How does 2FA prevent phishing?

Why is the following impossible (or even difficult):

  1. I am duped by a phishing link and enter my login info
  2. The phishing site enters my login info to the real site (where I have 2FA enabled) and copies the encryption challenge while I sit waiting for the web page to load
  3. The phishing site presents the encryption challenge to me and I decrypt it
  4. The phishing site now enters the decrypted token and has access to my account

Is that why all the markets have Captchas? Seems like a committed phisher could just sit at his computer and do this manually when someone falls for the fake link.

This hasn't happened to me, I'm just wondering why we put so much stock in 2FA.


Comments


[1 Points] young_k:

/r/DarkNetMarketsNoobs


[3 Points] noseybast:

Per victim a phisher makes on average 0, the reason it can be mildly lucrative is due to the number of people who fall for it, no-one is going to sit there all day phishing, they may as well use their time to signup for benefits.


[2 Points] TheRealDealMarket:

2FA is only good in case someone obtained your password in a different way.


[1 Points] somanyclips:

adding another factor makes it harder to do


[1 Points] MDMangel:

PGP keeps the boogey men away. Trust me, it hasn't gotten me yet. What does it hurt just to check under the bed .


[1 Points] NightSymphony:

unless someone is dumb enough not to notice the site is asking for pin at login all of a sudden, the phisher would have to wait until they entered their pin# if they even enter it at all when being subjected to a MitM cloner phishing link. Then they would have to sit around and wait for them to hopefully log back in another time through the cloner and intercept the 2fa verification token and log in as them, redirect the phished person to the real URL and quickly change the password before they try and login again. Much easier to phish non 2FA users for information. Just have to wait until they enter their pin for an order through your cloner. Then all you gotta do is monitor the newest deposit address on the site, wait for a deposit to be made and get in and withdraw before they notice. mutlisig and 2FA negate these attempts significantly. Especially Multisig. Phisher can't withdraw from a 2of3 multisig deposit address even if they somehow obtained your bitcoin address private key for your bitcoin address public key used in the generation of the deposit address.


[1 Points] freeelchapo:

no dude youll get phished anyway clicking on all those good phishing links like we do


[1 Points] Axaq:

It's just an added layer of protection and doesn't just protect against phishing, but could also prevent someone from extorting you to get access to the account.

Script kiddies who think they can make a quick buck from these simple phishing pages usually don't have the knowledge to adequately manage to hijack your cookies and access anything in your account directly over HTTP. Due to the lack of JavaScript they really can't do much such as return the encrypted message in any other way, even if they did to directly use when they login to your account I believe most markets (or they should) generate a new string each time for 2-FA.


[1 Points] Litico:

Yeah you're completely right. We shouldn't put too much faith in it.
However, the difficulty 2-FA adds is typically enough of a deterrent to keep people from being phished. And as most people opt not to use it, phishers program their sites to not worry about the few with 2-FA enabled.

Think about it, if you're smart enough to be concerned about 2-FA you're probably smart enough to find some signed links out there and avoid being phished. Why program for it?


[1 Points] chantra666:

I thought with 2FA enabled, phishers wont be able to use your acc as long they dont have your private key? i mean you login, and then need to encrypt a pgp-message with your key. as long as you dont send your key to them phishers you dont have to worry. or am i wrong?


[1 Points] Bbmcisrightyoufools:

Nothing can prevent a skilled enough phisher. The only thing preventing this attack is the fact that phishers are generally skiddies following a tutorial they saw on HF and people with the knowledge to pull off more advanced attacks generally aren't desperate enough to phish people


[1 Points] None:

Bookmark the triple checked correct URL then bookmark and never enter other than said bookmark.Obviously 2fa is an absolutely crucial extra that takes very little time. I cant see why this is all so difficult?


[0 Points] Mmmmmmmmtoast:

It's because most phishing sites don't work like that, using the man-in-the-middle method. 2FA will protect you from most sites.