EP40 2021: Phishing is Solved?

Guests

• Elie Bursztein, security, anti-abuse and privacy researcher @ Google
• Kurt Thomas, security, anti-abuse and privacy researcher @ Google

Topics:

• Can we say that "Multi-Factor Authentication - if done well - fixes phishing for good" or is this too much to say?
• What are the realistic and seen-in-the-wild bypasses for MFA as a protection?
• How do you think these controls fare vs top tier attackers (clearly, they work vs commodity threats)?
• What do we know about burden vs value of MFA today?
• What can we realistically do to increase MFA/2FA adoption to the 90%s?
• Can we share anything about what we're seeing as industry benchmarks on MFA adoption so far?
• We've seen a lot of ugly debates over the value of SMS as MFA, what is your research-based take on this?

Resources:

• Google Titan Security Key
• "Malicious Documents Emerging Trends: A Gmail Perspective" (RSA 2020)
• "New research: How effective is basic account hygiene at preventing hijacking"
• "New Research: Lessons from Password Checkup in action"
• "New research reveals who's targeted by email attacks"
• "New research: Understanding the root cause of account takeover"
• ""Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns"
• "Tales from the Trenches: Using AI for Gmail Security" (ep28)