rakkhi,

Pretty cool #phishing attack after the #okta one:

https://retool.com/blog/mfa-isnt-mfa/

Great reason to use #u2f: the 2nd factor cannot be entered into a dodgy site

https://rakkhi.substack.com/p/how-to-make-phishing-impossible
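An added illustration (not part of this thread or either linked post) of the origin binding that makes U2F/WebAuthn phishing-resistant: a stdlib-only Python simulation in which the browser and the relying party each pin an assertion to the site that requested it, so a challenge relayed through a lookalike origin is refused. HMAC-SHA256 stands in for the authenticator's ECDSA signature so it runs without extra packages; the domain names are constructed.

```python
import hashlib, hmac, json, secrets

class Authenticator:  # one credential per relying-party ID (rpId); key never leaves the device
    def __init__(self):
        self.creds = {}
    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]  # real FIDO hands the RP only a public key
    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.creds:
            raise LookupError("no credential scoped to " + rp_id)
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        # HMAC stands in for the ECDSA signature over authData || hash(clientDataJSON)
        sig = hmac.new(self.creds[rp_id], auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig

def browser_get(authn, origin, rp_id, challenge):
    """Browser: rejects an rpId the origin may not claim and writes the real origin itself."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{origin} may not use rpId {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data, sig = authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig

def rp_verify(cred_key, expected_origin, issued_challenge, client_data, auth_data, sig):
    """Relying party: origin and challenge must match before the signature is checked."""
    cd = json.loads(client_data)
    if cd["origin"] != expected_origin or cd["challenge"] != issued_challenge:
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)

def demo():
    authn = Authenticator()
    key = authn.register("bank.example")
    chal = secrets.token_hex(16)
    outcomes = {"legit_login": rp_verify(key, "https://bank.example", chal,
                                         *browser_get(authn, "https://bank.example", "bank.example", chal))}
    # Phishing proxy relays the genuine challenge while the victim sits on a lookalike origin.
    for rp_id in ("bank.example", "bank-login.example"):
        try:
            browser_get(authn, "https://bank-login.example", rp_id, chal)
            outcomes[rp_id] = "assertion produced"
        except (PermissionError, LookupError) as e:
            outcomes[rp_id] = type(e).__name__
    return outcomes
```

Either the browser refuses the claimed rpId, or the authenticator has no credential for the lookalike's own rpId; in both cases no assertion reaches the attacker.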

mdh,

@rakkhi this has been telegraphed for a long time already but is the first case I recall seeing this actually used.

It’s going to be very difficult for the human brain to grapple with the idea of receiving a call from the right number with the right voice saying the right things and to still have to contend with the fact that maybe none of it is real.

rakkhi,

deleted_by_author

    mdh,

    @rakkhi it’s nice in the sense that it doesn’t rely on the same signals as the brain and can’t be tricked in the same way but damn… I can absolutely do some real damage if I can call you and convince you that I’m your boss and I need you to do something for me urgently.

    rakkhi,

    deleted_by_author

    mdh,

    @rakkhi there are a whole range of attacks I can pull off where I don’t need to steal your creds because now I can just convince you to do it on my behalf with this capability

    rakkhi,

    deleted_by_author

    mdh,

    @rakkhi I don’t see how that helps in a whole range of scenarios that fundamentally aren’t authN/Z problems any more.

    The example I gave before of a high pressure deep fake call to your accounts department where I essentially do the phone version of a BEC scam is going to continue working just fine because the right person is doing the right tasks for their job, they just happen to be doing them for the wrong reason and under false pretences.

    The “correct” thing to do in that scenario is to call them back on a known number to verify but if you called me on a known number and you sound like my boss I wouldn’t think to do that and at no point is 2FA going to solve that situation. I don’t think more tech is the magic bullet here to be fair.

    mdh,

    @rakkhi or to use a more timely example… we don’t have all the details here yet but it’s certainly not obvious from what we do know currently that U2F solves this attack at all https://www.engadget.com/hackers-claim-it-only-took-a-10-minute-phone-call-to-shutdown-mgm-resorts-143147493.html

    mdh,

    @rakkhi put me through to accounts, I need to get this invoice paid immediately! We are going to lose the deal otherwise
