Another day, another notice of data breach

100% of data breaches are caused by customers. Most are impossible to prevent. There is only one solution: education about phishing tactics. IME the vast majority of humans are either unaware of such, or just don't care. I spent 20 years working in CIS / IT Security. It's a losing battle, requires very long hours often with no glory whatsoever, so I switched to a different IT field for the remainder of my career. Security people are always blamed for the breaches and it becomes a "you caused the problem, you fix it" with long overtime hours, no overtime pay and no bonuses for all that work. And they had nothing to do with the breach.

Many people hear these stories and think back to Wargames, the movie. The days of hackers breaking into systems like that are long gone. It may happen occasionally but hackers know their task is much easier just sending a phishing email to 20 million recipients. Even if only 0.000001% of those recipients take the bait the hackers stand to realize million$ in revenue.
This must be a miscommunication. It’s company employees who have been phished, but they aren’t necessarily the customers whose data is stolen in a breach.
 
I'm sure a lot of individual issues are caused by individuals being phished. But the major data breaches are due to poor security/follow through by the big companies with all our data.

100%? No way.
 
100% of data breaches are caused by customers. Most are impossible to prevent.

Oh, and I forgot to mention. If anyone really believed "it's impossible to prevent", they would not give data to ANYONE - if it can't be prevented. YMMV
 
I use this recommended site to check on where my email addresses have been exposed in a data breach: Have I Been Pwned: Check if your email has been compromised in a data breach

It also provides you with the ability to search a password, to see if that password has been exposed in a breach.

As others have said, you have to assume your data is out there, and take steps to minimize your risk (passwords/passphrases, password manager, 2 factor authentication, etc.). You can also try to opt out of as many of the data collection sites as possible. Kim Komando, a good resource for many things digital, has this article about opting out of sites: Simple Opt Out can help stop your personal data from being shared

That article points to this website, which has opt-out instructions, web links and/or phone numbers for many sites: Deep links to opt-out of data sharing by 100+ companies – Simple Opt Out
 
Point is people are weak. And unfortunately, that includes people with significant privileges.

....

I'm on a forum of retirees and current employees for megacorp. Recently, megacorp sent a fake phish mail test, and way too many people clicked it. They were bitching about feeling tricked. I say, good for megacorp.

How were they tricked? Well, the fake email came from the health insurance carrier and had a title like, "You dropped your coverage"

People fast clicked that. But it was all fake, just a test. Imagine how easy it is for the bad guys to know which insurance company covers megacorp. Not hard at all. An easy phish title to get people to click... and enter credentials. Yikes!
 
But it was all fake, just a test. Imagine how easy it is for the bad guys to know which insurance company covers megacorp. Not hard at all. An easy phish.
I worked in a security-adjacent hi tech area. We knew that phishing tests were happening. My colleagues - IT Directors and above - would fail these phishing tests with embarrassing frequency. I mean if you know to be on the lookout and you are supposedly a leader in the biz, the average person can be forgiven in the wild.
 
I worked in a security-adjacent hi tech area. We knew that phishing tests were happening. My colleagues - IT Directors and above - would fail these phishing tests with embarrassing frequency. I mean if you know to be on the lookout and you are supposedly a leader in the biz, the average person can be forgiven in the wild.
Yeah, security needs to be developed with the known fact that people are gullible, uneducated, greedy and foolish. They'll click on anything so build security with that in mind. So once you're phished, the phished data should be more difficult to use if security is appropriate. YMMV
 
Lifelock will notify you when your identity is stolen. That's what they did for a friend of mine.
It depends what plan you buy. I bought the plan where they reimburse your losses up to a large amount, do all the work to restore your identity, have lawyers on staff, etc. The cheapest plan is worthless as far as I am concerned.
 
It also provides you with the ability to search a password, to see if that password has been exposed in a breach.
Be careful with that. All it means is that somewhere in the world, amid the millions of compromised accounts, one of them happened to use that password. It doesn't mean anyone knows that password is somehow associated with your account at some specific institution.
 
Companies must make compromises between convenience and security. Convenience with how data is stored and accessed. It's not an easy problem to solve, as we all keep seeing with the preponderance of breaches. It's an age-old problem that's akin to physical security. You have a door and a lock and they use lock picks and battering rams. There are thicker doors and more complicated locks if what you're trying to secure is worth more to the bad guys. Standard human cat and mouse game. The breach letters don't phase me; it's the world we live in.
 
Point is people are weak. .... An easy phish title to get people to click... and enter credentials. Yikes!
I'll agree, but add something that might be important, and will probably be part of a solution.

People are (the) weak (link), easy to phish.

So they're led to a fake logon and their password is compromised.

The weak link is really the password. Not having a password would address most of the problem, but not many people understand how things could be secure without a password. But with public key encryption technology and an agreed-upon protocol, the site I'm attempting to access could give me a challenge where only I could generate the appropriate response. And the authentication "stuff" on the server could be handed to the hackers, and it would do them no good. This isn't theory... it's working. The principles are not in question. It's simply not adopted because there's no consensus on the details of the implementation, and of course the cost to change.
 
the site I'm attempting to access could give me a challenge where only I could generate the appropriate response.
Relying on "something I have" instead of "something I know" is good in theory.

But as someone who's known to lose things, and, especially, have them fall overboard, I find the implementation problematic. A good example (of a poor practice) is the way a lot of web sites have implemented two-factor authentication which depends on me having my cell phone with me. You can imagine how screwed I was when I dropped mine in the ocean, in a remote location, and couldn't access any 2FA-secured web sites.

Some implementations don't allow you to enter multiple phone numbers and/or e-mail addresses, so that you can't use a backup device like another phone, an IP-based phone number or whatever.

All of these problems can be solved. It's the implementation which is often botched. One bank I use only allows one e-mail address for 2FA confirmation codes. But their web site puts up a page forcing me to select that e-mail address from a list of one, then click a button, to proceed. And this is a big bank. Obviously they outsource their web design to the lowest bidder. No wonder we still have so many problems with authentication.
 
Congress should be looking at why our laws give these organizations a pass when they allow bad guys to literally spend months in their computer systems, stealing confidential information we have given them.
 
Relying on "something I have" instead of "something I know" is good in theory.

But as someone who's known to lose things, and, especially, have them fall overboard, I find the implementation problematic. A good example (of a poor practice) is the way a lot of web sites have implemented two-factor authentication which depends on me having my cell phone with me. You can imagine how screwed I was when I dropped mine in the ocean, in a remote location, and couldn't access any 2FA-secured web sites.

Some implementations don't allow you to enter multiple phone numbers and/or e-mail addresses, so that you can't use a backup device like another phone, an IP-based phone number or whatever.

All of these problems can be solved. It's the implementation which is often botched. One bank I use only allows one e-mail address for 2FA confirmation codes. But their web site puts up a page forcing me to select that e-mail address from a list of one, then click a button, to proceed. And this is a big bank. Obviously they outsource their web design to the lowest bidder. No wonder we still have so many problems with authentication.
Absolutely true that implementation is everything. You need a reliable "get out of jail free" card that obviously can't fall in the wrong hands. One of the big problems with the convergence on a solution is that some for-profit company wants to be in the middle of it. And they're not 100% focused on security... They all want to know who you are. But that's a separate problem. So knowing you're the same person as before isn't enough for them, but it's enough for security. They don't want you to be able to be more than one person, because that's bad for the control they want to have. That's the reason they all want your (somewhat unique to a person) cell phone number, and it's also the reason the problem is lingering.

As crazy as it may seem, maybe the best solution requires going back to paper. At least that was the solution for the open source project I worked on.

In the scenario you mentioned where the phone had gone swimming (which I think we talked about before), the solution would have been 1) get a new phone, 2) install some open source (trusted) software, 3) unfold the paper you kept folded in your wallet, 4) scan the QR code from the paper, 5) enter your sufficiently long pass phrase (a hash of which is used by the software and never hits storage), and 6) you're back in business with any site that implemented the protocol. As long as there's no key logger, all that's secure. The QR code alone isn't enough. The pass phrase alone isn't enough. The two allow the authenticator to operate. The implementation I worked on required that every time you wanted to authenticate, you enter a subset of your pass phrase, and every now and then, it made you enter the whole pass phrase, so you had to keep remembering it. And if you forgot your pass phrase anyway, then you'd go back to the physical folder you saved on the day you originally set up your identity and use that special "the day I installed" paper. The way the set-up worked is if you didn't write down your pass phrase and then key-in your pass phrase from the paper, the install didn't work. In other words, the implementation forced the user to not take any shortcuts that would risk getting locked out. This solution had no third party involvement. There was nobody to call if you blew it, but nobody had to be trusted. As long as the pair (paper plus pass phrase) remained secret and they didn't crack the TPM on the device, then the hackers could know literally everything else and not get anywhere.
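The two ideas above, the challenge-response login that needs no password on the server (the post about public key encryption and an agreed-upon protocol) and the "paper QR code plus pass phrase" recovery (this post), fit together in one small program. The following Go example is added here for illustration; it is not code from the thread or from the open source project the poster mentions. All names in it (DeriveSeed, KeysFromFactors, Server, Challenge, Respond, Verify) are my own, the paper secret and pass phrase are constructed sample values, and the seed derivation uses HMAC-SHA256 only because it is in the standard library; a real deployment would run the pass phrase through a slow, memory-hard KDF such as Argon2.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeriveSeed turns the two factors the post describes (the secret printed as a
// QR code on paper, plus the memorised pass phrase) into a 32-byte Ed25519 seed.
// The paper alone or the pass phrase alone does not produce the seed.
// Assumption: HMAC-SHA256 stands in for a slow KDF (Argon2) to stay stdlib-only.
func DeriveSeed(paperSecret []byte, passphrase string) []byte {
	mac := hmac.New(sha256.New, paperSecret)
	mac.Write([]byte(passphrase))
	return mac.Sum(nil) // exactly 32 bytes, the seed size Ed25519 expects
}

// KeysFromFactors rebuilds the same key pair on any device, which is what makes
// "new phone + paper + pass phrase" a complete recovery path with no third party.
func KeysFromFactors(paperSecret []byte, passphrase string) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(DeriveSeed(paperSecret, passphrase))
	return priv.Public().(ed25519.PublicKey), priv
}

// Server stores only public keys and outstanding challenges. A dump of this
// struct gives an attacker nothing that can sign a response.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register enrols a user's public key (done once, at account creation).
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce that the client must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Respond is the client side: sign the nonce with the private key, which never
// leaves the device (the post's "only I could generate the appropriate response").
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Verify checks the signature against the stored nonce and then discards the
// nonce, so a captured response cannot be replayed against a later challenge.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.users[user]
	nonce, pending := s.challenges[user]
	if !ok || !pending {
		return false
	}
	delete(s.challenges, user) // single use
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	// Constructed sample values; a real QR code would carry 32 random bytes.
	paper := []byte("constructed paper secret")
	pub, priv := KeysFromFactors(paper, "constructed pass phrase, long enough to matter")
	srv := NewServer()
	srv.Register("alice", pub)

	fmt.Println("all the server holds for alice:", hex.EncodeToString(pub))
	nonce, _ := srv.Challenge("alice")
	fmt.Println("legitimate login:", srv.Verify("alice", Respond(priv, nonce)))

	// Someone with the paper but the wrong pass phrase derives a different key.
	_, wrong := KeysFromFactors(paper, "wrong pass phrase")
	nonce, _ = srv.Challenge("alice")
	fmt.Println("wrong pass phrase:", srv.Verify("alice", Respond(wrong, nonce)))
}
```

The point the post makes is visible in the Server type: the "authentication stuff" it keeps is a public key and a throwaway nonce, so a breach of that table yields nothing to phish with or replay. FIDO2/WebAuthn is the standardised form of this same challenge-response idea.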
 
Paper is underrated. The problem is that we've learned "writing stuff down on paper is BAADD!"

Not always true, if done right.
 
Paper is underrated. The problem is that we've learned "writing stuff down on paper is BAADD!"

Not always true, if done right.
Rarely a problem within the realm we're talking about. The corporate bozos were worried Johnny would rifle through Danny's desk and log on as him, and see how much more he was making than him. In a non-office environment, paper is good.
 
As crazy as it may seem, maybe the best solution requires going back to paper. At least that was the solution for the open source project I worked on.

In the scenario you mentioned where the phone had gone swimming (which I think we talked about before), the solution would have been 1) get a new phone, 2) install some open source (trusted) software, 3) unfold the paper you kept folded in your wallet, 4) scan the QR code from the paper, 5) enter your sufficiently long pass phrase (a hash of which is used by the software and never hits storage), and 6) you're back in business with any site that implemented the protocol. As long as there's no key logger, all that's secure. The QR code alone isn't enough. The pass phrase alone isn't enough. The two allow the authenticator to operate. The implementation I worked on required that every time you wanted to authenticate, you enter a subset of your pass phrase, and every now and then, it made you enter the whole pass phrase, so you had to keep remembering it. And if you forgot your pass phrase anyway, then you'd go back to the physical folder you saved on the day you originally set up your identity and use that special "the day I installed" paper. The way the set-up worked is if you didn't write down your pass phrase and then key-in your pass phrase from the paper, the install didn't work. In other words, the implementation forced the user to not take any shortcuts that would risk getting locked out. This solution had no third party involvement. There was nobody to call if you blew it, but nobody had to be trusted. As long as the pair (paper plus pass phrase) remained secret and they didn't crack the TPM on the device, then the hackers could know literally everything else and not get anywhere.

This sounds a lot like how 1Password operates. But if you lose that piece of paper with the lengthy pass phrase on it, or you can't remember those 16 characters/digits, you are truly screwed.
 
This sounds a lot like how 1Password operates. But if you lose that piece of paper with the lengthy pass phrase on it, or you can't remember those 16 characters/digits, you are truly screwed.
Yes, the idea of a local vault probably is the same on a lot of these "trust no one" security products. If there is someone or some entity you have to trust, then they have something to steal and, as noted, probably will get hacked eventually.
 
United Healthcare CEO testified the breach was caused by UHC not using multifactor authentication! A simple security measure. Unbelievable.

"UnitedHealth data breach caused by lack of multifactor authentication, CEO says. Hackers breached the computer system of a UnitedHealth Group subsidiary and released ransomware after stealing someone's password, CEO Andrew Witty testified Wednesday on Capitol Hill. May 1, 2024"

 
Be careful with that. All it means is that somewhere in the world, amid the millions of compromised accounts, one of them happened to use that password. It doesn't mean anyone knows that password is somehow associated with your account at some specific institution.
Not all sites encrypt passwords, or they may use a weak encryption algorithm. A data breach can provide a link between an email address and a password. Too many people still use the same email address+password for many different accounts.

In addition, one way the hackers operate is to test passwords against compromised email addresses. They are counting on the above mentioned fact about people using the same email address+password for many different accounts. So they try against an email site, or a site that has a weak signin, or one that has had a data breach (meaning likely there is a way to bypass the normal security) that does not have 2FA and allows many password attempts. If one should happen to work, they will then test that email and password combination against financial sites. So it is still very much worth it to use a unique, un-compromised password.
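The pattern described in this post, a breached email+password list being tried against a site that allows many attempts, is what a site operator can actually see in its own login logs: one source address failing against many different accounts in quick succession, unlike a real user who mistypes one password a few times. The Go program below is an added example, not code from the thread, showing that detection over a handful of constructed log lines. The line format, the 203.0.113.x / 198.51.100.x addresses (documentation ranges) and the function names (ParseLine, DetectStuffing, AnalyzeLines) are all my own assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed authentication log line.
type LoginEvent struct {
	Time    time.Time
	User    string
	IP      string
	Success bool
}

// ParseLine parses the constructed line format used in this example:
//
//	<RFC3339 time> user=<name> ip=<addr> result=<ok|fail>
func ParseLine(line string) (LoginEvent, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return LoginEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return LoginEvent{}, err
	}
	ev := LoginEvent{Time: ts}
	for _, kv := range fields[1:] {
		key, val, ok := strings.Cut(kv, "=")
		if !ok {
			return LoginEvent{}, fmt.Errorf("malformed field: %q", kv)
		}
		switch key {
		case "user":
			ev.User = val
		case "ip":
			ev.IP = val
		case "result":
			ev.Success = val == "ok"
		}
	}
	return ev, nil
}

// Finding describes one source IP whose behaviour matches credential stuffing.
type Finding struct {
	IP             string
	DistinctUsers  int  // different accounts that failed from this IP in the window
	Failures       int  // total failed attempts in the window
	SucceededAfter bool // a login from this IP succeeded after the failure run
}

// DetectStuffing flags IPs that fail against at least minUsers distinct
// accounts inside one time window. A single user failing repeatedly (a
// mistyped password) is not flagged; many different users failing from one
// address is the signature of a breach list being replayed.
func DetectStuffing(events []LoginEvent, minUsers int, window time.Duration) []Finding {
	byIP := map[string][]LoginEvent{}
	for _, ev := range events {
		byIP[ev.IP] = append(byIP[ev.IP], ev)
	}
	var findings []Finding
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for start := range evs { // sliding window anchored at each event
			users := map[string]bool{}
			failures := 0
			for end := start; end < len(evs) && evs[end].Time.Sub(evs[start].Time) <= window; end++ {
				if !evs[end].Success {
					users[evs[end].User] = true
					failures++
				}
			}
			if len(users) < minUsers {
				continue
			}
			f := Finding{IP: ip, DistinctUsers: len(users), Failures: failures}
			for _, later := range evs[start:] {
				if later.Success {
					f.SucceededAfter = true // the attacker's list scored a hit
				}
			}
			findings = append(findings, f)
			break // one finding per IP is enough
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].IP < findings[j].IP })
	return findings
}

// AnalyzeLines parses raw lines and runs the detector over them.
func AnalyzeLines(lines []string, minUsers int, window time.Duration) ([]Finding, error) {
	events := make([]LoginEvent, 0, len(lines))
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return DetectStuffing(events, minUsers, window), nil
}

// SampleLog is constructed test data: one address walking a list of accounts
// and finally getting in, and one ordinary user who mistyped twice.
var SampleLog = []string{
	"2024-05-01T10:00:00Z user=alice ip=203.0.113.5 result=fail",
	"2024-05-01T10:00:02Z user=bob ip=203.0.113.5 result=fail",
	"2024-05-01T10:00:04Z user=carol ip=203.0.113.5 result=fail",
	"2024-05-01T10:00:06Z user=dave ip=203.0.113.5 result=fail",
	"2024-05-01T10:00:08Z user=erin ip=203.0.113.5 result=fail",
	"2024-05-01T10:00:10Z user=frank ip=203.0.113.5 result=ok",
	"2024-05-01T10:01:00Z user=alice ip=198.51.100.7 result=fail",
	"2024-05-01T10:01:20Z user=alice ip=198.51.100.7 result=fail",
	"2024-05-01T10:01:40Z user=alice ip=198.51.100.7 result=ok",
}

func main() {
	findings, err := AnalyzeLines(SampleLog, 5, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %d distinct accounts, %d failures, later success: %v\n",
			f.IP, f.DistinctUsers, f.Failures, f.SucceededAfter)
	}
}
```

The SucceededAfter flag is the one worth paging on: it marks the account the list matched, which is exactly the reused email+password pair the post warns about, and it is the account whose password should be reset and whose session should be revoked. Rate limiting per address and per account, plus 2FA as the post notes, removes most of the signal before it ever reaches this detector.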
 
I’m hearing about companies using blockchain technology to create ways to verify your identity online, a sort of encrypted “digital fingerprint” for all of your online surfing and use. In a few years, hopefully, scammers won’t be able to use your stolen data.
 