|
fins posted:Uk gov kinda secfuck: When setting up for 2FA for filing tax returns to HMRC, the instructions tell you to open an app store and search for "authenticator app". No specific one, just any authenticator app; their dev docs specify that its an oauth 2 token that's required. that's pretty cooked. by comparison here in AU it's kinda the opposite: a few years ago they centralised several federal gov services (ATO, Centrelink, Medicare, etc.) into a single portal called myGov. then not long after they introduced MFA support with a dedicated TOTP app: https://play.google.com/store/apps/details?id=au.gov.dhs.centrelink.mygovauthenticator (it's the only one that works with the portal). however the app has no recovery code mechanism which they stress repeatedly with warnings like "IF YOU LOSE YOUR PHONE YOU ARE hosed AND HAVE TO GO TO A PHYSICAL DHS (DEPT OF HUMAN SERVICES) OFFICE TO UNFUCK YOUR poo poo". if you want to switch phones you have to disable MFA on your myGov account and then re-enable it with the app on your new phone. so yeah, more secure but quite aggressive (hopefully not so much that it scares people off from setting it up). i think they also do MFA via SMS but gently caress that. edit: gently caress me this is like my third snipe within an hour edit2: lmao just saw the reviews of the app on the play store, 2.2 outta 5 Pile Of Garbage fucked around with this message at 11:27 on Jan 23, 2020 |
#
?
Jan 23, 2020 11:24
|
|
|
|
| # ? Apr 26, 2024 13:02 |
|
|
fins posted:Uk gov kinda secfuck: When setting up for 2FA for filing tax returns to HMRC, the instructions tell you to open an app store and search for "authenticator app". No specific one, just any authenticator app; their dev docs specify that its an oauth 2 token that's required. that's unfortunately stupidly common: "search for [very generic description]" rather than the actual name of the thing they want you to use
|
|
#
?
Jan 23, 2020 13:57
|
|
|
dregan posted:santander tried that with me, but they never trained their voice recognition on northern irish accents lol like this but diff. accent https://www.youtube.com/watch?v=MNuFcIRlwdc
|
|
#
?
Jan 23, 2020 14:42
|
|
|
dregan posted:five minutes of disappointing a computer do not have sex with computer
|
|
#
?
Jan 23, 2020 15:07
|
|
|
dregan posted:santander tried that with me, but they never trained their voice recognition on northern irish accents i'm now imagining o'brien yelling at the enterprise's computer over and over again and it's real good
|
|
#
?
Jan 23, 2020 15:44
|
|
|
mystes posted:Companies such as advertisers buy people's transaction data from credit card companies, although I don't know if delayed somewhat or includes exact amounts? If it's detailed enough it could be a lot easier to obtain from the companies that buy it rather than directly from the banks. I know this is an old post but: - the data is individual transaction level, with exact amounts and time and the description as it appears on your cc statement (minus anything an "ml" model can determine is pii) - the anonymisation sucks and in any case the transactions are correlated by account, so some number of individuals are easy to identify. Similarly you can work out what the bank even though they are meant to be undisclosed - it includes debits so in some cases you can work out employer and salary as well as where they shop - I'm not sure it's the cc companies selling it mostly, as far as I know it's apps and account integrations, although I heard a rumor that some the card providers were selling it so who knows - somewhere between 1 and 10% of the us population are in these datasets, there are multiple providers and there's no way bits of the data haven't leaked multiple times
|
|
#
?
Jan 23, 2020 15:46
|
|
|
Chris Knight posted:that's unfortunately stupidly common: "search for [very generic description]" rather than the actual name of the thing they want you to use this is partly why push MFA is more secure than TOTP: less risk of installing/using the wrong app that fucks with your phone and/or gives a third-party access to the generated pins. the dumb middle-ground is garbo corps making their own provisioned TOTP apps that are approved server-side (Symantec VIP comes to mind).
|
|
#
?
Jan 23, 2020 15:48
|
|
|
If you wanted to run a targeted cold open blackmail scheme the card transaction data would be 100% the easiest way to do it at medium scale.
|
|
#
?
Jan 23, 2020 15:49
|
|
|
Pile Of Garbage posted:this is partly why push MFA is more secure than TOTP: less risk of installing/using the wrong app that fucks with your phone and/or gives a third-party access to the generated pins. the dumb middle-ground is garbo corps making their own provisioned TOTP apps that are approved server-side (Symantec VIP comes to mind). we could just have authenticator apps built in to the phone the same way the dialer is or w/e so nobody has to get a critical security thing from the app store at random i mean then you'd wind up having to use the LG Totally Secure TOTP App or w/e if you don't buy an iphone or goog-favorite phone but that's kinda a lateral move I guess
|
|
#
?
Jan 23, 2020 15:59
|
|
|
pointsofdata posted:If you wanted to run a targeted cold open blackmail scheme the card transaction data would be 100% the easiest way to do it at medium scale. It's also trivial to phish people's actual banking/CC credentials over the phone by pretending to be from the bank's fraud department and reading some of their old transactions to them. I've had a relatively cautious client get hit like this.
|
|
#
?
Jan 23, 2020 15:59
|
|
|
infernal machines posted:It's also trivial to phish people's actual banking/CC credentials over the phone by pretending to be from the bank's fraud department and reading some of their old transactions to them. I've had a relatively cautious client get hit like this. It's something which you assume is private but really isn't! At least lots of people know that their phones are tracking their location.
|
|
#
?
Jan 23, 2020 16:12
|
|
|
if I was bezos I'd be getting so, so, many dongs shipped to bin salman right now
|
|
#
?
Jan 23, 2020 16:19
|
|
|
Powerful Two-Hander posted:if I was bezos I'd be getting so, so, many dongs shipped to bin salman right now every barrel of oil we buy from saudi arabia shall be returned filled with lube
|
|
#
?
Jan 23, 2020 17:00
|
|
|
Powerful Two-Hander posted:if I was bezos I'd be getting so, so, many dongs shipped to bin salman right now Amazon® DongStrike™
|
|
#
?
Jan 23, 2020 17:28
|
|
|
rods from god
|
|
#
?
Jan 23, 2020 17:32
|
|
|
Shame Boy posted:we could just have authenticator apps built in to the phone the same way the dialer is or w/e so nobody has to get a critical security thing from the app store at random Microsoft authenticator is the only auth app anyone should use
|
|
#
?
Jan 23, 2020 18:41
|
|
|
Shaggar posted:Microsoft authenticator is the only auth app anyone should use Even better, Microsoft Authenticator is 100% compatible with the Google Authenticator.
|
|
#
?
Jan 23, 2020 18:46
|
|
|
does the google authenticator support push notification auth? we use the ms one at work and I just use it as a otp generator for everything as well so I've never actually touched the google one
|
|
#
?
Jan 23, 2020 18:49
|
|
|
they do not.
|
|
#
?
Jan 23, 2020 18:53
|
|
|
microsoft authenticator backs up your tokens to icloud which misses the point of 2FA
|
|
#
?
Jan 23, 2020 18:53
|
|
|
pseudorandom name posted:microsoft authenticator backs up your tokens to icloud which misses the point of 2FA well, I assume the backup db is encrypted, but it's still silly on android it just backs up to a personal ms account
|
|
#
?
Jan 23, 2020 18:56
|
|
|
The Fool posted:well, I assume the backup db is encrypted, but it's still silly So does the iOS version.
|
|
#
?
Jan 23, 2020 19:04
|
|
|
The ios version backs up to icloud.
|
|
#
?
Jan 23, 2020 19:07
|
|
|
pseudorandom name posted:microsoft authenticator backs up your tokens to icloud which misses the point of 2FA nah totp’s big win is that the credential expires and isn’t shared between services (since each service generates their own secret)
|
|
#
?
Jan 23, 2020 19:30
|
|
|
Shaggar posted:Microsoft authenticator is the only auth app anyone should use I use it but is there a reason it doesn't support qr codes?
|
|
#
?
Jan 23, 2020 19:30
|
|
|
Jenny Agutter posted:I use it but is there a reason it doesn't support qr codes? But it does
|
|
#
?
Jan 23, 2020 19:41
|
|
|
Cocoa Crispies posted:nah if you can make copies of the thing that generates the codes it stops being something you have and becomes something you know, pretty much just another password, so it's not really 2FA since it's not a second factor whether or not this actually matters in practice, who knows
|
|
#
?
Jan 23, 2020 19:57
|
|
|
ratbert90 posted:Even better, Microsoft Authenticator is 100% compatible with the Google Authenticator. goog auth is just totp which Microsoft auth supports but Microsoft auth also supports push which is superior.
|
|
#
?
Jan 23, 2020 19:59
|
|
|
Jenny Agutter posted:I use it but is there a reason it doesn't support qr codes? it definitely does
|
|
#
?
Jan 23, 2020 20:00
|
|
|
Shaggar posted:goog auth is just totp which Microsoft auth supports but Microsoft auth also supports push which is superior. I do like push. It's quite convenient.
|
|
#
?
Jan 23, 2020 20:01
|
|
|
Shame Boy posted:if you can make copies of the thing that generates the codes it stops being something you have and becomes something you know, pretty much just another password, so it's not really 2FA since it's not a second factor if you can’t make a back up copy, the problem is “something you have” turns in to “something nobody has” I’d wager that totp gets hosed up by people losing the secret way more than their secret falling into malicious hands
|
|
#
?
Jan 23, 2020 20:29
|
|
|
push it to the limit
|
|
#
?
Jan 23, 2020 20:37
|
|
|
mycrimes.mp4 https://www.youtube.com/watch?v=qk2jeE1LOn8
|
|
#
?
Jan 23, 2020 20:37
|
|
|
Cocoa Crispies posted:if you can’t make a back up copy, the problem is “something you have” turns in to “something nobody has” in conclusion, security is a land of contrasts
|
|
#
?
Jan 23, 2020 20:38
|
|
|
The Dialectics of SecFuck.
|
|
#
?
Jan 23, 2020 20:43
|
|
|
Cocoa Crispies posted:if you can’t make a back up copy, the problem is “something you have” turns in to “something nobody has” you can back up iphones locally with encryption through itunes sync, is that an option on android?
|
|
#
?
Jan 23, 2020 21:19
|
|
|
ratbert90 posted:I do like push. It's quite convenient. do you have authentication in your house?
|
|
#
?
Jan 23, 2020 21:56
|
|
|
haveblue posted:you can back up iphones locally with encryption through itunes sync, is that an option on android? more people post in this thread than take local encrypted iPhone backups
|
|
#
?
Jan 23, 2020 22:30
|
|
|
check all your totp codes into github, problem solved
|
|
#
?
Jan 23, 2020 23:07
|
|
|
|
| # ? Apr 26, 2024 13:02 |
|
|
HasMyOTPbeenOwned.com Oh my god, all my codes are in this dump!
|
|
#
?
Jan 23, 2020 23:09
|
|
