
Oh good find, the link going through Mailgun as a redirect is a recent regression. We have a PR to fix that going live soon.

That said, our security team and I agree there is no security issue here. Mailgun already can see the text of the emails we send.



How is there no security issue here? Email is not secure and it's even less so when you are sending it via a 3rd party. If this were a photo site or something that would not be a big deal but we're talking about a bank. SMS is not much better. Like somebody said elsewhere in the thread, you should allow people to opt out of insecure third-factor verifications since they are just an annoyance and are ultimately security theater.


The emails in question are a third factor, not a magic login link.

Even if they were, almost all email goes through third parties which are trusted implicitly. That's not great, but email is the only federated system in existence capable of implementing this type of decentralized login at scale.

Maybe someday we'll be able to use something like Matrix, Fediverse OAuth, or ATProto OAuth instead, but those are all a ways off.


It's not security theater. He explained above how this is used to defeat a specific phishing attack that they've actually seen in the wild. There are other, different threat vectors (e.g. compromise of the mail server) that it doesn't prevent. But that doesn't make it theater, as it does provide other value.


What does it stop? You already did a 2FA at this point. If an attacker has my 2FA he most likely already has my email so the 'value' being provided is at the cost of more complexity for the user. If this adds value then why not also do an SMS as well to be really, really sure that the user is legit? That would add even more value.

And again, I wasn't saying that you can't do all of this nonsense, but users who see it as nonsense should be able to turn it off.


Again, see the post by MaxGabriel at https://news.ycombinator.com/item?id=42629109 where he explains how this measure actually defeated that particular phishing/MITM attack.

The attack wasn't that the attacker has my second factor, the attack was that the attacker tricked me into verifying a single login/transaction using my two factors, on their behalf.

They probably judged that the inconvenience of the verification email affects few enough users that it is worth it. Most users don't switch IP addresses very often. And those that do probably don't all clear their cookies after every session.

Adding SMS in addition to email would be obviously useless, as you point out.


Why would the attacker having your Mercury TOTP mean they most likely have access to your email?


Because my TOTPs are all stored in the same device and in my imaginary scenario they have that.



