If anyone learns your phone number, they probably can get into your other accounts


2019 Sep 11, 7:42am   866 views  24 comments

by Patrick

https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html

Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control.

The number is switched from a tiny plastic SIM card, or subscriber identity module, in the target’s phone to a SIM card in another device.

Sometimes hackers get phone numbers by calling a customer help line for a phone carrier and pretending to be the intended victim. In other recent incidents, hacking crews have paid off phone company employees to do the switches for them, often for as little as $100 for each phone number.

Once the hackers have control of the phone number, they ask companies like Twitter and Google to send a temporary login code, via text message, to the victim’s phone. Most major online services are willing to send those messages to help users who have lost their passwords.

But the temporary code is sent to the hackers. ...

In recent weeks, the most prominent targets have been celebrities like Mr. Dorsey, the actress Jessica Alba, and online personalities like Shane Dawson and Amanda Cerny (her second time). The hackers used the accounts to post offensive messages to millions of followers. They also gained access to private communications.

Comments 1 - 24 of 24

1   Tenpoundbass   2019 Sep 11, 8:42am  

They did that to me, and then they used my phone to hack my bank account.

It was more than them just knowing my phone number. I mean we do have Transgender American hating freaks working at these companies. Their job is to sit in front of a Customer Service computer screen that has all of your information on it. I laugh when companies like Visa get hacked, and they try to make it sound like Boris just got lucky typing in the right password and username on the first try.

Boris buys usernames and passwords from underappreciated employees.
2   FortwayeAsFuckJoeBiden   2019 Sep 11, 9:05am  

I use Microsoft Authenticator. It’s an app. Is that safer or not really?
3   Hircus   2019 Sep 11, 9:22am  

Fortwaynemobile says
I use Microsoft Authenticator. It’s an app. Is that safer or not really?


Yes, it is a security +1. It's one of the many forms of "2 factor authentication", and they're a very good thing to use when available.

But, security is rarely so simple.

The point Patrick is making is that your phone number is used universally across all banking and internet sites for identity purposes, in particular to serve "forgot my password" requests. It's sad how many people can be hacked if someone gains control of your phone # as described. Once they have the phone #, they likely can get into your email, and with both of those... they can likely get most other stuff.

But, 2 factor auth has a chance of surviving that type of attack. If they steal your physical phone, then they will have access to your auth app (assuming no lock screen, or they crack your PIN / fingerprint / face ID etc...) and can utterly rob you blind. Do not lose your phone.

But, if they just steal your phone number and load it into their phone, they would need to gain access to your MS Auth account. They might be able to do this though by going to your email and doing the forgot-password-via-phone-# route. If they get control of your email, they may then be able to install MS Auth, since you likely have it tied to your phone # and email.

This isn't easy stuff to do, but it's very possible for a skilled hacker. If they knew you had, say, 1+ million in your online accounts, you might get a skilled hacker who feels their time is justified targeting you specifically. It may make sense from a time vs. reward perspective to maybe spend weeks, all day every day, targeting you.

Personally, it's time for me to make some security upgrades. I have too many links like those spoken of above. I will be moving to a dedicated home laptop on which my online banking is done, and never anywhere else. And, I will pay attention to email account cross-linking as mentioned above too. My "browse the intertubez" computer, on which I also tend to install various 3rd party software, will never be used for banking or sensitive things. My dedicated near-bare operating system will be used for banking. I haven't decided if I will use a password manager for banking. If I do, it will be linked to a different account than my normal password manager.
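The chain Hircus describes (phone number unlocks email, email plus phone number re-enrolls the authenticator, and so on) is a reachability question over recovery links. The script below is an added illustration for this thread, not code from the article or any commenter; the account map and factor names are constructed sample data, and it also shows the same map after removing SMS as a recovery option for email.

```python
"""Audit of account-recovery dependencies: given the factors an attacker
holds, which accounts can they take over by chaining password resets?
Added example for this thread; the account map below is constructed."""

# Constructed sample: each account lists recovery options, and any ONE
# option (a set of factors held together) is enough to reset that account.
RECOVERY = {
    "email":        [{"phone_sms"}],                 # "forgot password" via SMS
    "bank":         [{"email"}, {"phone_sms"}],
    "ms_auth":      [{"email", "phone_sms"}],        # re-enrolling needs both
    "social":       [{"ms_auth"}, {"email"}],
    "password_mgr": [{"ms_auth", "email"}],
}

# Same map with email recovery moved off SMS onto offline recovery codes
# and the bank no longer accepting SMS alone (hypothetical hardening).
HARDENED = dict(RECOVERY, email=[{"recovery_code"}], bank=[{"email"}])


def reachable(start, recovery=RECOVERY):
    """Accounts an attacker holding the `start` factors can take over.
    Every account taken over becomes a new factor for the next round."""
    owned = set(start)
    changed = True
    while changed:  # fixed-point iteration over the dependency map
        changed = False
        for account, options in recovery.items():
            if account not in owned and any(opt <= owned for opt in options):
                owned.add(account)
                changed = True
    return owned - set(start)


def blast_radius(factor, recovery=RECOVERY):
    """Sorted list of accounts exposed by losing a single factor."""
    return sorted(reachable({factor}, recovery))


if __name__ == "__main__":
    print("SIM swap, original map:", blast_radius("phone_sms"))
    print("SIM swap, hardened map:", blast_radius("phone_sms", HARDENED))
```

Run it against your own account list to see which single factor, if hijacked, cascades into everything else.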
4   Rin   2019 Sep 11, 9:37am  

Hircus says
I will be moving to a dedicated home laptop when my online banking is done, and never anywhere else.


That's the same for me.

Also, I only have my old 'dumb' phone for any sort of verification code via text.

My smart phone is never used for registration of any kind.
5   WookieMan   2019 Sep 11, 9:38am  

What Hircus said. I fucking hate it, but I'm resigned to the fate that the government has my face anyway (driver's license, FOID card, passport, etc). So I use two-step authorization on EVERY typed-in password that allows me to, with the randomly generated code every 30 seconds or whatever it is. I then use the iPhone Face ID for those accounts on my phone.

Basically, you'd have to physically have my face AND phone to ever hack into any of my important accounts. If that were to happen I'd likely be dead and have no feelings over money being stolen from me anyway. If I lost my phone, they could crack my passcode to open it, but they still wouldn't be able to access the sensitive accounts because they'd need my face. So even a lost phone is no issue for me.

All this still won't stop someone from getting your card number and expiration date. Hence, per a recent thread, you should always use credit or cash and never debit.
6   FortWayneAsNancyPelosiHaircut   2019 Sep 11, 9:43am  

Rin says
Hircus says
I will be moving to a dedicated home laptop when my online banking is done, and never anywhere else.


That's the same for me.

Also, I only have my old 'dumb' phone for any sort of verification code via text.

My smart phone is never used for registration of any kind.


That's a good idea, thanks for sharing that.
7   NuttBoxer   2019 Sep 11, 9:44am  

I don't supply a cellphone number for additional verification, it's always my email. I'm guessing if I don't have the number as an option, the company is less likely to use it for a reset request.

2FA in my opinion is lazy security for people who don't want to create complex passwords, and update them regularly.
8   Rin   2019 Sep 11, 9:47am  

Also, use a VPN.

Right now, I'm in "Dallas TX", though I've never visited the place.

I love how I'm boinking hoes in Montreal while in New York City.
9   WookieMan   2019 Sep 11, 9:59am  

NuttBoxer says
I don't supply a cellphone number for additional verification, it's always my email.


How is your email secured besides password? Not saying one is better than the other, but isn't email as vulnerable or more so than a phone? I could give out my email address and password here and not one person would be able to access it (no I'm not going to actually do this). I presume you're using some authenticator or 2FA for the email?

Either way, getting a text to reset a password or to be able to log in is retarded. So I agree. I also can't stand giving out my phone number. It almost always results in bullshit solicitors and businesses calling me for money.
10   Hircus   2019 Sep 11, 10:10am  

NuttBoxer says
2FA in my opinion is lazy security for people who don't want to create complex passwords, and update them regularly.


It may not be bulletproof, but 2FA is a solid improvement in many realistic scenarios and use cases over just using a password.

A strong password can be stolen 100% remotely. The password doesn't change, and so it can be reused minutes or days later.

To break 2FA you usually need either physical device access (which rules out most of the world), or you need to steal other passwords + have a combination of circumstances / knowledge, and time window. It's provably more difficult. It dramatically shrinks the pool of potential people who could hack you, and the ways that they could hack you.
11   EBGuy   2019 Sep 11, 12:53pm  

I still have an RSA security dongle for my E*Trade account, but I'm assuming they'll force me over to texting once the battery runs out. I admit to being paranoid like Nuttboxer. Sure, 2FA is awesome, but it is the bean counter manager that is the enemy in this scheme when they decide "Hey, since we have their cellphone number, why don't we cut labor costs and do password resets that way as well".
12   HeadSet   2019 Sep 11, 1:15pm  

Hackers have to hack the bank to get to my $4.00.

Do you seriously expect us to believe that? You must be rounding up.
13   mell   2019 Sep 11, 3:01pm  

How can they hack bank accounts like this? You need to answer a bazillion security questions. Sure maybe they get twatter or gulag access but you should never connect social media to any purchasing power or bank accounts/money.
14   Hircus   2019 Sep 11, 3:09pm  

mell says
How can they hack bank accounts like this? You need to answer a bazillion security questions.


It's not always easy. But, those security questions aren't always high quality either. In fact, many of them are easy to guess after a bit of research and process of elimination. Some websites don't give many choices, and force you to pick 3 questions, ensuring at least 1 of them will be some public knowledge question like "what city were you born in?".

I want to start lying on those questions (eg, say I was born in Nigeria), but it's a bookkeeping nightmare because there are many different questions, and keeping my lies straight is challenging.
15   mell   2019 Sep 11, 3:15pm  

Hircus says
mell says
How can they hack bank accounts like this? You need to answer a bazillion security questions.


It's not always easy. But, those security questions aren't always high quality either. In fact, many of them are easy to guess after a bit of research and process of elimination. Some websites don't give many choices, and force you to pick 3 questions, ensuring at least 1 of them will be some public knowledge question like "what city were you born in?".

I want to start lying on those questions (eg, say I was born in Nigeria), but it's a bookkeeping nightmare because there are many different questions, and keeping my lies straight is challenging.


Yeah, I can see that, but it's still hard. Banks ask for your account number or card number as well, last four digits of social, DOB, etc. Do not use social media apps, and if you must, never link them to any financial power or apps. Actually, lying on some of those security questions is a great idea.
16   clambo   2019 Sep 11, 3:28pm  

Oh shit, this is pretty scary.
17   EBGuy   2019 Sep 11, 3:36pm  

What do people think about using a Chromebook as their banking terminal?
18   Hircus   2019 Sep 11, 3:49pm  

One of the things I've been thinking about these "security questions" is that they make us less safe sometimes. Their public knowledge nature, and the fact that questions tend to be reused on many sites makes them function like a weak password. If you can recover your account via answering those questions, then the answers to the questions are functionally very similar to a username and password.

But, people tend to tell the truth on those questions, and they tend to use the same answer on all sites.

From what I've seen, coders don't usually treat them like passwords, and so the answers get stored in the site's database in plain text, as opposed to how passwords are usually stored in hashed form (so there's no way to decrypt it even if stolen). If a hacker hacks "marthas-basketweaving.com", obtaining all accounts and their secret question answers, they have a chance of those secret question answers working on other sites. Or, like mentioned above, an employee writes info down from their screen and uses / sells it.

Makes me think the safe approach is to lie, but use a unique lie for each site, or at least for the high security sites. I don't think password managers really support this yet, so it's inconvenient.
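Hircus's point is that recovery answers are low-entropy passwords that sites store in plain text. The snippet below is an added example for this thread (not from the article, any commenter, or any real site): it handles a security-question answer the way a password should be handled, normalizing the text so a legitimate user's "St. Louis" still matches "st louis", then salting and hashing it, so a dumped database yields no reusable answer. The function names are the example's own.

```python
"""Store and verify security-question answers like passwords instead of
plain text. Added example for this thread; helper names are hypothetical."""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 200_000  # slow hash; raise as hardware allows


def normalize(answer: str) -> str:
    """Recovery answers are typed from memory, so fold case, Unicode
    compatibility forms, dots and extra whitespace before hashing."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.replace(".", " ").split())


def store_answer(answer: str) -> dict:
    """Return the record to persist: a random per-answer salt plus the
    PBKDF2-SHA256 hash of the normalized answer. The answer itself is
    never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time,
    so timing does not leak how much of the digest matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = store_answer("St. Louis")   # constructed sample answer
    print(rec)                        # salt + hash only, no "st louis"
    print(verify_answer(rec, "st louis"), verify_answer(rec, "Boston"))
```

Unique, made-up answers per site (as suggested above) still help, since a hashed answer protects against database dumps but not against an answer that is public knowledge.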
19   mell   2019 Sep 11, 4:08pm  

Hircus says
One of the things I've been thinking about these "security questions" is that they make us less safe sometimes. Their public knowledge nature, and the fact that questions tend to be reused on many sites makes them function like a weak password. If you can recover your account via answering those questions, then the answers to the questions are functionally very similar to a username and password.

But, people tend to tell the truth on those questions, and they tend to use the same answer on all sites.

From what I've seen, coders don't usually treat them like passwords, and so the answers get stored in the site's database in plain text, as opposed to how passwords are usually stored in hashed form (so there's no way to decrypt it even if stolen). If a hacker hacks "marthas-basketweaving.com", obtaining all accounts and their secret question answers, they have a chance of those secret question answers working on other sites. Or, like mentioned above, an employee writes info d...


I usually modify the truthful answers so even if guessed right it's not the exact phrase. Who's your favorite childhood friend should not be "Nick" but "NickTheDick" or so. These modifications can easily be remembered but are close to impossible to guess.
20   Rin   2019 Sep 11, 4:30pm  

mell says
Who's your favorite childhood friend should not be "Nick" but "NickTheDick" or so.


Actually, in my case, Nick was in fact, a dick.

And thus, is more true than just plain Nick.
21   NuttBoxer   2019 Sep 12, 8:13am  

WookieMan says
How is your email secured besides password?


That's the biggest security measure, and mine is long and updated yearly. I also use it almost exclusively through Tor and VPN. My provider is my next line of defense. Protonmail encrypts everything on their end. But the main point is a SIM card isn't going to unlock my email account.
22   NuttBoxer   2019 Sep 12, 8:15am  

Hircus says
A strong password can be stolen 100% remotely. The password doesn't change, and so it can be reused minutes or days later.


How can the password be stolen? Remember the comparison is a new SIM and low-level employees (not much security there). Also, did you not see where I said passwords should be updated? In a good security model they definitely change.

Hircus says
To break 2FA you usually need either physical device access (which rules out most of the world)


Did you not read the article? Your entire response is based on very selective reading...
23   NuttBoxer   2019 Sep 12, 8:21am  

mell says
How can they hack bank accounts like this?


Where does it say that they can? Resetting my bank password was by FAR the most difficult.
24   Hircus   2019 Sep 17, 8:04pm  

cool options:
https://lifehacker.com/prevent-sim-swapping-hackers-from-stealing-your-phone-n-1838149833

"T-Mobile has a security option called “NOPORT,” which mandates that porting your number to a new SIM or provider requires a photo ID check, which needs to take place in person at a store. That takes phone- and chat-based ruses off the table. According to the same report, Sprint also has a high-security designation called “Security Plus,” which must also be requested via customer service."
