Old 12-30-2020, 07:52 PM   #61
Recycles dryer sheets
G8tr's Avatar
 
Join Date: Apr 2014
Posts: 197
I've been in cyber security for the past 15 years, double that if you count hobbyist use of rudimentary antivirus tools (anyone remember F-PROT?). However, I'm not a cyber security professional; rather I've been more on the policy and standards side during my time in the industry. The evolution of cyber security technology has been significant since the early days, but the weakest link has always been in the chair (hence the acronym PICNIC - problem in chair, not in computer aka an id10t error). These days, that weakest link is in lower tiers of the supply chain, particularly if the supplier is located overseas.
G8tr is offline   Reply With Quote
Old 12-31-2020, 06:49 AM   #62
Thinks s/he gets paid by the post
 
Join Date: Jan 2017
Posts: 2,643
Quote:
Originally Posted by target2019 View Post
If you measure potential threats, the risk is at least doubled when you use online access. See below. Of course the picture is much more complicated.
Very much more complicated. I've yet to hear any specifics as to how on-line transactions increase my risk. Like, what exactly constitutes the "threat" hypothesized in the diagram?

Of course a lot depends on the person. If you create weak passwords, share them with others, post them or save them somewhere obvious, then another individual may take advantage of you. But that's not what this thread is about. We're talking back-end hacks, which you have no control over.

I'll also add that at the individual level, it's far more likely that someone will simply provide their account information to a phone scammer. Which of course would have nothing to do with whether or not they made legitimate online transactions.

Quote:
Originally Posted by G8tr View Post
I've been in cyber security for the past 15 years, double that if you count hobbyist use of rudimentary antivirus tools (anyone remember F-PROT?). However, I'm not a cyber security professional; rather I've been more on the policy and standards side during my time in the industry. The evolution of cyber security technology has been significant since the early days, but the weakest link has always been in the chair (hence the acronym PICNIC - problem in chair, not in computer aka an id10t error). These days, that weakest link is in lower tiers of the supply chain, particularly if the supplier is located overseas.
Yes, I remember F-PROT. And I've done first-, second- and third-level user support. You'll get no argument from me about the damage a clueless user can inflict.

But again, we're talking big picture. Assuming I'm not handing out my information to scammers, the risk isn't coming from MY chair. Maybe some low-level employee at the financial institution or one of their contractors, but that's not something *I* have control over. Nor is it something that *I* will be held accountable for. If it's their mistake, they will take the loss. Anything short of that would undermine our entire financial system.

I remain unconvinced that I'm increasing my risk by using online transactions.
CaptTom is offline   Reply With Quote
Old 12-31-2020, 08:12 AM   #63
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
target2019's Avatar
 
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,685
Quote:
Originally Posted by target2019 View Post
If you measure potential threats, the risk is at least doubled when you use online access. See below. Of course the picture is much more complicated.
Quote:
Originally Posted by CaptTom View Post
Very much more complicated. I've yet to hear any specifics as to how on-line transactions increase my risk. Like, what exactly constitutes the "threat" hypothesized in the diagram?

Of course a lot depends on the person. If you create weak passwords, share them with others, post them or save them somewhere obvious, then another individual may take advantage of you. But that's not what this thread is about. We're talking back-end hacks, which you have no control over.

I'll also add that at the individual level, it's far more likely that someone will simply provide their account information to a phone scammer. Which of course would have nothing to do with whether or not they made legitimate online transactions.



Yes, I remember F-PROT. And I've done first-, second- and third-level user support. You'll get no argument from me about the damage a clueless user can inflict.

But again, we're talking big picture. Assuming I'm not handing out my information to scammers, the risk isn't coming from MY chair. Maybe some low-level employee at the financial institution or one of their contractors, but that's not something *I* have control over. Nor is it something that *I* will be held accountable for. If it's their mistake, they will take the loss. Anything short of that would undermine our entire financial system.

I remain unconvinced that I'm increasing my risk by using online transactions.
In the diagram in the previous post, TA stands for Threat Actor. The TA has an ever-improving toolbox which targets the vulnerabilities in a given system. If you need specifics, all known vulnerabilities can be searched at this site:
https://www.cvedetails.com/

That answers your comment which I've bolded and underlined in your reply. BTW you do have control over back-end hacks by hardening your system and using secure practices so that a TA can't ride your connection into the secure enclave. This doesn't eliminate all threats, but I think most will agree that hardening your own system mitigates some threats, and means less potential work for institution security.

G8tr can address your comments to him.
target2019 is online now   Reply With Quote
Old 12-31-2020, 08:48 AM   #64
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
target2019's Avatar
 
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,685
Quote:
Originally Posted by smihaila View Post
What part didn't you understand from the previous post? The hackers DO have the "master key" - while not in the form of an encryption key, it is the access itself to the back-end systems. They got administrator-level access, namely they could open a database containing your account balance info and subtract money from your super precious account. While it may be true that - if proper data security and privacy were put in place - sensitive info like credit card numbers, SSN number, passwords, DOB etc. are encrypted, once one is inside the system, one can still do damage.
It's always nice to get a proper explanation of what someone has posted. I wasn't able to find a source that confirmed SolarWinds master key had been stolen. Of course it would be a juicy target, but nothing proven yet as best I can tell. Of course I'm just a bystander reading technical reports, and have no special sources to tell me otherwise.

In any event, you can be sure the real master key has been changed.
https://www.makeuseof.com/microsoft-...s-cyberattack/

Quote:
Originally Posted by smihaila View Post
Bollocks! As if one would call M$ Windows 10 a "secure OS" :-)
I did not call Windows 10 a secure OS. I did say that it is safer and more secure than Windows 7. Please don't misquote.

Quote:
Originally Posted by smihaila View Post
Bollocks 2nd time. I, for one, do not wish to give the keys to my house to the "Mr. Password Manager" - no matter how much auditing and open source "transparency" he's showing to me.
It's clear to me that you hold some convictions most here don't subscribe to. Let me end my last post to you in this way. 15 years of working in defense, having access to secure systems, and writing documentation about such leaves me very comfortable with using a password manager. When DS purchased 1Password for family use, I went with it. Who could argue with someone with a security degree, Cisco-certified, and over 10 years' experience as a security engineer with 2 worldwide companies?

I don't write this to convince you of anything, but wanted to respond one last time to make some clear points.
target2019 is online now   Reply With Quote
Old 12-31-2020, 03:10 PM   #65
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 10,656
Quote:
Originally Posted by target2019 View Post
If you measure potential threats, the risk is at least doubled when you use online access. See below. Of course the picture is much more complicated.
The implication in the diagram is that by opening a web account with a business, you expand the attack surface. I think that is true, because now the computer used to access the web account can be a vector.

I found myself imagining the diagram without the account owner computer used to access the web account, and thinking how much better that would be. Then I realized it wasn't quite that easy because an additional risk appears: If the true account owner doesn't initiate the web account, then a threat actor could initiate the web account.

Probably the safest would be to initiate the web account with long random passwords, and don't save the passwords, and never log on. And of course put nonsense also in the backup mechanism (my first grade teacher's name was "Smith", I kid you not). This presumes the bar is equally high for resetting web access as initiating web access (my experience varies).

Because most of us enjoy the convenience of accessing our accounts over the web, nobody likes to hear that they could be "safer" if they did not enable web access, but I think there is some truth to it.
sengsational is offline   Reply With Quote
Old 12-31-2020, 03:54 PM   #66
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
JoeWras's Avatar
 
Join Date: Sep 2012
Posts: 11,701
Quote:
Originally Posted by sengsational View Post
Because most of us enjoy the convenience of accessing our accounts over the web, nobody likes to hear that they could be "safer" if they did not enable web access, but I think there is some truth to it.
It probably is slightly better, especially today. But I don't think it was safer 10 years ago. Back then, it was way too easy to open an on-line access to your account with a little knowledge. It was safer to have done it yourself and denied the hacker the opportunity.

It seems like some precautions have been taken to avoid this kind of hack? I hope?

DW opened up her on-line Social Security account access for this reason and then buried it.

10 years ago, I was busy getting on-line access to my father's accounts so I could manage his affairs. It was shockingly easy. I really hope it is harder today.
__________________
Retired Class of 2018


JoeWras is offline   Reply With Quote