Here's a particularly interesting bit:

> Rao said he had previously set up two-factor authentication to access his account, and Bagheri said she’s certain her Robinhood password is unique from all others, including her email. Neither believed they had been duped by phishing scams or malware. Both said they use the same email for Robinhood and other accounts, and that only Robinhood has been affected.

Usually, these situations can be at least partially blamed on credential stuffing, but claims such as these warrant further investigation. Credential stuffing isn't supposed to work if 2FA is properly configured, and phishing shouldn't work if something like TOTP is implemented correctly--although it quite often isn't.

> and phishing shouldn't work if something like TOTP is implemented correctly

TOTP codes can be phished. Hardware-based 2FA is a different matter, but SMS and TOTP 2FA don't fully protect against phishing.

Only for high-value targets, right? Takes some work to spoof.

No. Phishing SMS/TOTP tokens works the same as normal phishing. You need U2F to protect against phishing.

The complex attack you are probably thinking of is SIM swapping, which is a bit different from phishing.

TOTP gets a little tricky when it comes to phishing, but only because most phishing attacks that target casual users (rather than spear phishing attacks) aren't capable of logging in immediately. Naturally, that would change if enough people started using TOTP, but for now, TOTP is enough to avoid becoming low-hanging fruit.

Of course, if you're a high-value target or work for a company that's likely to be targeted by spear-phishing campaigns, you should be using FIDO2. (Don't target U2F, as there are newer, backward-compatible specifications.)

Yeah, most phishing attacks can't auto-login, but there is an open source tool for doing it:

https://github.com/kgretzky/evilginx2
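An added example, not from this thread or from any tool it mentions, of why the TOTP-versus-U2F/FIDO2 distinction above holds on the server side: a TOTP check has no notion of where the code was typed, so a code relayed through a phishing proxy verifies, while a WebAuthn-style check rejects an assertion whose browser-supplied origin is not the site's own. The relying-party name, keys and challenge are constructed, and an HMAC with a shared key stands in for the real public-key signature.

```python
import hashlib
import hmac
import json
import struct

RP_ID = "bank.example"                  # constructed relying-party id
EXPECTED_ORIGIN = "https://bank.example"  # constructed legitimate origin

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps), as an authenticator app computes it."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The code carries no information about where it was typed, so a code the
    # victim entered on a phishing page and the proxy forwarded verifies fine.
    return any(hmac.compare_digest(totp(secret, now + d), submitted) for d in (-30, 0, 30))

def authenticator_sign(cred_key: bytes, origin: str, challenge: str):
    # Simplified WebAuthn: the browser, not the page, writes the origin it is
    # actually on into clientDataJSON, and the signature covers that data.
    # HMAC with a shared key stands in for the real public-key signature.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True).encode()
    signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    return client_data, hmac.new(cred_key, signed, hashlib.sha256).digest()

def server_accepts_assertion(cred_key: bytes, client_data: bytes, sig: bytes, challenge: str) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:  # origin binding: a relayed assertion fails here
        return False
    signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig)

def demo():
    secret, now = b"constructed-totp-seed", 1_600_000_000
    relayed_code = totp(secret, now)  # victim typed it into the phishing page
    cred_key, challenge = b"constructed-credential-key", "c0ffee"  # challenge relayed by the proxy
    legit = server_accepts_assertion(cred_key, *authenticator_sign(cred_key, EXPECTED_ORIGIN, challenge), challenge)
    phished = server_accepts_assertion(cred_key, *authenticator_sign(cred_key, "https://bank-login.example", challenge), challenge)
    return server_accepts_totp(secret, relayed_code, now), legit, phished
```

Real WebAuthn additionally has the browser derive the rpIdHash from the requesting origin, so a phishing page cannot even ask for the real site's credential; the origin check shown is the part the relying party itself must implement.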