This document summarizes a presentation about new phishing techniques and the use of Universal 2nd Factor (U2F) authentication to help prevent phishing. U2F uses specialized USB or NFC devices to strengthen two-factor authentication with challenge-response authentication that cannot be spoofed. The presentation discusses how U2F provides phishing protection and privacy by involving the website origin and using public key cryptography tied to the device. It also covers how U2F has evolved into the passwordless FIDO2 standard. The presentation concludes with a reminder that phishing continues evolving and users need to be careful of URLs visited while technical solutions advance.

1. La nuova generazione del
phishing
Giuseppe Trotta, Managing Security Consultant,
FortConsult|NCC Group
Security Summit
Milano, 14th March 2019

2. Whoami
• Pentester
• Red-Teamer
• Security Researcher

3. 3

4. MiTM Phishing 101
4
- IP spoofing
- ARP spoofing
- DNS spoofing
www.gooooooogle.com
www.google.com

5. Didn't we solve this already?
5

6. Didn't we solve this already?
6

7. 7
Didn't we solve this already?

8. 8

9. 9

10. 10

11. 2FA Authentication is DEAD.
Long live to
Universal 2nd Factor (U2F)
11

12. What exactly is U2F?
"Universal 2nd Factor (U2F) is an open authentication standard
that strengthens and simplifies two-factor authentication using
specialized USB or NFC devices based on similar security
technology found in smart cards.
While initially developed by Google and Yubico, with contribution
from NXP Semiconductors, the standard is now hosted by
the FIDO Alliance."
12

13. 13
U2F? FIDO who?!

14. 14
U2F? FIDO who?!

15. 15
U2F? FIDO who?!

16. 16
U2F? FIDO who?!

17. How U2F Works
17

18. How U2F Works
18

19. Phishing Protection
19
www.gooooooogle.com
www.google.com
Request Origin
(www.gooooooogle.com)
!=
Registered Relay
(www.google.com)

20. • Security Keys: Practical Cryptographic Second Factors for the
Modern Web
http://fc16.ifca.ai/preproceedings/25_Lang.pdf
• Breaking FIDO: Are Exploits in There?
https://www.blackhat.com/docs/us-16/materials/us-16-
Chong-Breaking-FIDO-Are-Exploits-In-There.pdf
20
How U2F Works

21. • The Origin is involved with generating the key
– If you accidentally end up on a phishing site, your device will generate a different key (and the
checksum will fail), so there is nothing the attacker can do to get a useful code – your account
is completely safe"
• It's a physical device
– If your computer gets infected with malware the attackers still won't be able to steal the
secret key inside it. In fact, most keys require you to physically press the button on top to
activate them, so an attacker can't use it remotely at all, even if you leave it plugged in
• Uses public key cryptography
– if an attacker manages to compromise the server, she won't be able to sign the challenge
because the private key cannot be derived from the public key
• Challenge-response mechanism
– means we can stop time-delay and replay attacks: the signature from the security key is strictly
single use, and you can't generate it in advance
• Protects your privacy
21
PROS/CONS

22. 22
PROS/CONS

23. Hands-on Demo?
REFUSE
23
ACCEPT

24. 24
https://github.com/FiloSottile/mkcert

25. 25
Future is FIDO2

26. FIDO2 is the passwordless evolution of FIDO U2F. The overall
objective for FIDO2 is to provide an extended set of functionality
to cover additional use-cases, with the main driver being
passwordless login flows. The U2F model is still the basis for
FIDO2 and compatibility for existing U2F deployments is provided
in the FIDO2 specs.
26
Future is FIDO2

27. Future is FIDO2
27

28. Future is FIDO2
28
https://www.yubico.com/2018/08/10-things-youve-been-wondering-about-
fido2-webauthn-and-a-passwordless-world/

29. Final considerations
• Let's all upgrade to devices
• Be careful to URLs you visit
• Motivate attackers are hard to beat
• Phishing is evolving a lot ... Be prepared
29

30. 30

31. 31

32. Final considerations
32

33. Final considerations
33

34. THANKS!
@giutro
34