
As opposed to username/password, where... An attacker that controls the email address can log right in.

Unless you mean to say I should set up 2FA for my CSS theme variable helper website?

Passkeys and OAuth/social login are great, but everyone has an email. And I don't think any mainstream site supports only passkey as an auth method (and no other way).


"Passkeys and OAuth/social login are great, but everyone has an email"

Big tech is only allowing social login from another big tech anyway; they use a whitelist and ban everyone that doesn't use that, because they can't guarantee an untrusted "third party".


"Everyone has an email" is like "everyone has a phone number": wrong and bad. At least email addresses aren't difficult to get...

I think this refers to RFID-embedded playing cards, which have apparently been used at the World Series of Poker before: https://www.wsop.com/news/wsop-livestreaming-all-summer-with...

>The card information will be known to the viewers by using RFID (radio-frequency identification) technology for the very first time at the WSOP. Each card has a microchip embedded in it that has no impact on the cards or play, but with a specially-outfitted poker table, can send an encrypted signal to decipher the card’s rank and suit. The WSOP has used this technology during the 2012-13 WSOP Circuit season with success, and it is found throughout European poker events as well.


Update next day, I can't believe it was X-rays... https://news.ycombinator.com/item?id=45693599

Well, there was a software change to smooth out how the bars would display. https://9to5mac.com/2025/10/08/a-15-year-mystery-solved-the-...

There are a lot of dedicated anti-detect browsers, you can search for that term or fingerprint switcher, multi-accounting browsers, etc. Many of them are based on Chromium.

In my experience they're generally detectable by mismatches in various attributes compared to the "real" browser whose user agent they are spoofing (though of course, the ground truth of adversarial detection is always hard to know for sure).
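As an added illustration of the mismatch checks the comment above describes (example code written for this page, not from the commenter or from any vendor), the function below compares what a request claims in its User-Agent header against the low-entropy client-hint headers and a few attributes reported by page JavaScript. The rules it encodes are well-known public facts (Chromium-based browsers send Sec-CH-UA and Sec-CH-UA-Platform by default, Firefox and Safari do not; Windows reports navigator.platform starting with "Win", macOS with "Mac"); the header dictionaries and the `client` attribute dictionary are constructed sample input, and the thresholds are heuristics, not a known-good detection product.

```python
import re

# Heuristic consistency checks between a claimed User-Agent, UA client hints,
# and JS-reported attributes. All sample data below is constructed.

def ua_platform(ua: str):
    """Platform family the User-Agent string claims (Android before Linux: Android UAs contain 'Linux')."""
    if "Windows NT" in ua:
        return "Windows"
    if "Android" in ua:
        return "Android"
    if "iPhone" in ua or "iPad" in ua:
        return "iOS"
    if "Macintosh" in ua:
        return "macOS"
    if "Linux" in ua or "X11" in ua:
        return "Linux"
    return None

def ua_engine(ua: str):
    """Engine family. Edge, Opera and Brave all carry 'Chrome/' in their UA."""
    if "Firefox/" in ua:
        return "firefox"
    if "Chrome/" in ua or "Chromium/" in ua:
        return "chromium"
    if "Safari/" in ua:
        return "webkit"
    return None

def chrome_major(ua: str):
    m = re.search(r"Chrom(?:e|ium)/(\d+)", ua)
    return int(m.group(1)) if m else None

def ch_ua_versions(sec_ch_ua: str) -> dict:
    """Parse '"Chromium";v="120", "Google Chrome";v="120", "Not_A Brand";v="8"' into {brand: major}."""
    return {brand: int(v) for brand, v in re.findall(r'"([^"]+)";v="(\d+)"', sec_ch_ua)}

# Expected prefix of navigator.platform for each UA platform family.
JS_PLATFORM_PREFIX = {"Windows": "Win", "macOS": "Mac", "Linux": "Linux", "Android": "Linux", "iOS": "iP"}

def fingerprint_mismatches(headers: dict, client: dict) -> list:
    """headers: lower-cased HTTP header name -> value. client: attributes collected by page JS.
    Returns a list of human-readable inconsistencies; an empty list means nothing contradicted the UA."""
    findings = []
    ua = headers.get("user-agent", "")
    plat = ua_platform(ua)
    engine = ua_engine(ua)
    ch_ua = headers.get("sec-ch-ua")
    ch_plat = headers.get("sec-ch-ua-platform")

    if engine == "chromium":
        if ch_ua is None:
            findings.append("UA claims Chromium but no Sec-CH-UA header (Chromium sends it by default)")
        else:
            ua_major = chrome_major(ua)
            brands = ch_ua_versions(ch_ua)
            hint_major = brands.get("Chromium", brands.get("Google Chrome"))
            if ua_major is not None and hint_major is not None and ua_major != hint_major:
                findings.append(f"UA says Chrome {ua_major} but Sec-CH-UA says {hint_major}")
    elif ch_ua is not None:
        findings.append(f"UA claims {engine} but Sec-CH-UA is present (only Chromium-based browsers send it)")

    if ch_plat is not None and plat is not None and ch_plat.strip('"') != plat:
        findings.append(f"UA platform {plat} but Sec-CH-UA-Platform {ch_plat}")

    js_plat = client.get("navigator.platform")
    if js_plat is not None and plat in JS_PLATFORM_PREFIX and not js_plat.startswith(JS_PLATFORM_PREFIX[plat]):
        findings.append(f"UA platform {plat} but navigator.platform is {js_plat!r}")

    js_ua = client.get("navigator.userAgent")
    if js_ua is not None and js_ua != ua:
        findings.append("navigator.userAgent differs from the User-Agent header")

    if plat in ("iOS", "Android") and client.get("navigator.maxTouchPoints") == 0:
        findings.append("mobile UA but navigator.maxTouchPoints is 0")
    return findings
```

Each finding on its own is weak evidence (corporate proxies rewrite headers, privacy extensions strip hints), which is why such checks are scored rather than blocked on, and why, as the comment notes, the true false-positive rate against a motivated adversary is hard to know.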


The author, Dan, is at FusionAuth, so that might be a good place to start.

I work for Stytch (another CIAM provider) on the fraud and security side and we do these too. I'd say you see credential stuffing defenses integrated into the auth provider rather than standalone rate limiting because so much of the relevant context is tied up in the auth side.

And, all the error messages end up being bad, as is the case for many security things. For our own features like Intelligent Rate Limiting https://stytch.com/docs/fraud/guides/device-fingerprinting/d... it's usually a bad idea to tell a user "You hit the limit, come back in an hour or contact support" because it gives an attacker information on how to improve. And we regularly see probing behavior where an attacker is trying to find the edges of a defense before starting a full-scale attack.

On the side topic of error messages - if you've ever seen "If your account exists, the password has been reset" that's another useless error message because "No account exists with that email" enables account enumeration.
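The two points above (don't tell the caller which threshold they hit, and don't let the reset or login response reveal whether an account exists) can be shown in a small login and reset handler. This is an added example written for this page, not Stytch's or FusionAuth's code; the user store, salt and rate-limit policy (5 attempts per 15 minutes per email/IP pair) are constructed, and `Decision.reason` is a hypothetical internal field that goes to logs, never to the client.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor; constructed for the example

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed in-memory store: one account, not real credentials.
_SALT = b"constructed-salt-0001"
USERS = {"alice@example.com": {"salt": _SALT, "hash": hash_password("correct horse", _SALT)}}

# Dummy record verified for unknown emails so that "no such user" costs the
# same work as "wrong password"; otherwise response timing enumerates accounts.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

# One message for every failure: unknown user, wrong password, rate limited.
GENERIC_LOGIN_ERROR = "Invalid email or password."
GENERIC_RESET_MSG = "If an account exists for that address, a reset link has been sent."

@dataclass
class Decision:
    ok: bool
    message: str   # what the client sees
    reason: str    # internal only (logs, fraud tooling); never returned to the client

class LoginRateLimiter:
    """Sliding-window failure counter keyed by (email, source IP). Hypothetical policy."""
    def __init__(self, max_attempts: int = 5, window_seconds: int = 900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(list)

    def is_limited(self, key, now: float) -> bool:
        recent = [t for t in self._attempts[key] if t > now - self.window]
        self._attempts[key] = recent
        return len(recent) >= self.max_attempts

    def record(self, key, now: float) -> None:
        self._attempts[key].append(now)

def login(email: str, password: str, source_ip: str, limiter: LoginRateLimiter, now=None) -> Decision:
    now = time.time() if now is None else now
    email = email.strip().lower()
    key = (email, source_ip)
    record = USERS.get(email)
    # Always do the full hash, even for unknown users and even when limited,
    # so the limit is not detectable as a faster response.
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password, salt), expected) and record is not None

    if limiter.is_limited(key, now):
        limiter.record(key, now)
        return Decision(False, GENERIC_LOGIN_ERROR, "rate_limited")
    if not password_ok:
        limiter.record(key, now)
        return Decision(False, GENERIC_LOGIN_ERROR, "no_such_user" if record is None else "bad_password")
    return Decision(True, "Welcome back.", "ok")

def request_password_reset(email: str, outbox: list) -> str:
    """Same message whether or not the account exists. `outbox` stands in for a mail queue;
    in production the send must be queued asynchronously so the existing-account path is not slower."""
    email = email.strip().lower()
    if email in USERS:
        outbox.append((email, secrets.token_urlsafe(32)))
    return GENERIC_RESET_MSG
```

Note that `reason` is where the probing behaviour described above becomes visible: a burst of `no_such_user` across many addresses from one IP, or `rate_limited` hits that stop exactly at the threshold and resume a window later, is the signal for the fraud side, while the client keeps seeing the same string.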


It's a problem even on the company side. If the people responsible for marketing are judged on vanity metrics, they'll assume a conversion problem is later in the funnel. And even for venture-backed startups, I feel there is an incentive to turn a blind eye to bot signups since it juices numbers for investors who aren't paying attention.


That's interesting - I had seen some news articles reporting that some Chinese pig butchering scammers were encouraging others to target foreigners only, and exclude the mainland Chinese. Like this one: https://globalinitiative.net/analysis/chinas-acquiescence-to...

It's reminiscent of stories about Russian malware doing nothing on machines with Cyrillic keyboard layouts.


Yep, but notice how that article is about Kokang in Myanmar as well.

Cambodia continues to have scam centers targeting Putonghua speakers (including PRC nationals), but there hasn't been a similar crackdown on such activities due to Chinese pressure.

The crackdown in Kokang happened after China flipped to supporting the Tatmadaw against the Northern Alliance [0] and India began peeling historically India-aligned members of the alliance like the KIA and the Arakan Army back into Indian orbit [1].

P.S. Circa 2 years ago, a large portion of Chinese in SF Chinatown became Kokang and Cambodian Chinese. Bamar, Kuki-Zo, and Kachin Myanmarese primarily reside in Daly City, Ingleside/Outer Mission, and Oakland/East Bay.

SF has a lot of Asian and Latiné subcultures and communities - it's kind of insane how underdocumented it is under the guise of "Asian" and "Latino"

[0] - https://www.stimson.org/2025/too-little-too-late-china-steps...

[1] - https://www.reuters.com/world/asia-pacific/india-extends-unp...


I loved the chatbot where you can haggle a bit. I really need that back and forth in my online shopping experiences.



This dance of insincerity infuriates me as a concept. Imagine how utterly exhausting it would be if every social interaction was characterized by so much wasted time pretending.


To this day I expect my wifi to drop whenever I hear a microwave, thanks to the one in my parents house: https://digitalseams.com/blog/microwave-ovens-wi-fi-and-http


Shouldn't such microwaves be decommissioned? I would assume that microwaves that are not properly shielded are dangerous to people in their vicinity?


Agreed. Every now and then I search the name of my employer on Reddit, which pulls up a bunch of plausible-looking comments that recommend a variety of tools. Then if you look at the comment closely, it doesn't make any sense. And if you look at the account, it only makes comments that mention an assortment of companies + one specific one that it's really shilling.

There's a variety of these marketing spambots on Reddit, and I'm sure like the toupee effect, there are more subtle ones that I'm not noticing. I think this is existential in the long run for Reddit as a platform, but maybe the owners/employees are happy to milk all the value out and walk away from the husk.

