
This is the best commentary on a real-life social engineering hack I've seen. What's really interesting is how he was able to be undetected mostly, because services like LinkedIn only had an optional requirement for forcing all devices to re-login when a password was changed, and that the hacked individual wasn't using 2FA on her email.


Agree this is excellent, and demonstrates how straightforward phishing really is. 2FA wouldn't save you here either, as that can easily be phished at the same time (except for U2F tokens).


Right, the point of U2F is the physical token.


The "point" of U2F instead of HOTP/TOTP is that the code you send to evilhacker.com can't be used on google.com - so getting a usable token by phishing is impossible. HOTP/TOTP are flawed in that you can send the generated code to evilhacker.com and they can use it to log in to google.com with you being none the wiser.


Sort of - the point of U2F is challenge-response on the key, which is tied to the URI or HTTPS session, which makes it impossible to phish without a browser exploit.
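
To illustrate the origin binding the two comments above describe, here is an added example (not from the thread) that models the check in Python, with a shared HMAC secret standing in for U2F's per-credential ECDSA key (an assumption made so it runs on the standard library): the relying party only accepts an assertion whose signed client data names its own origin, so a challenge relayed through a look-alike site is rejected.

```python
import hmac
import secrets

# Constructed, simplified model of U2F/WebAuthn origin binding. Real U2F signs
# with a per-credential ECDSA key; here token and site share an HMAC secret
# per key handle (an assumption so the example runs on the standard library).
CHALLENGE_LEN = 32

class Token:
    """Authenticator: signs the challenge together with the origin the browser
    observed. Page JavaScript cannot override that origin."""
    def __init__(self, keys):
        self.keys = keys  # key handle -> secret

    def sign(self, handle, challenge, browser_origin):
        client_data = challenge + browser_origin.encode()
        sig = hmac.new(self.keys[handle], client_data, "sha256").digest()
        return client_data, sig

class RelyingParty:
    """The real site: issues single-use challenges and verifies assertions."""
    def __init__(self, origin, creds):
        self.origin = origin
        self.creds = creds    # key handle -> secret registered for this site
        self.pending = set()  # challenges issued but not yet consumed

    def challenge(self):
        c = secrets.token_bytes(CHALLENGE_LEN)
        self.pending.add(c)
        return c

    def verify(self, handle, client_data, sig):
        challenge, origin = client_data[:CHALLENGE_LEN], client_data[CHALLENGE_LEN:]
        if challenge not in self.pending:
            return False  # unknown or already-used challenge
        self.pending.discard(challenge)
        if origin.decode() != self.origin:
            return False  # signed for a different site: a relayed assertion
        expected = hmac.new(self.creds[handle], client_data, "sha256").digest()
        return hmac.compare_digest(expected, sig)

def demo():
    creds = {"kh-1": secrets.token_bytes(32)}  # constructed enrolment record
    token, site = Token(creds), RelyingParty("https://accounts.example.com", creds)
    # Legitimate login: the browser is at the real origin.
    ok = site.verify("kh-1", *token.sign("kh-1", site.challenge(), site.origin))
    # Relayed login: a look-alike site forwards the real challenge, but the
    # browser reports the look-alike origin, so the site rejects it.
    relayed = site.verify("kh-1", *token.sign("kh-1", site.challenge(), "https://accounts-example.com"))
    return ok, relayed
```

By contrast, a TOTP code carries no origin at all, which is why the same relay works against it.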


How would you phish 2FA "at the same time"?


You ask for the token as well and login with it at the same time.

It'll trip you up later if it asks again (e.g. when changing a password or setting up mail forwarding), but your session cookie will be valid for quite some time.


As I read the part about LinkedIn not mandatorily logging out all your devices, all I could think was that it wouldn't make a difference, because who actually engages with LinkedIn often enough to expect to remain logged in?

Maybe I'm assuming too much that other people are like me, but I interact with Facebook as many times per day as I do per year with LinkedIn.


There are people with the app installed on their phones. They are logged in all the time.


Naturally, of course there are. But the whole article was written about hacking a typical internet user, and my point was that the percentage of people who a) have the LinkedIn app installed on their phone and b) actually open it with any regularity is small enough not to be representative of a typical internet user.


Alex kuza55



