infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
lmao

https://twitter.com/MalwareTechBlog/status/1370523943572926464

when all you've got is problems, what's one more?


Achmed Jones
Oct 16, 2004



i found some terrible teenageposting of mine on hacker usenet a while ago and it was very embarrassing

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.



Kazinsal posted:


you can write a functional unix kernel and tcp stack in less than ten thousand lines of code

most people can't, so that's why Javascript is popular

RFC2324
Jun 7, 2012

http 418


but at least it's pretty

Garrand
Dec 28, 2012

Rhino, you did this to me!

Achmed Jones posted:

i found some terrible teenageposting of mine on hacker usenet a while ago and it was very embarrassing

Almost all my teenage embarrassing posts were on a long gone torrent site. Yahaa.org, oh the memories.

Quackles
Aug 11, 2018

Pixels of Light.


All mine were on a thankfully vanished forum RP.

Ulf
Jul 15, 2001

FOUR COLORS
ONE LOVE
Nap Ghost
Most of mine are locked away behind forums search.

BlankSystemDaemon
Mar 13, 2009



Surely the trick is to have no shame?

Chris Knight
Jun 5, 2002

me @ ur posts


Fun Shoe
oh boy
https://twitter.com/jason_koebler/status/1371516006133293056

hobbesmaster
Jan 28, 2008


this is using the same technique as a sim hijack - namely that MNOs have to respond to any number portability request quickly and they’re not penalized for not checking signatures or anything so they will just put anything through. in this case it’s an SMS rerouting request

the problem is that the law, or at least the implementing regulations, is itself what is being exploited, so it’s difficult to fix

Kesper North
Nov 3, 2011

EMERGENCY POWER TO PARTY
Law enforcement has also been known to take advantage of this to simply buy SMS reroutes (or the resulting take) because it's perfectly legal and doesn't require a warrant or anything crazy like that.

Raymond T. Racing
Jun 11, 2019

small secfuck: selling stolen emails/passwords and using stripe for payment processing
medium secfuck: getting the site seized by the FBI
big secfuck: feebs forgetting to renew the domain, someone snatching it out from under them, creating a new email to reset the stripe password and dump the buyer info

https://krebsonsecurity.com/2021/03/weleakinfo-leaked-customer-payment-info/

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



Buff Hardback posted:

small secfuck: selling stolen emails/passwords and using stripe for payment processing
medium secfuck: getting the site seized by the FBI
big secfuck: feebs forgetting to renew the domain, someone snatching it out from under them, creating a new email to reset the stripe password and dump the buyer info

https://krebsonsecurity.com/2021/03/weleakinfo-leaked-customer-payment-info/

holy loly

ate shit on live tv
Feb 15, 2004

by Azathoth

Powerful Two-Hander posted:

gently caress you cisco your software is garbage

This was the most important rule I learned when I worked at Cisco.

Potato Salad
Oct 23, 2014

nobody cares



jesus christ

it's already hard enough for the elderly to do their banking / investment management. I don't see a path to non sms mfa in finance

we have to loving fix sms.

Quackles
Aug 11, 2018

Pixels of Light.


Authenticator apps for all! Sooner rather than later, too.

Dylan16807
May 12, 2010

Potato Salad posted:

jesus christ

it's already hard enough for the elderly to do their banking / investment management. I don't see a path to non sms mfa in finance

we have to loving fix sms.

for something as important as a bank or investment account, can't they just mail an OTP token?

RFC2324
Jun 7, 2012

http 418

app with push auth instead of sms is actually really easy to use!

when I log in to any number of sites my phone gets a yes/no pop up, which is WAY easier than sms

Varkk
Apr 17, 2004

But that requires a smartphone and setting up the appropriate Authenticator app. This is at least two bridges too far for a significant chunk of users.

RFC2324
Jun 7, 2012

http 418

Varkk posted:

But that requires a smartphone and setting up the appropriate Authenticator app. This is at least two bridges too far for a significant chunk of users.

the auth app part is easy, make it part of new customer onboarding with the bank, do a massive outreach to your current customer base etc etc. It's a human problem, and those can be managed

the lack of smartphone, even if banks started handing them out free, is a bigger obstacle, after having tried to sell someone in their 60s on a smartphone

Shaggar
Apr 26, 2006
we allow phone call auth for people without smartphones or who don't want to install microsoft authenticator. no sms tho.

Quackles
Aug 11, 2018

Pixels of Light.


Shaggar posted:

we allow phone call auth for people without smartphones or who don't want to install microsoft authenticator. no sms tho.

You only allow Microsoft Authenticator? :stonk: Not the usual 'code refreshes every 30 seconds' types?

(I admit to being opinionated. I just am not a fan of Microsoft Auth because it needs a connection, as opposed to connectionless ones like Google Authenticator and anything that uses that same method).

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Dylan16807 posted:

for something as important as a bank or investment account, can't they just mail an OTP token?

They can, and have! You can see by the prevalence of OTP options for banking how well that worked out.

ClassActionFursuit
Mar 15, 2006

Quackles posted:

You only allow Microsoft Authenticator? :stonk: Not the usual 'code refreshes every 30 seconds' types?

(I admit to being opinionated. I just am not a fan of Microsoft Auth because it needs a connection, as opposed to connectionless ones like Google Authenticator and anything that uses that same method).

look who you're replying to

RFC2324
Jun 7, 2012

http 418

Quackles posted:

You only allow Microsoft Authenticator? :stonk: Not the usual 'code refreshes every 30 seconds' types?

(I admit to being opinionated. I just am not a fan of Microsoft Auth because it needs a connection, as opposed to connectionless ones like Google Authenticator and anything that uses that same method).

the problem with the code approach is getting granny to enter it before it expires

have you ever watched a geriatric try and enter one of those codes? you are lucky if they do it in under 2 minutes

Kazinsal
Dec 13, 2011



the problem there is, at the core, the geriatrics.

we live in a golden age of accessible virtual reality. nursing homes should come equipped with cheap VR kits for each resident. give them their own 1950s-flavoured VRChat server and let them do crossword puzzles, work on classic cars, have brunch at diners, and hold biweekly cross burnings in that 16 hours a day

Wild EEPROM
Jul 29, 2011


oh, my, god. Becky, look at her bitrate.
the problem is more that techlords working at google or wherever change the interface every update and if you don’t already know what you’re doing then you never will

Chalks
Sep 30, 2009

Quackles posted:

You only allow Microsoft Authenticator? :stonk: Not the usual 'code refreshes every 30 seconds' types?

(I admit to being opinionated. I just am not a fan of Microsoft Auth because it needs a connection, as opposed to connectionless ones like Google Authenticator and anything that uses that same method).

we've never had any issues with the ms authenticator, do you mean there might be an issue if you have no wireless internet and no phone signal but need to log in? we also have phone call auth as a fallback but obviously if you have no phone signal that's of no use either.

needing to log into AD but not having a connection on your phone is honestly something that's never occurred to me.

Shifty Pony
Dec 28, 2004

Up ta somethin'


Wild EEPROM posted:

the problem is more that techlords working at google or wherever change the interface every update and if you don’t already know what you’re doing then you never will

This really is the root of the problem. If Google could go more than two months without chasing whatever twee bullshit is currently the fad, if Apple wouldn't redesign the "minimalist" wheel every iOS release, if Facebook wouldn't gently caress with their interface to try to force adoption of whatever copycat feature they are pushing this month... maybe people could learn.

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.
Pillbug
duo mobile is great, i have 4 or 5 duo-specific 2FA accounts configured, it is even nicer after getting an apple watch and being able to just hit 'approve' on the watch without having to even pick up my phone (even duo-2FA access to 'sudo' on a cluster, which i thought was really neat)

i also use duo mobile for plain 30-second expiry TOTP because why install something else

shame on an IGA
Apr 8, 2005

Startup thought: A specialist sales & support company that puts really comfy iRacing sim rigs in nursing homes preloaded with BEAMng Drive and all of them stream to twitch 24/7

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.
Pillbug
i really want my bank to allow TOTP 2FA as something i can opt in to instead of sms verification, nothing so extreme as github with "if you lose your totp key and recovery codes, your account is permanently inaccessible", maybe losing key + recovery codes means having to physically go to the bank and show ID to have that reset

so probably also not really feasible for credit cards with no physical locations spread across the country like amex or (at least in my area) citi

flakeloaf
Feb 26, 2003

Still better than android clock

Volmarias posted:

They can, and have! You can see by the prevalence of OTP options for banking how well that worked out.

it is harder to log into my world of warcraft account than it is to log into my loving bank account where my life savings are

Raymond T. Racing
Jun 11, 2019

Lysidas posted:

i really want my bank to allow TOTP 2FA as something i can opt in to instead of sms verification, nothing so extreme as github with "if you lose your totp key and recovery codes, your account is permanently inaccessible", maybe losing key + recovery codes means having to physically go to the bank and show ID to have that reset

so probably also not really feasible for credit cards with no physical locations spread across the country like amex or (at least in my area) citi

the trick with that is there’s already a regulatory solution. If you get actually properly hacked and money moved, you call your bank and tell them and they sort it out. there is no institutional need for stronger security because it’s handled at a regulatory level

Shame Boy
Mar 2, 2010

flakeloaf posted:

it is harder to log into my world of warcraft account than it is to log into my loving bank account where my life savings are

my credit union used to have abysmal security (max length password of like, 10 characters, alphanumeric only, poo poo like that) and then a couple years ago revamped it to be merely bad

baby steps :unsmith:

Jenny Agutter
Mar 18, 2009

Quackles posted:

You only allow Microsoft Authenticator? :stonk: Not the usual 'code refreshes every 30 seconds' types?

(I admit to being opinionated. I just am not a fan of Microsoft Auth because it needs a connection, as opposed to connectionless ones like Google Authenticator and anything that uses that same method).

imagine using a google app for something as important as 2fa, lol

it's wild that some accounts let you set up an authenticator app, but the recovery process for losing your authenticator is via sms. ubisoft does this, and i encountered another one recently but can't remember what it was

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Shifty Pony posted:

This really is the root of the problem. If Google could go more than two months without chasing whatever twee bullshit is currently the fad, if Apple wouldn't redesign the "minimalist" wheel every iOS release, if Facebook wouldn't gently caress with their interface to try to force adoption of whatever copycat feature they are pushing this month... maybe people could learn.

Woah hold up, how will VPs have a rationale for promotion / transfer if they don't shake everything up? What will the designers even do all day???

Will no one think of the upper managers?!

flakeloaf posted:

it is harder to log into my world of warcraft account than it is to log into my loving bank account where my life savings are

Your bank cannot tell you to, quote, "git gud," and it also allows you to handle an incident far more directly than blizzard ever would. Your bank has a physical presence where you can make a scene, flecks of spittle flying everywhere, as you scream about your extremely secure password of "lmao1234" being guessed and your SMS based token getting intercepted.

There are also far more olds and incompetents who will still need to use your bank, while blizzard is more than ok with not holding these people's hands.

xtal
Jan 9, 2011

by Fluffdaddy

Volmarias posted:

Your bank cannot tell you to, quote, "git gud,"

Achmed Jones
Oct 16, 2004



flakeloaf posted:

it is harder to log into my world of warcraft account than it is to log into my loving bank account where my life savings are

sounds like you need to store more of your net worth in purple swords


Guy Axlerod
Dec 29, 2008
Who needs to steal an SMS token for your bank when everyone you've ever written a check to has all the details needed to make an ACH withdrawal from your account.
