upvote

points

by Tharre3 hours ago |
comments
upvoteby tadfisher2 hours ago|
next
[-]
> He then walks them through "updating" their app, effectively going through the "new device" workflow - except the new device is the same as the old one, just with the backdoored app.

This is where the scheme breaks down: the new passkey credential can never be associated with the legitimate RP. The attacker will not be able to use the credential to sign in to the legitimate app/site and steal money.

The attacker controls the fake/backdoored app, but they do not control the signing key which is ultimately used to associate app <-> domain <-> passkey, and they do not control the system credentials service which checks this association. You don't even need attestation to prevent this scenario.

reply
upvoteby Tharre1 hours ago|
parent|
[-]
> do not control the signing key which is ultimately used to associate app <-> domain <-> passkey, and they do not control the system credentials service which checks this association.

You're assuming the attacker must go through the credential manager and the backing hardware, but that is only the case with attestation. Without it, the attacker can simply generate their own passkey in software, because the backend on the banks side would have no way of telling where the passkey came from.

reply
upvoteby tadfisher1 hours ago|
parent|
[-]
How did the service authenticate the user in order to create the new credential within the attacker-controlled app?
reply
upvoteby Tharre1 hours ago|
parent|
[-]
With banks, typically a combination of your account number, pin and some confirmation code sent via email or SMS. And of course unregistering your previous device. Not sure where you're going with this though?
reply
upvoteby tadfisher29 minutes ago|
parent|
[-]
I am just pointing out that you are essentially saying passkeys can be phished because banks can allow phishable credentials to bypass passkeys.
reply
upvoteby microtonal2 hours ago|
prev|
[-]
I understand how passkeys work. You don't need the legitimate app's credentials, we're talking about phishing attacks, you're trying to bring the victim to giving you access/control to their account without them realizing that that's what is happening.

That doesn't work, because the scammer's app will be signed with a different key, so the relying party ID is different and the secure element (or whatever hardware backing you use), refuses to do the challenge-response.

reply