
Show HN: Phishar – Security Expert in Your Pocket - Coxa
https://www.phishar.com/
======
helb
How does it cope with non-ASCII characters and various fonts? Suppose you had
"ɡoogle.com" instead of "gooble.com" in that demo video (the first "g" is not
a regular "g", but " U+0261 LATIN SMALL LETTER SCRIPT G")… Browsers tend to
show IDN names in the "xn--…" punycode format, but not always.

[https://en.wikipedia.org/wiki/IDN_homograph_attack](https://en.wikipedia.org/wiki/IDN_homograph_attack)

[https://unicode.org/cldr/utility/confusables.jsp?a=google&r=...](https://unicode.org/cldr/utility/confusables.jsp?a=google&r=None)

[https://ma.ttias.be/show-idn-punycode-firefox-avoid-
phishing...](https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-
urls/)

------
ivosluganovic
Thanks for posting!

While this might be common knowledge on this forum (is it?!), many users are
unaware that even having 2FA does not protect them against credential theft
via phishing. Such attacks are growing rapidly given recent exploit kits for
OTP-based 2FA that are publicly available on Github
([https://github.com/drk1wi/Modlishka](https://github.com/drk1wi/Modlishka)).

PhishAR prevents such attacks by requiring that the visited domain and SSL are
first checked by the user's app and only then revealing the OTP.

Any feedback would be very helpful. We are aiming at enterprise users where
getting everyone to use FIDO U2F might be harder to achieve, but 2FA is
mandatory (e.g. due to GDPR).

What do you think? Let us know if you would be happy testing the app once we
get it a bit more polished.

