- A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
- Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
- Hunt has detailed the attack and warned his subscribers in a timely fashion.
Solving the “being human” part of security will probably never happen, which is why you’re encouraged to do stuff like use 2FA, different passwords, service isolation and stuff like that.
Anyone and everyone can be fooled at some point, best to try and limit the damage.
Exactly. Put as many obstacles as possible into the path of scammers, and give yourself as many chances as possible to stop said scammers, and all without making services too annoying to use.
MFA + password manager seems to work well.
I just never click links in email.
I clicked one once by accident when trying to select it. You can be as diligent as you want you still will slip up from time to time
Should have put the safety on. You need some trigger discipline.
Never point an email at something you’re not willing to click.
If you use a password manager it won’t fill credentials because it will be the wrong domain
FIDO2 and security keys are the closest things we have to a solution. Unfortunately far too few companies support them. It would have saved him here because each credential only works with the proper URL for it.