probably already know you should not use password as your password. You probably already have an authenticator app. But we want to talk about why that might not be enough anymore, especially with the rise of real time phishing kits and session theft. We are moving from the simple "is it on?" to "how is it implemented?"
Herman
We are going to look at the authentication gap. That is the space between you typing in your credentials and the server deciding you are who you say you are. That gap is where the attackers are living these days. It is the "time of check to time of use" vulnerability on a human scale.
Corn
It is funny you mention the gap, Herman. I was reading a report recently that suggested that for many high value targets, two factor authentication has actually become a primary target rather than a secondary obstacle. It is not something they bypass after getting the password. It is something they target simultaneously.
Herman
That is because the password has become the easy part. With billions of leaked credentials floating around the dark web, attackers often start with your password. The two factor code is the only thing standing in their way, so they have built incredibly sophisticated tools specifically to intercept it in real time. We have to stop thinking of two factor as a second lock and start thinking of it as a conversation that can be eavesdropped on.
Corn
So let us start there. Let us talk about the big one that has been making headlines lately. Reverse proxy phishing. I am talking about tools like Evil Proxy and Evil Ginx. Most people think phishing is just a fake website that steals your password, but this is different, right?
Herman
It is fundamentally different. In a traditional phishing attack, the attacker makes a fake version of, say, your bank website. You type in your username and password, they save it to a database, and then the site usually just crashes or redirects you to the real bank. But you still have your two factor authentication, so the attacker cannot log in later because the code you would have used has expired.
Corn
Right, because those six digit codes are time based. They usually last for thirty or sixty seconds.
Herman
But a reverse proxy attack, like what you see with Evil Ginx, acts as a transparent bridge. This is what we call an Adversary in the Middle, or A i t M, attack. The attacker is not showing you a fake website. They are showing you the real website, but they are sitting in the middle. When you go to the phishing link, the attacker’s server fetches the real login page from Microsoft or Google and serves it to you. You type your password into the real looking fields, and the attacker passes that password to the real server in real time.
Corn
So the real server thinks a legitimate login is happening, and it triggers the two factor prompt.
Herman
Precisely. The real server sends the text message or the push notification to your phone. You see it, you think everything is normal because you are currently trying to log in, so you enter the code or tap approve. That code goes back to the attacker’s proxy, which then passes it to the real server. The real server says, great, you are authenticated, and it sends back a session cookie.
Corn
And that cookie is the golden ticket.
Herman
That is the whole point of the attack. The attacker does not even care about your password or your code after the login is finished. They grab that session cookie, which is the digital token that says "this browser is logged in for the next thirty days." Once the attacker has that cookie, they can put it into their own browser and they are in your account. No password needed, no two factor code needed. They have hijacked the session that you just authorized.
Corn
This is what blows my mind, Herman. We spent years telling people to look for the padlock icon or check the U R L. But these reverse proxies can be very convincing. They can use subdomains that look incredibly legitimate, like "login dot microsoft dot security-update dot com." And since the page content is literally pulled from the real site, all the branding, the security logos, and the layout are perfect.
Herman
It is a massive problem because it bypasses the "something you have" requirement of two factor authentication by making you use that "something you have" for the attacker’s benefit. We saw a massive example of this in the middle of twenty twenty-five. A major SaaS provider—we will call them Skyward Cloud—had over four hundred employee accounts compromised in a single weekend. The attackers used a reverse proxy kit that was so sophisticated it even proxied the "help" chat on the login page. Employees thought they were talking to their own I T department while their session tokens were being drained.
Corn
That is terrifying. It is not just a technical failure; it is a total subversion of the user's trust. I want to circle back to the hierarchy in a bit, but let us talk about the older, more brute force way of beating two factor authentication. S M S interception and S I M swapping. We covered the S M S paradox back in episode seven hundred and four, but it feels like the problem has only shifted, not disappeared.
Herman
It is actually getting more targeted. S I M swapping is a social engineering attack on the human element of the cellular networks. An attacker calls up your mobile provider, pretends to be you, and convinces a customer service representative to port your phone number to a new S I M card that the attacker holds. Usually, they claim they lost their phone or got a new one.
Corn
And once that number is ported, every two factor code sent via text message goes straight to the attacker’s device.
Herman
And the scary part is how little technical skill it requires. It just requires a convincing story and maybe some basic personal info like your birthdate or the last four digits of your Social Security number, which, let us be honest, are basically public record at this point after the big data breaches of the early twenties. But there is also a more technical version of this that most people do not realize is still possible. The S S seven vulnerabilities.
Corn
S S seven. That stands for Signaling System Number Seven, right? It is a protocol from the nineteen seventies.
Herman
Yes, and it is the backbone of how cellular networks talk to each other globally. It was designed in an era when we assumed that everyone on the network was a trusted state actor or a massive telecommunications company. It has no built in end to end encryption for the routing information. It is essentially a trust based system in a world that is no longer trustworthy.
Corn
So if an attacker gets access to an S S seven gateway, which you can apparently just rent or buy access to on the dark web for a few thousand dollars, they can essentially tell the global network that your phone number is currently roaming on their network.
Herman
Right. They do not even need to swap your S I M card. They just reroute the S M S traffic to their own terminal. You might not even notice your service is gone for a few minutes while they intercept the code, log into your bank, and move the money. This is why S M S is considered the absolute bottom tier of two factor authentication. It is better than nothing, but it is fundamentally broken because it relies on a telecommunications infrastructure that was never built for security. It is like trying to build a skyscraper on a foundation of wet sand.
Corn
It is amazing that we still rely on it so heavily. I mean, think about how many major banks in the United States still insist on S M S. You try to set up a hardware key or a T O T P app, and they tell you that for your security, they must send a text. It is infuriating.
Herman
It is a legacy debt issue. They want to ensure that the least tech savvy customer can still access their account. But in doing so, they are keeping the door unlocked for sophisticated attackers. We have to realize that the convenience of S M S is exactly what makes it a liability. If it is easy for you to receive, it is easy for an attacker to intercept.
Corn
Okay, so if S M S is the bottom tier, what about push notifications? You know, the ones where you just tap a button that says "Yes, it is me." A lot of people think those are more secure because they are tied to a specific device and an encrypted app.
Herman
They are better than S M S because they are not traveling over the cellular signaling network in the same way. They go through Apple or Google’s notification services. However, they are vulnerable to a very human attack called M F A bombing, or push notification fatigue.
Corn
I love that term. Fatigue. It sounds so polite for what is essentially a psychological assault.
Herman
That is exactly what it is. Imagine it is three o’clock in the morning. Your phone starts buzzing. It is a notification saying, "Are you trying to log in?" You hit deny. Ten seconds later, it buzzes again. Deny. Again. Deny. This happens fifty times in a row. Eventually, you are tired, you are annoyed, or you think maybe your phone is glitching, and you just hit approve to make the noise stop.
Corn
Or you accidentally hit approve because you were trying to clear the notification so you could go back to sleep. I have definitely cleared notifications in a daze before.
Herman
Precisely. We saw this in the high profile breaches of companies like Uber and Cisco back in twenty twenty-two, and it has only become more common. The attackers had the passwords, and they just bombarded the employees with push requests until someone finally tapped yes. It is a psychological bypass of a technical control. It exploits the human desire to make an annoyance go away.
Corn
It is the digital equivalent of someone ringing your doorbell over and over until you open it just to yell at them, and then they just push past you into the house.
Herman
That is a perfect analogy. And the solution to that is something called number matching, which we are seeing more of now. Instead of just a "Yes" or "No" button, the website shows you a two digit number, and you have to type that specific number into the app on your phone. That breaks the fatigue attack because you cannot just blindly tap approve. You have to actually look at the screen where the login is happening.
Corn
That seems like such a simple fix, but it took years for it to become standard. Even now, plenty of services do not use it. But even with number matching, we are still back to the reverse proxy problem, aren't we? If I am on a phishing site that is acting as a proxy, it will show me the two digit number from the real site, and I will type it into my real app, and the attacker is in.
Herman
You are exactly right. Neither T O T P apps nor push notifications, even with number matching, can protect you from a sophisticated reverse proxy. They are all vulnerable because the secret, the thing that proves who you are, is being handled by the browser. And if the browser is talking to a proxy, the secret is leaked. This is the core of the "Authentication Gap" we talked about.
Corn
This leads us to the middle of the hierarchy, then. Let us talk about T O T P apps, like Google Authenticator or Authy. These are the ones where you scan a Q R code and then get a rotating six digit number. Most people think these are unhackable because they are offline.
Herman
They are certainly more resilient than S M S, but they have their own weaknesses. One is the seed theft. When you scan that Q R code, you are essentially sharing a secret key, called a seed, between the server and your phone. That key is stored in a database on your device. If you get infected with mobile malware—what we call an info stealer—the malware can go in and scrape those secret keys.
Corn
Wait, so if my phone is compromised, they don't even need to see the rotating code?
Herman
Once they have the seed, they can generate your codes forever on their own device. They do not need your phone anymore. They have cloned your authenticator. Modern malware like the "Lumma" or "Vidar" stealers are specifically designed to hunt for these SQLite databases on your phone or computer.
Corn
And then there is the cloud backup issue. Some apps like Authy or the newer versions of Google Authenticator allow you to back up your codes to the cloud so you do not lose them if you lose your phone. But now, your two factor security is only as strong as the password and the two factor protection on your cloud account. If someone gets into your Google account, they now have the keys to every other account you have secured with that authenticator app.
Herman
It is a cascading failure. We are moving the risk around rather than eliminating it. It is like having a super secure lock on your front door but keeping the spare key in a wooden box on the porch. If the box is broken into, the lock doesn't matter. This is why I always tell people to be very careful with cloud syncing for authenticators. It is a massive convenience, but it introduces a single point of failure that spans your entire digital life.
Corn
Let us talk about the human element again. You mentioned social engineering with S I M swapping, but what about the help desk? This is a huge vulnerability that people often overlook. You can have the best two factor setup in the world, but if a twenty year old at a support center can be talked into resetting your account, none of it matters.
Herman
This is the help desk bypass. Attackers will call support and put on a performance. They might have a recording of a crying baby in the background, or they might pretend to be an executive who is about to walk into a multi million dollar meeting and just locked themselves out of their account. They play on human empathy. They know that most customer service reps are trained to be helpful, not to be security guards.
Corn
We saw this with the M G M Resorts hack. The attackers allegedly just called the help desk, found an employee’s info on LinkedIn, and convinced the support staff to reset the credentials and the multi factor authentication. It took ten minutes and zero lines of code. It paralyzed an entire casino empire.
Herman
It is a reminder that security is a process, not just a product. If your recovery process is weaker than your primary authentication, then your primary authentication is effectively useless. Most companies have terrible policies for verifying identity over the phone. They ask for things like your mailing address or your birthdate, which are easily found online. If I can reset your YubiKey requirement by telling a support rep your zip code and your mother’s maiden name, then the YubiKey is just theater.
Corn
So, we have painted a pretty bleak picture so far. S M S is broken, push notifications can be bombed, T O T P apps can be phished or scraped by malware, and the help desk is a soft target. Is there anything that actually works?
Herman
There is, and this is where we get to the top of the hierarchy. F I D O two and hardware keys, like the YubiKey. These are fundamentally different from everything else we have discussed. They represent a shift from "shared secrets" to "asymmetric cryptography."
Corn
Tell me why. Why is a physical U S B key better than a code on my phone?
Herman
It comes down to something called origin binding. When you use a hardware key, the browser and the key have a little cryptographic conversation. The key says to the browser, "Which website am I talking to right now?" If the browser says "I am talking to accounts dot google dot com," the key checks its internal memory. If that matches the site it was originally set up with, it signs a challenge and lets you in.
Corn
But what happens if I am on a phishing site? What if I am on "accounts dot google dot security dot com"?
Herman
That is the magic. The key sees that the domain does not match exactly. It does not matter how much the website looks like Google. The key knows it is not the right origin. It will refuse to sign the challenge. The attacker’s reverse proxy can pass the request along all it wants, but the hardware key will not provide the necessary cryptographic proof because it is bound to the real domain.
Corn
So even if I am tricked, the hardware cannot be tricked.
Herman
It removes the human error from the equation. You could be the most gullible person on earth, you could type your password into the phishing site, you could plug in your key and tap the button, and it still would not work for the attacker. The key simply will not talk to a fake domain. This is why hardware keys are the only form of two factor authentication that is truly phish proof.
Corn
It is a massive leap in security. I remember when Google rolled these out to their entire workforce of over eighty thousand people years ago. They reported that after the switch, they had zero successful phishing takeovers. Zero. In a world where we usually talk about reducing risk, seeing a number like zero is incredible.
Herman
It is the gold standard. And the good news is that it is becoming more accessible. Most modern smartphones now have a version of this built in, called passkeys. It uses the same underlying technology, Web Auth n, but it uses your phone’s secure enclave and your fingerprint or face I D instead of a separate U S B stick. It is essentially turning your phone into a hardware key.
Corn
Passkeys are interesting, but I have heard some people express concern about them. Is it not just another version of the cloud backup problem? If my passkey is synced to my I Cloud or Google account, aren't we back where we started?
Herman
That is a very astute point, Corn. There is a tension between security and recoverability. If you have a physical YubiKey and you lose it, and you do not have a backup key, you are locked out. For a lot of people, that is too much risk. So, Apple and Google have designed passkeys to be synced.
Corn
But that means if my I Cloud account is compromised, the attacker gets my passkeys.
Herman
Yes, but the trade off is that the passkeys themselves are still phish proof. An attacker might steal your passkeys from the cloud, but they still cannot phish them from you in real time. And to get into your I Cloud in the first place, they would have to get past your primary authentication, which should also be a passkey. It creates a much stronger circle of security, even if it is not quite as absolute as a standalone, non syncable hardware key.
Corn
I think it is important to mention the supply chain risk here too. We have been talking about how attackers bypass the technology, but what happens if the provider itself is the problem? We saw this with the Last Pass breach a while back, where the attackers got into the developer environment.
Herman
That is the nightmare scenario. If the company that provides your two factor service is compromised, they might be able to intercept the seeds or bypass the authentication entirely at the server level. This is why diversification is important. You do not want every single one of your digital keys living in the same vault. If you use one company for your password manager and another for your two factor, you are creating layers.
Corn
It also makes me think about the geopolitical angle. Being here in Jerusalem, we are very aware of state sponsored cyber activities. If you are a high value target, a journalist, a politician, or a researcher, you have to assume that state actors are not just trying to phish you. They might be trying to compromise the infrastructure you rely on.
Herman
We have seen instances where state actors have pressured telecommunications companies to facilitate S I M swaps or S S seven intercepts. If you are relying on S M S in a country where the government controls the phone lines, you essentially have no security against that government. This is why the shift toward hardware keys and end to end encrypted authentication is not just a technical preference, it is a matter of national security and individual liberty.
Corn
It is a powerful point, Herman. Strong encryption and robust authentication are tools of freedom. They allow people to operate without the constant fear of being silenced or compromised by an adversary.
Herman
And it is not just about state actors. The democratization of these attack tools is what worries me. Five years ago, setting up a reverse proxy like Evil Ginx required significant technical skill. Today, you can find pre configured kits on GitHub with step by step tutorials. Criminals are running these as a service. You do not even need to know how it works; you just pay a subscription fee and provide the phishing templates. It is "Phishing as a Service."
Corn
It is the industrialization of cybercrime. So, let us get practical for our listeners. We have talked about the hierarchy. If someone is listening to this and they are currently using S M S for everything, what should their roadmap look like?
Herman
Step one is to get off S M S wherever humanly possible. If a service offers a T O T P app option, take it. Even if you just use a free app like Microsoft Authenticator or Google Authenticator, you have immediately moved yourself out of the reach of S S seven attacks and basic S I M swapping. That is the easiest win.
Corn
Step two?
Herman
Step two is to audit your most important accounts. Your email, your banking, and your primary identity provider like Apple or Google. For those, you should really consider buying a physical hardware key. They are not that expensive, usually around twenty five to fifty dollars, and they are the single best investment you can make in your digital security. Look for F I D O two or U two F compatibility.
Corn
And make sure you buy two. One for your keychain and one to keep in a safe place at home as a backup.
Herman
Do not be the person who has one key and loses it. That is a recipe for a very bad day. And step three would be to look for the number matching feature in your push notifications. If you use an app that just has a "Yes" or "No" button, see if there is a setting to enable more secure prompts. Microsoft and Google have made this the default for many, but some third party apps are still lagging behind.
Corn
What about the recovery side? How do we secure the help desk vulnerability?
Herman
That is harder because you do not always have control over the company’s policies. But you can do things like setting up a verbal passcode with your cellular provider. Most carriers allow you to add a pin or a password that must be provided before any changes are made to your account. It is not perfect, but it adds a layer of friction for a social engineer.
Corn
I also tell people to be very careful about what they share on social media. If your security questions are things like your mother’s maiden name or the street you grew up on, and those things are easily findable on your Facebook or LinkedIn, you have effectively turned your security into a public document.
Herman
I actually recommend lying on those security questions. Your mother’s maiden name doesn't have to be her real name. It can be a random string of words that you store in your password manager. The computer doesn't know the difference; it just knows if the strings match. Treat those questions like a second password.
Corn
That is a great tip. Treat security questions like a second password, not a trivia quiz. It makes the "Help Desk" attack much harder if the attacker doesn't know you've answered "What was your first pet's name?" with "Purple-Battery-Ninety-Nine."
Herman
Precisely. And one more thing for the more technically inclined listeners. Pay attention to your session durations. If a service allows you to stay logged in for six months, that is a six month window for an attacker to use a stolen cookie. For sensitive accounts, it is often better to set shorter session limits or to require re authentication for sensitive actions, like changing your password or transferring money.
Corn
It is that balance between convenience and security again. We have become so used to never having to log in that we have forgotten how dangerous that can be. We want the digital world to be frictionless, but friction is exactly what keeps us safe.
Herman
It is all about risk management. You do not need a YubiKey for your pizza delivery account. But for your primary email, which is the gateway to every other account you own through the password reset function, you need the absolute best protection available. If your email falls, everything else falls like a house of cards.
Corn
We actually covered some of the history of how we got to this point in episode seven hundred and twenty four, where we talked about the evolution of proving you are human. It is interesting to see how the goalposts keep moving. First it was just passwords, then it was captchas, then it was two factor, and now we are moving toward this passwordless F I D O two future.
Herman
It is an arms race, Corn. As soon as we build a better wall, the attackers build a taller ladder. But with hardware keys and passkeys, we have finally moved to a wall that is cryptographically grounded in a way that makes the old ladders obsolete. It does not mean the race is over, but it means the attackers have to find a completely different way to play the game. They have to move from attacking the "transmission" to attacking the "endpoints."
Corn
I wonder what that next phase looks like. If they cannot phish the key, do they go back to old school malware? Do they try to compromise the hardware manufacturers?
Herman
We are already seeing some of that. Supply chain attacks on the chips themselves or side channel attacks that try to measure the power consumption of a device to figure out the cryptographic key. We talked about that in episode six hundred and seventy nine, "The Sound of Secrets." It sounds like science fiction, but it is the reality of high level espionage. If they can't steal the key, they try to hear it being used.
Corn
It is fascinating and terrifying at the same time. But for ninety nine percent of people, just moving up the hierarchy from S M S to a T O T P app or a hardware key will put them ahead of the vast majority of automated attacks.
Herman
You do not have to be faster than the bear; you just have to be faster than the guy next to you. Most attackers are looking for low hanging fruit. If you make your account even slightly difficult to hack, they will move on to someone else who still has S M S enabled. It is a cynical truth, but it is the reality of the internet.
Corn
That is a bit of a grim way to look at it, but it is the truth of the digital world. We have to take responsibility for our own digital borders. We can't wait for the platforms to protect us; we have to use the tools they provide correctly.
Herman
We really do. And I think the transition to passkeys over the next couple of years is going to be the biggest leap forward we have seen in decades. It is the first time we have a security solution that is actually more convenient than the thing it is replacing. No more typing in six digit codes, no more waiting for text messages. Just a fingerprint or a face scan and you are in. It removes the friction that usually makes people avoid good security.
Corn
I am looking forward to that day. I am tired of my phone being a constant source of anxiety with all these notifications. I want my security to be invisible but invincible.
Herman
You and me both, brother. You and me both. We are getting there, but until then, we have to stay vigilant and understand that "enabled" is not the same as "secure."
Corn
Well, I think we have covered a lot of ground today. From the vulnerabilities of the nineteen seventies telecommunications protocols to the cutting edge of cryptographic hardware keys. The main takeaway is clear. Two factor authentication is not a silver bullet. It is a tool, and like any tool, you have to know how to use it correctly.
Herman
And you have to know its limitations. Don't be complacent just because you see that little checkmark next to two factor authentication in your settings. Take a look at which method you are using and ask yourself if it is appropriate for the value of the account you are protecting. If it's your life savings, maybe don't rely on a text message.
Corn
Well said, Herman. If you found this discussion helpful, or if it made you realize you need to go update your security settings, we would love to hear from you. You can find us at myweirdprompts dot com, where we have a contact form and the full archive of all nine hundred and forty three episodes. We will have links in the show notes for some of the hardware keys and apps we mentioned.
Herman
Yeah, and if you have a second, leaving a review on Spotify or your favorite podcast app really does help the show. It helps other curious people find us and join the conversation. We love seeing the community grow.
Corn
Definitely. We appreciate all of you who have been with us for so many episodes. It is your questions and your curiosity that keep us going. We are always looking for new topics, so send them our way.
Herman
And thanks again to our housemate Daniel for the inspiration for today's deep dive. It is always interesting to see how these technical topics manifest in our daily lives. Hopefully, he's got his YubiKey set up by now.
Corn
Alright, that is it for this week. Stay safe out there in the digital wilderness, everyone. Remember, the doorman is only as good as the ID you give him.
Herman
And keep those hardware keys close. Until next time.
Corn
This has been My Weird Prompts. We will talk to you soon.

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.