Author Topic: 2FA and security is about to get way worse....  (Read 1732 times)

0 Members and 1 Guest are viewing this topic.

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4327
2FA and security is about to get way worse....
« on: Thu, 05 May 2022, 23:10:45 »
So Apple, Google and Microsoft want to get rid of passwords, their plan is to now use your phone as a passphrase instead.
Just like 2FA, you would go to Google (or Apple or MS) and use your username, then it sends a text message to your phone to verify it's you with no password needed at all.

Let's try an experiment here, follow along, you lost your phone or it was stolen. Need I say more?  Yes there would be ways back in, with... a password. Remember the whole point of 2FA was to have a secondary device authenticate you on top of a password (first authentication), this knocks that right out because it eliminates the first authentication check, so what happens if you're accessing a site with your phone. Or someone steals your phone and uses it to access a site?

Your phone should never be your key for anything, it's an expensive highly visible device that people steal ALL. THE. TIME.
When your key is valuable for other reasons you're just encouraging people to steal it.  This sort of scenarios is precisely why we went to passwords instead of keycards, it can't be stolen, works anywhere, it's convenient and easily revoked or changed. Like 2FA on most sites, this is not about security, it's loss of privacy and being sold as ease of use. Don't fall for it.


Side note, 2FA has serious issues as well.
Don't you find it odd that almost everyone doing 2FA insists on using your phone for 2FA, why not an email or a phrase or even pictures. Even when you're on your phone they use the phone for 2FA instead of email making it 1FA. Almost none of this is about security, if it was, more thought would be put into it and they would be forcing it on you everywhere and certainly not using your phone to do it.

P.S.
Don't get me wrong, passwords have their problems but they are solvable problems, that's kind of the point.
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide.


Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4327
Re: 2FA and security is about to get way worse....
« Reply #2 on: Fri, 06 May 2022, 00:51:12 »
Refuse to use it, if possible.

I can't believe this is even proposed but it doesn't surprise me, hopefully people will see through it and kill it just like the Google cookie scam. Unfortunately with all 3 on board and not just Google I'm not going to get my hopes up.

For all the "find my phone" and shut down systems in place, phones are still regularly being stolen and cops do nothing, even when you know exactly where it is. That needs to change before this should even be considered. I fear it's going to take a few high level phones to be stolen before this dies.
« Last Edit: Fri, 06 May 2022, 00:57:49 by Leslieann »
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide.

Offline Coreda

  • Posts: 769
Re: 2FA and security is about to get way worse....
« Reply #3 on: Fri, 06 May 2022, 04:42:30 »
I preemptively enabled TOTP (time-based one-time password) some places since I know they'll eventually want a phone for 2FA if I didn't, likely with some excuse of 'we don't recognize this device please give us your phone number' (as though that makes any sense from a security PoV if the statement is accurate).

Online suicidal_orange

  • * Global Moderator
  • Posts: 4732
  • Location: England
Re: 2FA and security is about to get way worse....
« Reply #4 on: Fri, 06 May 2022, 05:52:59 »
There is an option B - go back to dumbphones.  As long as you delete any 2FA texts the thief (if they even bother to steal a dumbphone) wont know where your accounts are so wont know where to start to access them.  No more remembering to charge your phone every day, no more smashed screens, no need for baggy pockets/huge bags and you might even recognise a friend when you walk down the street if you aren't looking at their facebook page at the time.
120/100g linear Zealio R1  
GMK Hyperfuse
'Split everything' perfection  
MX Clear
SA Hack'd by Geeks     
EasyAVR mod

Offline fohat.digs

  • * Elevated Elder
  • Posts: 6375
  • Location: 35°55'N, 83°53'W
  • weird funny old guy
Re: 2FA and security is about to get way worse....
« Reply #5 on: Fri, 06 May 2022, 08:01:26 »

lost your phone or it was stolen. Need I say more?


go back to dumbphones.

And is your phone always in your pocket or on the desk when you go to work on the computer?

I sometimes long for olden times, when a battery charge lasted for days and a phone could probably survive multiple drops onto concrete.

The biggest thing that I have gotten used to is always having a nice camera in my pocket, along with some games and reading material.

and off-topic - My biggest gripe with a phone being a flat thin rectangle is the horrid "ergonomics" of it. Somehow the geometry of my cheekbone is such that most of the "smart" phones have a "hang up" area that matches it and I find calls ending while I am in the middle of them ....
Neoreactionarism is a pseudo-intellectual fascist movement that Musk and Peter Thiel have embraced.  One ideological plank to neoreactionarism is that the "liberal” media is in cahoots with — wait for it — American intelligence agencies and other political establishments to thwart the rule of the enlightened technocrat.  It is only the rise of a superior technocratic class who will crush the establishment and their middle managers and bring about true freedom to human beings.  And it looks like Musk is trying to bring about this political Nirvana at Twitter.
- Merlin1963 2022-11-19

Offline Findecanor

  • Posts: 4958
  • Location: Koriko
Re: 2FA and security is about to get way worse....
« Reply #6 on: Fri, 06 May 2022, 08:26:22 »
There is an option B - go back to dumbphones.
What do you mean "go back" ? ;)

I got my first smartphone in Nov '20, but I never got a SIM card. I have only used it as a camera.
The user experience of it was even worse than what I had expected, despite being "stock Android" which the writers on phone review sites say would be the best.

What I'm afraid of is that I will be forced to start using it for 2FA and other crap, only because that will be the only option.

The biggest thing that I have gotten used to is always having a nice camera in my pocket, along with some games and reading material.
I used to carry a compact camera - with optical zoom, and a tablet. Each providing a better user experience for its use-case than a smartphone. And they cost less together than my "smartphone" did.

However, I'm afraid that they don't make good tablets any more.
Man must shape his tools lest they shape him
-- Arthur Miller

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4327
Re: 2FA and security is about to get way worse....
« Reply #7 on: Fri, 06 May 2022, 09:45:11 »
And is your phone always in your pocket or on the desk when you go to work on the computer?
You missed the point.

With this system:
If you access Google from your laptop you need your phone to act as a password.
If you access Google/MS/Apple from your phone you do NOT need a password at all.
How is that secure?

Why is the phone (easily stolen) trusted for everything, but not the laptop, desktop, game console, etc...



Doesn't matter where the phone sits...
So I log into Windows, need to interact with the phone.
Open browser, log into Google, need to interact with the phone
Go to check bank account, need to interact with the phone
Go to Facebook, you guessed it, need to interact with the phone
Twitter, company backend, VPN, shopping cart, Amazon....
Go to lunch, come back, start all over again...  How many times am I going to have to interact with my phone every day just to get work done?

But cookies!
There's no passwords and no 2fa, either this needs to be done regularly or you have to admit this was never about security, and if this makes security worse, what was the point of pushing 2FA? Unless 2FA was never about security but getting you comfortable with using your phone as your key and giving up more privacy.
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide.

Online suicidal_orange

  • * Global Moderator
  • Posts: 4732
  • Location: England
Re: 2FA and security is about to get way worse....
« Reply #8 on: Fri, 06 May 2022, 09:59:59 »
Actually read the announcement, reads more like cementing the triopoly than anything else.  I'm unclear whether the phone validates the user's face against its own stored image or if the phone uploads your face to the remote account holder meaning stealing and changing the face attached to the phone doesn't work.

Either way I'm not putting my face in my phone, if I have to live in a cave and keep people in call centres in jobs to buy stuff so be it.
120/100g linear Zealio R1  
GMK Hyperfuse
'Split everything' perfection  
MX Clear
SA Hack'd by Geeks     
EasyAVR mod

Offline fohat.digs

  • * Elevated Elder
  • Posts: 6375
  • Location: 35°55'N, 83°53'W
  • weird funny old guy
Re: 2FA and security is about to get way worse....
« Reply #9 on: Fri, 06 May 2022, 10:46:51 »

You missed the point.

Doesn't matter where the phone sits


I think you missed my point. What if the phone is in the kitchen or if one of my friends or kids is using it?
Neoreactionarism is a pseudo-intellectual fascist movement that Musk and Peter Thiel have embraced.  One ideological plank to neoreactionarism is that the "liberal” media is in cahoots with — wait for it — American intelligence agencies and other political establishments to thwart the rule of the enlightened technocrat.  It is only the rise of a superior technocratic class who will crush the establishment and their middle managers and bring about true freedom to human beings.  And it looks like Musk is trying to bring about this political Nirvana at Twitter.
- Merlin1963 2022-11-19

Offline Findecanor

  • Posts: 4958
  • Location: Koriko
Re: 2FA and security is about to get way worse....
« Reply #10 on: Fri, 06 May 2022, 14:59:31 »
Both of you are speaking beside one-another; both of you making valid, and different points.

They have in common though that they point out that the FIDO consortium wants phones to be personal devices that are only used by a single individual.
For a lot of people, they are, but for a phone being used for its original purpose, there is absolutely no reason why it should be.
Man must shape his tools lest they shape him
-- Arthur Miller

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4327
Re: 2FA and security is about to get way worse....
« Reply #11 on: Fri, 06 May 2022, 18:56:03 »
Yep, I think same frame of mind, I just misunderstood what Fohat was pointing out.  :thumb:
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide.

Offline Stupidface

  • Posts: 96
  • Location: You can't be there where I am
  • Looks like I picked the wrong week to joinGeekhack
Re: 2FA and security is about to get way worse....
« Reply #12 on: Sat, 07 May 2022, 03:43:51 »
Don't you find it odd that almost everyone doing 2FA insists on using your phone for 2FA, why not an email or a phrase or even pictures.

Perhaps I am in the minority, but I tend to view most of these exciting new "innovations" in terms of their data-mining potential for the corporations that aggressively push them, so I don't find it odd at all.  As you rightly point out, they could simply use an email address of my choosing for 2FA, but that would cramp their style somewhat in the data mining realm, wouldn't it?

Nothing would please these berks more than tying anything I want to do online into a phone number.  It makes their data mining efforts that much easier, so they're all for it.

I wouldn't mind the data mining quite so much if Apple, Google, etc. would simply stop being so dishonest about what they do and why, this latest silliness being merely one example in a long line of many.  I am fascinated that it never seems to occur to these plonkers that their near-daily demonstrations of untrustworthiness give all but the doziest consumers little reason to go along with their schemes.

I do not believe a word they say without 2FA, first.


« Last Edit: Sat, 07 May 2022, 06:20:37 by Stupidface »

Offline Stupidface

  • Posts: 96
  • Location: You can't be there where I am
  • Looks like I picked the wrong week to joinGeekhack
Re: 2FA and security is about to get way worse....
« Reply #13 on: Sat, 07 May 2022, 05:08:05 »
I'm unclear whether the phone validates the user's face against its own stored image or if the phone uploads your face to the remote account holder meaning stealing and changing the face attached to the phone doesn't work.

I am unclear as to what exact steps these corporations are offering to take (if any) to lock up my biometric data in a meaningful way were I foolish enough to hand it over in the first place.  I cannot help but notice that a fair number of punters have already had their personal data stolen and see no reason my own data wouldn't disappear right along with theirs should someone take it into their head to do it.

Either way I'm not putting my face in my phone, if I have to live in a cave and keep people in call centres in jobs to buy stuff so be it.

I have no intention of taking part in this latest ghastly scheme, either.  Having seen the way they managed (if managed is the word) the data they have already been entrusted with, the prospect of giving these corporate sorts even more holds little appeal.



Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4327
Re: 2FA and security is about to get way worse....
« Reply #14 on: Sat, 07 May 2022, 11:47:23 »
I am unclear as to what exact steps these corporations are offering to take (if any) to lock up my biometric data in a meaningful way were I foolish enough to hand it over in the first place.

They aren't, they buy hacking insurance.
Yep, that's a thing.

It's cheaper than tackling the real problems and being pro-active. The law in most cases says "within reason", it's intentionally vague because one size doesn't fit all but that also means companies are allowed to decide for themselves what's reasonable. The bare minimum, which is what most opt for, is ridiculously minimal.

No one takes I.T. seriously until it bites them on the a$$, it's the same thing with backups.
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide.

Offline yui

  • Posts: 1080
  • Location: 127.0.0.1 (in azerty)
Re: 2FA and security is about to get way worse....
« Reply #15 on: Sat, 07 May 2022, 15:30:56 »
So Apple, Google and Microsoft want to get rid of passwords, their plan is to now use your phone as a passphrase instead.
Just like 2FA, you would go to Google (or Apple or MS) and use your username, then it sends a text message to your phone to verify it's you with no password needed at all.

Let's try an experiment here, follow along, you lost your phone or it was stolen. Need I say more?  Yes there would be ways back in, with... a password. Remember the whole point of 2FA was to have a secondary device authenticate you on top of a password (first authentication), this knocks that right out because it eliminates the first authentication check, so what happens if you're accessing a site with your phone. Or someone steals your phone and uses it to access a site?

Your phone should never be your key for anything, it's an expensive highly visible device that people steal ALL. THE. TIME.
When your key is valuable for other reasons you're just encouraging people to steal it.  This sort of scenarios is precisely why we went to passwords instead of keycards, it can't be stolen, works anywhere, it's convenient and easily revoked or changed. Like 2FA on most sites, this is not about security, it's loss of privacy and being sold as ease of use. Don't fall for it.
well yeah that sounds like something a marketing guy or a shareholder would think of as the future of security... i do not think any tech worth anything would have had this idea and not thought about the fact that it is going back to square 1 or even square 0...
Side note, 2FA has serious issues as well.
Don't you find it odd that almost everyone doing 2FA insists on using your phone for 2FA, why not an email or a phrase or even pictures. Even when you're on your phone they use the phone for 2FA instead of email making it 1FA. Almost none of this is about security, if it was, more thought would be put into it and they would be forcing it on you everywhere and certainly not using your phone to do it.

P.S.
Don't get me wrong, passwords have their problems but they are solvable problems, that's kind of the point.
and everyone uses their phones because it is practical, you already have one and it is inherently 100% compatible, i have tried using smartcard and U2F as 2nd factor and it is a pain to setup and widely inconsistent when it comes to support. the smartcard was a non starter because, well, nothing supports it without deep customization, and the U2F key was not that far either, tried to use it on Windows 10 only to discover that Windows 10 is only U2F compliant to its own key and a few other models but not the one i bought and that it did require to activate bitlocker and having a TPM2.0 to use to login... when it comes to bank most still have not understood that limiting your password to 6 digit typed on a screen keyboard with randomized order was not a security feature but a security flaw so 2FA with the phone is already a huge step forward for them, i should try to set up my u2f keys for my google account on linux maybe, but that would lock me out of Windows fully, and also be a pain with my current phone with its dead usb...
vi vi vi - the roman number of the beast (Plan9 fortune)

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4327
Re: 2FA and security is about to get way worse....
« Reply #16 on: Sat, 07 May 2022, 19:08:34 »
and everyone uses their phones because it is practical, you already have one and it is inherently 100% compatible,

Phone as a 2fa is fine, so long as it's ONLY used as the 2nd or primary auth, not both which is what they're now selling it as.

They went full circle.
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide.

Offline chyros

  • a.k.a. Thomas
  • * Esteemed Elder
  • Posts: 3438
  • Location: The Netherlands
  • Hello and welcome.
Re: 2FA and security is about to get way worse....
« Reply #17 on: Sun, 08 May 2022, 05:40:37 »
I've got a whole bunch of apps/accounts/programs at the university and even the stupidest ones use 2FA. Even things that only give access to basically public knowledge are behind 2FA.

However, the requisition system — the one where you have to change passwords EVERY MONTH and where the university is now conducting an investigation as to whether the amount of permissions I have in it is not conducive to fraud — is not. I mean, not that I'm complaining, because I hate 2FA, but that sounds bass ackwards. 
Check my keyboard video reviews:


Offline Stupidface

  • Posts: 96
  • Location: You can't be there where I am
  • Looks like I picked the wrong week to joinGeekhack
Re: 2FA and security is about to get way worse....
« Reply #18 on: Mon, 09 May 2022, 04:21:53 »
They aren't, they buy hacking insurance.
Yep, that's a thing.

I was hitherto unaware such a thing existed; thank you for mentioning it.  Having now become acquainted with the term, I am alarmed that the data breach phenomenon is now so prevalent hacking insurance has become a thing.

Of course, it is possible this might turn out to be a positive development.  Insurance companies do not enjoy paying claims, hence the development of groups like Underwriters Laboratories that set standards and improved things (i.e. gave manufacturers standards that helped to make products safer and less likely to explode, choke infants, etc.).

Having said that:

It's cheaper than tackling the real problems and being pro-active. The law in most cases says "within reason", it's intentionally vague because one size doesn't fit all but that also means companies are allowed to decide for themselves what's reasonable. The bare minimum, which is what most opt for, is ridiculously minimal.

I suspect you are right and the actuality is that things like hacking insurance are merely an effort to lend a veneer of dignity to an ungodly mess.  Companies being seen to carry hacking insurance is one thing, the insurance firms actually paying off on claims quite another.

Along those same lines, it would be interesting if companies like Apple have "helped" (or are about to help) legislators write laws that assign caps on what damages consumers will be awarded in the event of a data breach.

No one takes I.T. seriously until it bites them on the a$$, it's the same thing with backups.

Well, there is taking things seriously and then there is being forced to take things seriously (like backups).

When I first heard about the 2017 Equifax data breach, I really did think something meaningful would emerge from it.  "What", I wondered, "will the penalty be for those responsible?  A trip before the firing squad?  Stint in a Bolivian prison?  One-way ticket to Tierra del Fuego, perhaps?" 

Needless to say, I did not have to wait long to find out and the penalty turned out to be more of a punchline than any sort of meaningful penalty.  I haven't really kept up since then, so it is possible that the Americans have become quite serious about penalising corporations that do not secure their date in the half-decade since that happened.

My understanding of the FAANGs and companies that handle large amount of data like them is that, once you reach a market cap of US$1 billion, you may do whatever you wish.  They do not appear to have any real incentive to keep sensitive personal information secure because they can simply buy off any legislators ambitious enough to want to rein them in with legislation or, failing that, they can simply hire lobbyists that will "help" write such legislation.

I think I would take the 2FA business a lot more seriously if I were the one allowed to choose the second authenticated factor.  The fact that corporations, not consumers, are the ones doing the choosing tells me everything I need to know.

The only real hope I hold out for change in this affair is for a widely-known authority on security (e.g. Bruce Schneier) to raise such a fuss that Apple, Google and Microsoft simply cannot ignore it.  To my mind, bad publicity is about the only thing left these firms will respond to (and then only half the time).





Offline fohat.digs

  • * Elevated Elder
  • Posts: 6375
  • Location: 35°55'N, 83°53'W
  • weird funny old guy
Re: 2FA and security is about to get way worse....
« Reply #20 on: Mon, 09 May 2022, 08:54:54 »

"What", I wondered, "will the penalty be for those responsible?


Our "justice system" generally behaves as if "white collar crime" hardly exists at all.

Solution : Easy. Remove white collar criminals from the law-making and law-enforcing systems.

Neoreactionarism is a pseudo-intellectual fascist movement that Musk and Peter Thiel have embraced.  One ideological plank to neoreactionarism is that the "liberal” media is in cahoots with — wait for it — American intelligence agencies and other political establishments to thwart the rule of the enlightened technocrat.  It is only the rise of a superior technocratic class who will crush the establishment and their middle managers and bring about true freedom to human beings.  And it looks like Musk is trying to bring about this political Nirvana at Twitter.
- Merlin1963 2022-11-19

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4327
Re: 2FA and security is about to get way worse....
« Reply #21 on: Mon, 09 May 2022, 11:11:04 »
Can anyone buy hacking insurance or only corporations ?
I would imagine pretty much anyone can, but is it worth it?

You can easily get a decent backup system for a few hundred bucks or even online backup for a few bucks per month.
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide.

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4327
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide.