Re: Evening Safety Dance
Dec 30, 2021, 11:41
MoreLuckThanSkill wrote on Dec 30, 2021, 11:04:
Burrito of Peace wrote on Dec 29, 2021, 19:58:
Passwords alone are insufficient security, no matter where you store them. 2FA is barely sufficient for most things if that 2FA is based on randomized codes sent by SMS.

My setup is to use a USB key via passthrough plus a password in a sanitized, sandboxed environment for critical tasks. Naturally, neither the host nor the guest OS is Windows-based.

What does this mean exactly, for most websites, banking, etc.? I have several websites I have to use for work or banking, and they only have an option for Password plus Phone SMS; only one website even has an option for Password + 'Secure' Phone App, which I just have to hope is valid, since it's not like I personally vetted each of those few app options or anything, or that those apps won't get hacked in the future without anybody knowing.

I know you basically run IT for one company, so I guess you mean you set up your own USB key (homebrew application or commercial program/device?) there, but a lot of places don't even give those kinds of options, as far as I can tell.

That said, I do all my banking or job work online via a Linux box and the above, but a lot of those decisions are really out of the end user's control.

It probably bores you guys to tears to talk any sort of 'work' topic on a game website of old farts, but it seems like hacking is only going to get worse as time goes on, and I'd like to not get online robbed anytime soon.

*EDIT* Quick google: like these hardware devices? Bringing back Dongles?

Further googling: Apparently some banks such as Evil Bank of America have that dongle option, but as I said, the vast majority of sites I have don't seem to support it, although I guess I need to start asking around.

*EDIT 2* Okay, multiple pages deep, some financial institutions do seem to have at least Password + My Proprietary Phone App, or Corporate Security App, as options. Sigh, now to read up on each one of these fucking apps.

Apps are better, as long as they aren't a hidden euphemism for "2FA via SMS".
Examples: Google/PayPal both use authenticator apps, rotating numerical PINs that nobody can ever hack.
Meanwhile my bank uses chipTAN, meaning I have a card reader at home for my own card that generates a PIN completely aside from anything that could be hacked, and once I use it, it is gone after 10 minutes.

Point is, lot of ways to make yourself more secure.
Least secure is definitely SMS, since the messages are cached in the background traffic on cell towers, and anyone with a $50 device can read them out in real time. They are plaintext.
