Can fake phising sites mimic the QR code?

Todas as discussões > Fóruns Steam > Steam Discussions > Detalhes do tópico

Bakim The Looter 25 fev. 2024 às 12:02

Let's say i want to log in into a third party site via the QR code. If i can login with the QR code is that proof it is a legit site and not some phising site that will steal your info?

< >

A mostrar 1-15 de 37 comentários

Eagle_of_Fire 25 fev. 2024 às 14:06

The only thing a QR code does is provide whichever object you are scanning with an internet link.

Yes, scammers can definitely send you places you would not want to go to. Once you are sent where ever on the net malicious software can be installed almost instantaneously without you noticing.

rawWwRrr 25 fev. 2024 às 14:15

QR code is there for convenience. It is not more secure than entering in a code.

cinedine 25 fev. 2024 às 14:55

Originalmente postado por Zorgλ:
Let's say i want to log in into a third party site via the QR code. If i can login with the QR code is that proof it is a legit site and not some phising site that will steal your info?

Do not login via third party sites. Ever. At all.
Only log into Steam via steampowered.com or steamcommunity.com - preferably via bookmarks in your browser. Any site that is actually using Steam's OpenId will receive your account upon request and not ask you to login again.

And yes, they can simply pass the QR code they got from their login attempt, meaning you will confirm *their* login.

D. Flame 25 fev. 2024 às 16:34

Yes, using QR codes is notoriously risky, and they should be avoided as much as possible.

Qbert ⭐ 25 fev. 2024 às 17:04

QR is an easy way to login in the steam client...

I wouldnt use it on websites at all.

Phising websites are using the QR too

BloodShed 25 fev. 2024 às 22:49

Originalmente postado por cinedine:
Originalmente postado por Zorgλ:
Let's say i want to log in into a third party site via the QR code. If i can login with the QR code is that proof it is a legit site and not some phising site that will steal your info?

Do not login via third party sites. Ever. At all.
Only log into Steam via steampowered.com or steamcommunity.com - preferably via bookmarks in your browser. Any site that is actually using Steam's OpenId will receive your account upon request and not ask you to login again.

And yes, they can simply pass the QR code they got from their login attempt, meaning you will confirm *their* login.

Which is why you double check the login location BEFORE confirming.

Pscht 25 fev. 2024 às 22:57

"Fake phishing sites" as opposed to "real phishing sites"?

_veleron 26 fev. 2024 às 0:12

Originalmente postado por Qbert ⭐:
Phising websites are using the QR too

And what do they do with it?
Steam reads this QR, understands that it's not a legitimate steam partner link and does nothing.
Then what?

Eagle_of_Fire 26 fev. 2024 às 0:25

Originalmente postado por _veleron:
Originalmente postado por Qbert ⭐:
Phising websites are using the QR too
And what do they do with it?
Steam reads this QR, understands that it's not a legitimate steam partner link and does nothing.
Then what?

What make you think that Steam in an intermediary step in any of this?

_veleron 26 fev. 2024 às 0:27

Originalmente postado por Eagle_of_Fire:
What make you think that Steam in an intermediary step in any of this?

If it's the steam authenticator app that does the reading and processing of the code...
If it's not, then what's the point. QR is just a link then.

Última alteração por _veleron; 26 fev. 2024 às 0:30

#10

Eagle_of_Fire 26 fev. 2024 às 0:29

Originalmente postado por _veleron:
Originalmente postado por Eagle_of_Fire:
What make you think that Steam in an intermediary step in any of this?
If it's the steam authenticator app that does the reading and processing of the code...

We are obviously not talking about the same thing here. Beside, have you never heard of scams artists who just obfuscate the link and still make you believe everything has happened as normal?

Steam itself has nothing to do with all of this. What is going to happen is that you get malware on whatever device you use and they then use gathered information to steal your data/login info/accounts etc.

I'm not trying to fear monger here. I'm just answering OP question.

#11

_veleron 26 fev. 2024 às 0:31

Originalmente postado por Eagle_of_Fire:
I'm not trying to fear monger here. I'm just answering OP question.

My understanding is that the OP asked about the built-in authenticator functionality. Anything else just wouldn't make any sense.

#12

Eagle_of_Fire 26 fev. 2024 às 0:32

Originalmente postado por _veleron:
Originalmente postado por Eagle_of_Fire:
I'm not trying to fear monger here. I'm just answering OP question.
My understanding is that the OP asked about the built-in authenticator functionality. Anything else just wouldn't make any sense.

The answer is still the same. Yes, code can be "mimiked"...

#13

cinedine 26 fev. 2024 às 0:34

Originalmente postado por _veleron:
Originalmente postado por Qbert ⭐:
Phising websites are using the QR too
And what do they do with it?
Steam reads this QR, understands that it's not a legitimate steam partner link and does nothing.
Then what?

What "Steam partner link"?
When you log into Steam from a new "device", you get an option to do so with a QR code. You can simply take this picture, put it on your phishing site and have the owner confirm the login. You are loging into Steam itself, not some partner site. Or rather *they* log into Steam with your account data.

QR code login is for convenience, not security.
It is functionally the same as any other OTP method and this prone to phishing.

It is not the same as masking a link to a phishing site behind the code, which is another attack vector.

Última alteração por cinedine; 26 fev. 2024 às 0:43

#14