Does 2-FA REALLY prevent phishing attacks?

Say for some odd reason you end up on a phishing site pretending to be AlphaBay. Now say they have configured their server to create a session with AlphaBay once you connect with them, so that the captcha they show you is the same one that AlphaBay generates, and you send the result through them to AlphaBay. Now they have your password, but you are left with PGP authentication. But all they have to do is send you what they are fetching from AlphaBay, and send it to you, so that AlphaBay receives your authenticated message, and now this malicious site has your session. Say you continue to use this site and happen to input your PIN, now this malicious site can just withdraw all your coins. I don't see how 2-FA is really doing anything here. Can someone help me out? It seems to just create the illusion of protection, or making it only slightly harder for phishing sites to steal your money.


Comments


[1 Points] honestlyimeanreally:

AlphaBay sends you an encrypted message with your public key, though.

Phishing site doesn't have your public key(?)


[1 Points] CalifornicationGreat:

You're right, it wont. But that's not what 2fa prevents. 2fa prevents someone from hacking into your account. Say they some how figure out your password through a password cracker. Well they won't be able to then Crack your pgp private key which is necessary to log in when 2fa is enabled. The user, however, still has to do their part and not enter a phishing site, which is easily prevented by checking through various means that one has the correct onion url.

You pretty much answered your own question indirectly with your opening sentence.


[1 Points] squirrel42:

I have taken both 2-FA and 4-FA, never been phished on either. 5/5 would do again.


[1 Points] GrandWizardsLair:

If the attacker has set up a proxy which links to AB with wget or curl (Unix commands which are beyond the Wiz's paygrade), they may be able to bypass your 2FA setup by allowing you to sign on via their proxy, then hijacking your session. ATGWUI this attack has been seen in the wild a couple times but it is pretty rare and requires a good bit of hacking skill.

What is more common are sites which mimic the look and feel of the AlphaBay login screen but which return a 404 or 403 when you press "Enter." These phishing sites steal your login/password combo. If you don't have 2FA installed that is all they need to gain access to their account. If you do, that login and password is useless. They will get to the 2FA screen and be unable to decrypt it since they don't have your private key.

tl/dr; 2FA will save you against the most prevalent phishing attacks. There are a few rare attacks which may be able to circumvent 2FA protections -- and you can guard against these by bookmarking your URLs and/or getting them only from trusted sources like the Darknetmarkets superlist, DNM Avengers, etc.


[0 Points] None:

[removed]


[0 Points] spacetimed:

Yes, 2FA will save your ass against phishing as long as the password you accidentally gave to them is not used on any other markets/services where 2FA is used. This is of course implying that they only got the username/password and did not somehow get your key pair.