Security and privacy Q&A

Today’s WSJ article (paywall) on supposedly rising cases of iPhone + passcode theft, by simply watching/filming the user type the passcode, and then stealing the phone.

Takeaway message: this allows thieves to turn off Find My iPhone and get into banking apps on the phone. Scary (and obvious) stuff, haven’t given this much thought after being somewhat paranoid about hiding my passcode entry in the iPhone 3G days. These days I typically use FaceID, but good to keep in mind that being a bit protective of the PIN is a good idea.

One particularly sad story is from a lady who lost tons of photos and more because the thief enabled the recovery key option after the device theft, supposedly meaning she is really locked out of her account permanently. I guess I need to read up on this stuff!

This kind of stuff doesn’t make me feel any better about password managers. I mean… I deleted my LastPass account over a year ago, but you still wonder, how much of that info was still on their servers.

3 Likes

I have mixed feelings on passwords managers.

On one hand, I can see the appeal, both personally, because I have an oversized plethora of them, such that I struggle to remember which service has what user ID and password. Not to mention that, because of that plethora, it seems like I’m perpetually having to update/maintain them. So a single sign-in appeals to the simplicity seeker in me.

And on the corporate side, because the majority of users are frankly bad/lax at managing the same info, having a single sign-on where IT can enforce genuinely secure policies (at least on the surface, anyway) looks like a no-brainer.

But the core problems with them are two. One is that password managers essentially create a single point of failure again, and any business owner that’s been doing it for more than 10 minutes knows that single points of failure are something to be actively avoided.

Two is that they represent a huge, potentially very productive and obvious attack vector and thus a natural target, especially when you combine that with the reality that security vulnerabilities are still very much a whack-a-mole situation.

So, for me the TL;DR is that my company uses a combination of a password manager for all but the most critical systems, and for those most critical ones we also use a multifactor authentication system, including physical security keys (even though those can be hacked too).

And for personal use I do the same, splitting things like access to here or my Hulu account off to a password manager while siloing any and all financial stuff into its own unique system.

1 Like

Right? It’s the world’s most delicious honeypot that only gets more delicious over time. Smart move keeping your banking info off password managers (i.e. don’t save them into the Chrome/Edge password manager). Downside: now a keylogger can intercept the passwords on your machine. Then again, if a keylogger makes it onto your system, all is lost anyway.

Side note, I still cannot believe that top US banks are not required to at least offer 2FA using authenticator apps. Scary stuff.

1 Like

By the way, just to show the level of at least perceived difficulty with, for example, 2FA: I was attending a security conference a few months after Google started implementing it for their own services, and one of the Google engineers said that in the first month they widely implemented it, “how do I turn off 2 factor authentication in Google” was in the top five searches, and even multiple months after it was still in the top 100.

1 Like

2FA can still be a showstopper if you’re outside of cellular coverage. :anger:

1 Like

Yes I am frequently painfully aware :face_with_peeking_eye:

Like sitting on a plane trying to use PayPal to buy Wi-Fi… sigh. Not as much of an issue these days with free messaging, thankfully.

I’ve had days when I had cellular but there was congestion somewhere along the line and Google’s 2FA failed to reach me, so I had them send another… then another… and I finally get one, but it’s expired because it was an earlier one, and then I’m completely confused as to which one I should try to use when they start coming in all at once. So I let it sit for a while and try again. All over again! :angry:

Then I hear about them snickering because the ignorant rubes in flyover country want to turn off 2FA… while they sit in the lap of luxurious saturated multi-gigabit connectivity. Shades of Marie Antoinette. “Let them eat cake.” :roll_eyes:

2 Likes

Not to quibble, but about Marie:

For many years, Paris had a law requiring every bakery to carry “the peasant’s bread” in sufficient quantities every day at a low fixed price. Any day the bakery ran out, it was required to sell cake to the people at the same fixed price as the bread - hence the saying. The quote might better be attributed to Marie’s mother-in-law, which admittedly does nothing to mitigate Marie’s profligacy.

4 Likes

So basically the only hope is to disconnect entirely from the internet?

That’s why my accounting and billing software is not online. It is becoming a problem, though, as I would like to update to a newer version of QuickBooks, but they seem to all be in the clouds.

1 Like

Thanks, I never heard that one. I am aware of the general feeling that Marie Antoinette never said that and that it was probably from before her time, as the Britannica article has it.

So apologies to Marie, who was likely innocent of the quote. I meant it in the sense of folklore going back long before her time (possibly into prehistory, as long as there have been rulers and peasants):

“As it happens, folklore scholars have found similar tales in other parts of the world, although the details differ from one version to another. In a tale collected in 16th-century Germany, for instance, a noblewoman wonders why the hungry poor don’t simply eat Krosem (a sweet bread). Essentially, stories of rulers or aristocrats oblivious to their privileges are popular and widespread legends.”

Sorry for the derail. These things fascinate me.

1 Like

No worries. Me too.

Not to mention if you end your contract. As I did, hoping to move over to Rakuten Mobile (yeah, I know, I should have waited until it was confirmed), and now there are sites I can’t get into because I no longer receive 2FA text messages with a six-digit code that is valid for five minutes.

1 Like
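The two posts above (codes arriving late and out of order, and a six-digit SMS code that is valid for five minutes) describe behaviour of a typical one-time-code service. The following is an added illustration written for this page, not code from any poster, Google, or any carrier: a small OTP issuer/verifier with a five-minute TTL, single use, an attempt limit, and a "latest code only" policy, which is why a delayed earlier code is rejected even when its own five minutes have not run out. The user name, the fixed code sequence, and the clock are constructed for the simulation; the TTL and attempt limit are assumptions.

```python
"""Illustrative SMS-style one-time-code service (added example, not from the thread)."""
import hmac
import secrets
from typing import Callable, Dict, Tuple
import time

CODE_TTL_SECONDS = 5 * 60   # assumption: the five-minute validity mentioned in the thread
MAX_ATTEMPTS = 5            # assumption: lock a code after a few wrong guesses


def random_code() -> str:
    """Six decimal digits from a CSPRNG, zero-padded."""
    return f"{secrets.randbelow(1_000_000):06d}"


class _PendingCode:
    def __init__(self, code: str, issued_at: float) -> None:
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0


class OtpService:
    """Issues six-digit codes per user; only the most recently issued code is valid."""

    def __init__(self, now: Callable[[], float] = time.time,
                 gen: Callable[[], str] = random_code) -> None:
        self._now = now          # injectable clock, so expiry can be simulated
        self._gen = gen          # injectable code generator, so tests are deterministic
        self._pending: Dict[str, _PendingCode] = {}

    def issue(self, user: str) -> str:
        code = self._gen()
        # A fresh code replaces any earlier one for the same user. This is what
        # makes a delayed earlier SMS fail verification even inside its TTL.
        self._pending[user] = _PendingCode(code, self._now())
        return code

    def verify(self, user: str, submitted: str) -> str:
        pending = self._pending.get(user)
        if pending is None:
            return "no_code"                      # never issued, or already consumed
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user]               # stop online brute force of 10^6 space
            return "locked"
        if not hmac.compare_digest(pending.code, submitted):
            return "wrong"
        del self._pending[user]                   # single use: a replay gets "no_code"
        return "ok"


class FakeClock:
    """Constructed clock for the simulation below."""

    def __init__(self, start: float) -> None:
        self.t = start

    def advance(self, seconds: float) -> None:
        self.t += seconds

    def __call__(self) -> float:
        return self.t


def simulate_delayed_sms() -> Tuple[str, str, str, str]:
    """Replays the scenario from the thread: three resends, the oldest code arrives first."""
    codes = iter(["111111", "222222", "333333", "444444"])   # constructed, deterministic
    clock = FakeClock(start=1_000_000.0)
    svc = OtpService(now=clock, gen=lambda: next(codes))
    user = "alice"                                            # constructed sample user

    first = svc.issue(user)          # t = 0s
    clock.advance(120); svc.issue(user)   # t = 120s, first resend
    clock.advance(120); third = svc.issue(user)   # t = 240s, second resend
    clock.advance(60)                # t = 300s: the first code is still inside its own TTL
    results = (
        svc.verify(user, first),     # superseded by later issues -> "wrong"
        svc.verify(user, third),     # the current code -> "ok"
        svc.verify(user, third),     # replay of a consumed code -> "no_code"
    )
    svc.issue(user)
    clock.advance(CODE_TTL_SECONDS + 1)
    return results + (svc.verify(user, "000000"),)   # past the TTL -> "expired"


if __name__ == "__main__":
    print(simulate_delayed_sms())
```

The constant-time comparison and the attempt cap are the two checks a six-digit code cannot do without: the code space is only a million values, so an unthrottled verifier is brute-forceable inside the five-minute window. The "latest code only" policy is a design choice; a service that keeps every unexpired code valid avoids the confusion described above at the cost of widening the window an attacker can guess into.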

Also, it has become an accepted part of modern vernacular, so even if it might not be technically correct, it is a statement everybody understands. Just like Eve, Adam and the apple. The Bible says it was the “fruit of the tree”.

1 Like

I really agree with her on most of this. This, and/or forcing you to accept their proffered, often intrusive cookies before they will allow you to read the story, is a surefire way to get me to click away or close the window.

I get that it’s a revenue generation thing, but it’s not an option I support; they need to find another way.

I don’t want to log in to your website - The Verge

EDIT: and I will admit it is also often a cost/benefit calculation for me. In other words, give me more compelling reasons other than “Apple’s Huge Mistake…”

Hobson’s Choice: Want to see my clickbait? Give me your data or let me scrape it

1 Like

The thing is, given current browser fingerprinting technologies, it’s not like it’s that hard to match up a user/machine/IP address.

2 Likes

This is something that is long overdue, IMHO. However, I have huge concerns about how this will actually turn into law, as at least so far government has been terrible at actually executing on this type of thing.

And I expect the software industry and its associated lobbyists are already fighting parts of it in a full-scale campaign.

President Joe Biden’s new cybersecurity plan would crack down on ‘insecure’ software - The Verge

1 Like