Sure "github", I'll click on your link, this is obviously not a phishing attempt /s

Looking further, if you click on one of the links below, like the security link, it will bring you to the official GitHub security page.

Then, if you fill in anything for a name and password, as shown below, it will just forward you to GitHub's own homepage (where you can notice that you're still not logged in)

@blacklight447 Isolate yourself in some VM and click it? See what it does?

@blacklight447 One way to prevent this kind of phishing site is by using a hardware security key. Authenticator-based OTP would fail, but not a security key.

@ewon_c Of course a hardware key would be better. One issue with those though is that they are easy to use, and hard to make backups from, so you have to consider what would be a more likely scenario: someone losing access by losing their key, or someone being tricked into filling in both their TOTP and password codes?

@blacklight447 Indeed, real life scenarios are much nastier. One thing I found is that most sites offer OTP as a backup even if a security key is enabled. My understanding is that you should use a security key if you can (to prevent phishing); if you cannot or lose it, you can still use OTP.
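
The difference the replies above describe, as an added example that is not part of the thread: a TOTP code is the same digits wherever it is typed, while a security-key assertion carries the origin the browser actually saw, which the real server checks. The domains, secret and challenge are constructed, and the signature check that makes these fields tamper-proof in real WebAuthn is omitted here.

```python
import base64, hashlib, hmac, json, struct

# All names and values below are constructed for illustration.
REAL_ORIGIN, REAL_RP_ID = "https://login.example", "login.example"
PHISH_ORIGIN, PHISH_RP_ID = "https://login-example.test", "login-example.test"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the usual authenticator-app setting."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    # The server only sees digits; they carry no trace of where they were typed.
    return hmac.compare_digest(totp(secret, now), code)

def browser_assertion(origin: str, rp_id: str, challenge: bytes):
    """What the browser and key produce: the browser, not the page, sets origin."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    # authenticatorData = SHA-256(rpId) | flags (0x01 = user present) | signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    return client_data, auth_data

def server_accepts_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> bool:
    """Origin-binding checks of WebAuthn verification (signature check omitted)."""
    cd = json.loads(client_data)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == b64url(challenge)
            and cd.get("origin") == REAL_ORIGIN
            and hmac.compare_digest(auth_data[:32],
                                    hashlib.sha256(REAL_RP_ID.encode()).digest()))

def demo():
    secret, now, challenge = b"12345678901234567890", 59, b"constructed-challenge"
    code_typed_on_lookalike = totp(secret, now)
    via_lookalike = browser_assertion(PHISH_ORIGIN, PHISH_RP_ID, challenge)
    via_real_site = browser_assertion(REAL_ORIGIN, REAL_RP_ID, challenge)
    return (server_accepts_totp(secret, code_typed_on_lookalike, now),
            server_accepts_assertion(*via_lookalike, challenge),
            server_accepts_assertion(*via_real_site, challenge))

if __name__ == "__main__":
    print(demo())
```

The first result shows the OTP entered on the look-alike still verifies at the real server, the second that an assertion made on the look-alike origin is rejected, and the third that the same key works on the real site.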
