Now we are discovering the reality

Passwords are a hassle. Remembering them is an almost impossible mission, creating secure ones forces us to type several special symbols, and to top it off, we see leaks of this data from time to time. That is why technology companies are looking for a definitive solution to do away with them. One of the alternatives gaining popularity is apparently simple and elegant: enter your email or phone number and receive a single-use code. But it is not completely safe.

Large companies adopt the ‘Magic Link’. Passwordless login has been adopted by companies such as Microsoft. The promise is clear: eliminate friction and the risk of passwords reused across services. However, what seems like an ingenious solution is becoming a security nightmare, a system that, in certain scenarios, can be even worse than the much-maligned passwords, as the expert Daniel Huang points out. And it is not a theoretical threat; it is already being actively exploited.

Entering the email is the first step of the deception. A priori it seems a simple and harmless system, and as users we are getting used to the idea that if we receive a code, we have to use it. But where? This is where a cybercriminal finds a new vein for phishing attacks that are disturbingly effective.


It all starts with receiving a very convincing phishing email or SMS. It may be an irresistible offer or an attention-grabbing security notice, accompanied by a link to a web page that is a perfect clone of the original, to which the victim is sent via the SMS. This is where they are asked to enter their phone number or email, and all that remains is to wait for the next step.

Behind the screen is where the attacker sits. Out of sight, the attacker enters the email or phone number on the legitimate website, which makes the real service send a completely valid six-digit code to the victim's inbox or text messages. And this is where the fake website asks for the verification code just received to be entered, taking advantage of the fact that on previous occasions doing so had never caused any harm.

This is where the damage is done. The attacker receives the code and uses it on the real website, logging in and changing all the login information, such as the email or phone number, to seize the account. And the usual defenses are of little use: a password manager cannot autofill anything, and since the code is legitimate and sent from the real service, spam filters will not be triggered either.
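Because the code itself is legitimate, the detectable signal is what happens right after it is redeemed. The following is an added example (not code from the article or from any company it mentions) that scans constructed authentication events for the pattern described above: a one-time code redeemed from an address the account has never used, followed within minutes by changes to the recovery email or phone. The event names, IP baseline and time window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from the article). The
# second user shows the shape of the fraud described above: a one-time code is
# redeemed from an address the account has never used, and minutes later the
# recovery email and phone number are rewritten.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "user": "alice", "event": "otp_redeemed", "ip": "203.0.113.5"},
    {"ts": "2024-05-01T10:01:00", "user": "alice", "event": "profile_view", "ip": "203.0.113.5"},
    {"ts": "2024-05-01T12:00:00", "user": "bob", "event": "otp_redeemed", "ip": "198.51.100.77"},
    {"ts": "2024-05-01T12:02:30", "user": "bob", "event": "recovery_email_changed", "ip": "198.51.100.77"},
    {"ts": "2024-05-01T12:03:10", "user": "bob", "event": "recovery_phone_changed", "ip": "198.51.100.77"},
]

# Addresses each account has logged in from before (constructed baseline).
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"192.0.2.10"}}

# Events that rewrite how the account can be recovered (assumed event names).
RECOVERY_CHANGES = {"recovery_email_changed", "recovery_phone_changed"}


def find_takeovers(events, known_ips, window=timedelta(minutes=15)):
    """Return one finding per OTP login from an unfamiliar address that is
    followed, within `window`, by changes to the account's recovery contacts.
    The code was valid, so the signal is the behaviour after it was used."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    findings = []
    for i, ev in enumerate(ordered):
        if ev["event"] != "otp_redeemed":
            continue
        if ev["ip"] in known_ips.get(ev["user"], set()):
            continue  # familiar address: an ordinary passwordless login
        start = datetime.fromisoformat(ev["ts"])
        changes = [
            later["event"]
            for later in ordered[i + 1:]
            if later["user"] == ev["user"]
            and later["event"] in RECOVERY_CHANGES
            and datetime.fromisoformat(later["ts"]) - start <= window
        ]
        if changes:
            findings.append({"user": ev["user"], "ip": ev["ip"], "changes": changes})
    return findings


if __name__ == "__main__":
    for f in find_takeovers(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"possible takeover of {f['user']} from {f['ip']}: {', '.join(f['changes'])}")
```

A finding like this is a natural trigger for a step-up check or a cooling-off period before recovery-contact changes take effect.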

A security problem that has already been exploited. This has not remained theory; it has been put into practice. One of the most notorious examples is Microsoft’s login system for Minecraft accounts, as shown in the company's forums and in Reddit threads. Many players describe how they lost access to their account overnight because of this type of fraud.

The pattern was always the same: they received an email with some excuse about their Mojang account and, by following the steps, handed over the login access code on a silver platter.

Access codes or classic passwords. This is the big decision that large companies must now make. And one of the solutions that would help guarantee a secure password is a good password manager. If it is of quality, the access credentials are linked to a specific URL, so if an illegitimate website is visited, the web address will not match and the credentials will not be autofilled.

The best defense is common sense. With either access system, 100% security is not achieved. In the past we have seen very important password leaks, such as hackers publishing enormous files of credentials, the theft scams that have been reported, or the strategies followed to steal credentials, even in Chrome. That is why, as security advice, the most important thing is to check web addresses and distrust anything out of the ordinary.

Images | Brett Jordan, Towfiqui Barbhuiya

In Xataka | The ‘yes’ scam: what it is and why it is not advisable to answer with a “yes” when an unknown number calls you
