Yet Another Cycling Forum
General Category => The Knowledge => Ctrl-Alt-Del => Topic started by: meddyg on 29 November, 2023, 08:32:33 pm
-
I'm just a retired GP with a Mac and a fone.
I use LastPass and presumably share some passwords with Apple fone - keychain .
I was busy renewing Home insurance with SAGA & went with them because they offer personal identity theft
protection and 'online safety support service.'
'Er, so what I am I getting with this - does it mean if someone hacks my bank account and empties it you cover that?'
'Well, then you'd have to contact your bank.'
'OK where in the policy does it say what I'm getting?'
Turns out service is outsourced to RAC Legal protection (but not till policy renewal- mid December).
Apparently it's with AmTrust Europe presently- who don't publish their fone number !
So succinct quest for boffins; if I'd like to get an honest assessment of my online security, who can do this for me?
Don't mind paying .
-
'online safety support service'
TBH it sounds like "Oh, I know" in a Sybil Fawlty voice.
-
My non-boffin response is that I don't bother – but I stay away from dodgy websites, don't download or torrent pirated stuff or random software applications, and resist the urge to click links in emails (I am, indeed, a paragon of internet virtue). The most common security issues seem to be social, people calling and offering to help you a problem they've detected or phishing. My eminent misanthropy is protection enough and frankly if someone has taken over my webcam and filmed me doing some personal exercises they're welcome to the video and if it's that good I'm signing up for Onlyfans and they can subscribe.
-
The most common security issues seem to be social, people calling and offering to help you a problem they've detected or phishing.
The other big one seems to be 'not understanding the difference between web content, advertising and operating system UI elements', and I'm really not sure how you can instil that level of computer literacy in someone who has managed to achieve a non-trivial online existence without acquiring it. Running a minority OS might help in principle, but the sort of person who's going to 'click to remove ads' on a random website isn't likely to get appropriately suspicious at a Windows-style dialog box popping up on their Mac.
Also, if this were a sane world, it would be the bank who would be insuring themselves against being defrauded, rather than shifting the blame and responsibility to their customers.
-
the trouble is, everyone has a different view of the risks they feel are appropriate. Really, it isn't likely worth an individual paying for an assessment.
Here are some things you can do:
On the security side:
Sort out your passwords. Don't reuse passwords across sites, especially for sensitive stuff.
Most sites that take security seriously provide Two Factor Authentication, implement it, try to avoid the text option and use an authenticator app
Don't click on links in mail if you can possibly help it even if you think the source is trusted.
On the info side:
Search and read about common exploits, inform yourself of what they are and how people are duped into fraud
Use google? Take their security checkup (search Google Security Check) and take their advice
Oh, and for anyone using google chrome? Update immediately, there's a new and nasty Day zero vulnerability that needs fixing (Three dots->Help->About Google Chrome)
-
Use a Credit Card for online transactions of any significant value.
Don't click on Facebook ads EVER (DAMHIKT)
If something looks cheap, it's probably a scam.
If an offer puts time pressure on you, it's almost definitely a scam.
If an offer is very cheap and very urgent - it's certainly a scam.
If someone calls you, be wary. Ask if you can call them back, check the number.
Not exhaustive!
-
So.
You want to improve your online security. Ready?
Buy a fire safe (assuming you don't already have one). You can get one that is data rated for 30+ minutes for about 100 quid.
Keep it somewhere safe, but not obvious. Don't keep it in the primary bedroom. Or anything obviously a study.
Next up. For everything you can, enable two factor authentication, if at all possible choose the authenticator app option. I use Google authenticator, ms also make one, there are others. When you do any system set up properly should give you some emergency codes. Usually a set of ten. Now. Write these down. On an index card, label the site they are for. And out them in an envelope in your fire safe.
Take regilar backups into an external disk. Keep this disconnected when ever you're not actively using it. Keep the disk in the fire safe. If you can. Have 3. Do backups every 2 weeks. Rotate. Do not leave them plugged in. Mac makes this easy with time machine.
Next up, in your email. Never ever ever ever, and I can't stress this enough. Click a link in an email. An external org that my employer uses sent me an email using a "secure messaging platform" it just comes through as "an account has been created for you on <website>." And a link. I marked it as phishing and ignored it. I got a call on Tuesday from an unknown number. They said I had a phone appointment with them, and they sent me a message about it. Guess what that website was. I said I was unwilling to talk to someone I'm not expecting on an unknown number. They said my employer would still be billed. I said I don't care. I later explained this all to my boss. He completely supports this action. An appointment has been made in person instead. The problem is there is absolutely no way to tell if I was being phished, or it was genuine. You have to be paranoid. Click nothing.
When it comes to online payments. Use PayPal where ever you can. If you can't use PayPal and have to use a credit card. Consider getting a separate card with a limit of say 200 quid. So that worse case if your card details are stolen, the most you lose is 200 quid, and hopefully only while your bank fucks about to work out what is going on.
Did I mention don't click links in emails? Same for texts. Or instant messaging.
You got a parcel tracking link sent from someone? Take the tracking number only, and paste that into the courier website.
Never open attachments.
Assume everyone is trying to scam you. Assume everything is phishing, and assume every attachment is malware.
And you'll still likely get hit at some point. But that's what the backups are for.
Don't open attachments. Don't click links. Make backups. Use 2fa. Have backup emergency codes for your 2fa offline in a firesafe. Keep your backups in there.
Oh, and finally. Use a password manager. Write the password for that down. Put it in a sealed envelope in your safe.
The question should not be "am I being paranoid?". It's "am I being paranoid enough?"
J
-
When it comes to online payments. Use PayPal where ever you can. If you can't use PayPal and have to use a credit card. Consider getting a separate card with a limit of say 200 quid. So that worse case if your card details are stolen, the most you lose is 200 quid, and hopefully only while your bank fucks about to work out what is going on.
Better to use your Credit Card (in the UK at least) as that at least ensures people are afforded protection from the Consumer Credit Act. If you pay via PayPal, even using a Credit Card, you lose that protection. The CCA protects the transfer of the funds to the intermediary (in this case PayPal) but not the transfer of funds from the intermediary to the seller/scammer.
The safe is a good idea. And good points about offline backups with, with almost in-effect, point in time recovery.
I would recommend using an off-line password manager (Keepass FTW). I'd also recommend using the Keepass TOTP plugin for second/third/multi factor authentication. Then ensure the Keepass database is backed up to multiple memory sticks and shoved into the safe. There have been too many compromises involving on-line password services. The company I work for have recently had the joy of cycling all the passwords stored with one of the popular providers of this service owing to a breach at their end.
I would also recommend keeping anything that a hacker might want access too away from a smart phone. Especially, Android phones. I know this is inconvenient ... but really, it depends on your risk profile and exactly what risks you want to mitigate. Personally, I find doing a lot of things on a smart phone cumbersome and difficult. And I manage my finances with a spreadsheet, so it's not a big deal for me to use the computer when I want to log into the bank.
-
When it comes to online payments. Use PayPal where ever you can. If you can't use PayPal and have to use a credit card. Consider getting a separate card with a limit of say 200 quid. So that worse case if your card details are stolen, the most you lose is 200 quid, and hopefully only while your bank fucks about to work out what is going on.
Better to use your Credit Card (in the UK at least) as that at least ensures people are afforded protection from the Consumer Credit Act. If you pay via PayPal, even using a Credit Card, you lose that protection. The CCA protects the transfer of the funds to the intermediary (in this case PayPal) but not the transfer of funds from the intermediary to the seller/scammer.
Now that is really useful to know. Didn't realise that. Then definitely the card with the small credit limit then.
J
-
/me wonders how much use a credit card with a limit of £200 would be for some, or more, of his typical online purchases. The words “teapot” and “chocolate” spring effortlessly to mind.
-
What you really need is a card with a small credit limit and a card with a big credit limit. Or possibly a card with a programmable credit limit, if such things exist and don't require some stupid app to control them.
I have a wise.com account, which is useful for performing transactions with ABROAD. One of the features is being able to generate virtual debit cards, which you can then kill off at the end of your business relationship with Dodgy Dave's Previously-Owned TQT Emporium, or whatever.
-
Any thoughts on physical security keys, like Google Titan and others of that ilk?
-
I have a wise.com account, which is useful for performing transactions with ABROAD. One of the features is being able to generate virtual debit cards, which you can then kill off at the end of your business relationship with Dodgy Dave's Previously-Owned TQT Emporium, or whatever.
Sounds clever...
-
Any thoughts on physical security keys, like Google Titan and others of that ilk?
My propensity for losing and misplacing objects has always deterred me from using them. If they could be used with things that actually mattered (bank, gov.uk) and those services let me configure two (one to use and one to keep securely in case of emergency) then I'd be more inclined to try one.
They are probably of value for people who are self-hosting and can configure their devices, SSH, Nextcloud etc.. to make use of them.
I think if you are doing all the right things already (good habits, password manager, updates, device hygiene) then they are probably a good additional step for services that can be configured to use them as an additional factor of authentication.
-
I have a yubikey on my keys. I have yubikeys (plural) for work. I don't keep the two together. Any system that allows you to setup a yubikey should allow you to setup a second second factor, for which the emergency codes written down in your firesafe are the backup. Many systems allow more than one yubikey.
Big fan of yubikeys, wish more systems supported them.
J
-
/me wonders how much use a credit card with a limit of £200 would be for some, or more, of his typical online purchases. The words “teapot” and “chocolate” spring effortlessly to mind.
Well pick what ever number you need. My last few online purchases have all been under 20 euro, so a 200 limit would be fine. Many cards allow you to change the limit with relative easy, so you can set it to a higher amount when needed.
Some banks support One time use cards too. Which are a great idea.
J
-
I have a wise.com account, which is useful for performing transactions with ABROAD. One of the features is being able to generate virtual debit cards, which you can then kill off at the end of your business relationship with Dodgy Dave's Previously-Owned TQT Emporium, or whatever.
Sounds clever...
I seem to remember years ago there was a card (Egg?) that created a unique card number for each transaction. I guess people didn't take to it, because of the faff of having to use the site each time, wise.com sounds the nearest to it
ETA, Actually Revolut seems to be a better fit, Klarna as well, but that is tainted by the brand in my view.
-
/me wonders how much use a credit card with a limit of £200 would be for some, or more, of his typical online purchases. The words “teapot” and “chocolate” spring effortlessly to mind.
Well pick what ever number you need. My last few online purchases have all been under 20 euro, so a 200 limit would be fine. Many cards allow you to change the limit with relative easy, so you can set it to a higher amount when needed.
Some banks support One time use cards too. Which are a great idea.
J
On the one hand you have easy-to-set limits, prepaid cards, one-time cards, etc. These are by and large debit cards. They can protect you against your card details getting out into the wild.
On the other, there are credit cards with the CCA protection against a problem with the purchase you have made.
It's generally difficult to vary limits on a credit card, mainly because it's credit and regulated as such. If you know of any that allow instant regular changes or one-time virtual cards, I (and by the sounds of it several here) would be interested to know where to get one.
-
I'm not sure there's that much threat from a credit limit, any significant transactions in volume or frequency will trip the anomalous transactions trigger. Manipulating the limit would open the door to other exploitation pathways.
As said, when it comes to this kind of thing, think through your risks, what can you afford to lose, and how exposed are you to various threats? The only really important data I have is photographs which are, of course irreplaceable so as such get backed up all over the place. The few other important documents and list of passwords live in an encrypted volume that is also heavily backed up. As default, you should invoke whatever security settings your computer lets you (Macs have FileVault as default).
-
On the security side:
Sort out your passwords. Don't reuse passwords across sites, especially for sensitive stuff.
Most sites that take security seriously provide Two Factor Authentication, implement it, try to avoid the text option and use an authenticator app...
On the info side:
Search and read about common exploits, inform yourself of what they are and how people are duped into fraud...
This is good. I'd add...
Keep your system security patched. (Security updates on your operating system.)
Use unique passwords. Do not reuse passwords.
Do not store passwords unencrypted on an internet-connected device.
And like Afasoas, I don't, and wouldn't, store personal info on an Android smartphone.
-
On the security side:
Sort out your passwords. Don't reuse passwords across sites, especially for sensitive stuff.
Most sites that take security seriously provide Two Factor Authentication, implement it, try to avoid the text option and use an authenticator app...
On the info side:
Search and read about common exploits, inform yourself of what they are and how people are duped into fraud...
This is good. I'd add...
Keep your system security patched. (Security updates on your operating system.)
Use unique passwords. Do not reuse passwords.
Do not store passwords unencrypted on an internet-connected device.
And like Afasoas, I don't, and wouldn't, store personal info on an Android smartphone.
Interesting. I'd store _access_ to personal data on an Android smartphone (ie banking apps etc) as long as the phone and the app were secured by biometrics. I'm not sure if that's any better tbh.
-
Interesting. I'd store _access_ to personal data on an Android smartphone (ie banking apps etc) as long as the phone and the app were secured by biometrics. I'm not sure if that's any better tbh.
I would be the opposite. Biometrics as a single factor are an awful idea. I can have two people hold you down while I apply your finger to a sensor. Or hold your face to a camera.
Not to mention that in many jurisdictions a court order is needed to get you to give up a password, the same is not true if a biometric.
Have it as a second factor sure, but do not rely on it as your only means if authentication for any devices
J
-
I can change a password, if it gets compromised.
I can't change the resolved hash of my thumbprint.
Also, with android phones ... I think the biggest threat is the malware in the Google Play app store. I don't know whether efforts in more recent times to clean up this mess have born out any success.
-
In short. Throw your computer away and buy a pencil and notepad, but, unless your handwriting is as bad as mine - the OP is a medic, nuff sed?, make sure you learn one of the less common shorthand notations so people can't read what you've written HTH. :)
-
But careful what surface you write on, cos then someone might come along and impression the paper underneath where you wrote...
J
-
As ever, measure your risk and the value of what you could lose. If you're overseeing a mountain of personal data or are secret agent, you may want to ramp it up. If you've got £200 in your bank account and the dodgiest thing on your hard drive is a 3-second animated porn gif featuring an elf, well, that's between you and your god.
-
Or fired a laser at your window and picked up the sounds from your writing and decoded it. This of course isn’t new spy technology been around a while, but mostly for listening in to conversations.
-
Interesting. I'd store _access_ to personal data on an Android smartphone (ie banking apps etc) as long as the phone and the app were secured by biometrics. I'm not sure if that's any better tbh.
I would be the opposite. Biometrics as a single factor are an awful idea. I can have two people hold you down while I apply your finger to a sensor. Or hold your face to a camera.
Not to mention that in many jurisdictions a court order is needed to get you to give up a password, the same is not true if a biometric.
Have it as a second factor sure, but do not rely on it as your only means if authentication for any devices
J
Yes, I get that someone could force me to unlock my phone, but I don't keep anything important on my phone. I do have access to banking apps and credit card apps but my thought is that you can't withdraw cash using a phone so you'd need to make an electronic transfer which is more traceable than a normal street mugging. In a face to face confrontation I'd give up the phone and any money as a matter of course. My understanding is that remotely hacking a biometric authentication is non-trivial.
I regard cyber-security as being a way to stop people ripping you off rather than defeating Her Majesty's Plod. If the Hot Fuzz are after you - all your data is going to be compromised eventually. Switching off your phone to force them to bring a court order isn't going to achieve much apart from a long(er) wait in the cell. Of course, if you have annoyed a three letter agency then you'll probably never know that your data has been compromised until you wake up on a plane...
-
Yes, I get that someone could force me to unlock my phone, but I don't keep anything important on my phone. I do have access to banking apps and credit card apps but my thought is that you can't withdraw cash using a phone so you'd need to make an electronic transfer which is more traceable than a normal street mugging. In a face to face confrontation I'd give up the phone and any money as a matter of course. My understanding is that remotely hacking a biometric authentication is non-trivial.
I regard cyber-security as being a way to stop people ripping you off rather than defeating Her Majesty's Plod. If the Hot Fuzz are after you - all your data is going to be compromised eventually. Switching off your phone to force them to bring a court order isn't going to achieve much apart from a long(er) wait in the cell. Of course, if you have annoyed a three letter agency then you'll probably never know that your data has been compromised until you wake up on a plane...
Quite. This is a classic example of "your threat model is not my threat model"
I wish android allowed you to setup a duress code...
J
-
I wish android allowed you to setup a duress code...
J
Don't Google staff wear chinos and polo shirts like all other techies?
:)
-
As I'm binging Alias at the moment, I consider my main threat model to be an alluring secret agent in a wig.
-
Yes, I get that someone could force me to unlock my phone, but I don't keep anything important on my phone. I do have access to banking apps and credit card apps but my thought is that you can't withdraw cash using a phone so you'd need to make an electronic transfer which is more traceable than a normal street mugging. In a face to face confrontation I'd give up the phone and any money as a matter of course. My understanding is that remotely hacking a biometric authentication is non-trivial.
I regard cyber-security as being a way to stop people ripping you off rather than defeating Her Majesty's Plod. If the Hot Fuzz are after you - all your data is going to be compromised eventually. Switching off your phone to force them to bring a court order isn't going to achieve much apart from a long(er) wait in the cell. Of course, if you have annoyed a three letter agency then you'll probably never know that your data has been compromised until you wake up on a plane...
Quite. This is a classic example of "your threat model is not my threat model"
I wish android allowed you to setup a duress code...
J
ah yes, like https://en.wikipedia.org/wiki/EncroChat (https://en.wikipedia.org/wiki/EncroChat)
Good idea, possibly unpopular with Gubmints.
-
Just eat some crisps and the finger print biometric won’t work. Anti mugging measures.
-
When it comes to online payments. Use PayPal where ever you can. If you can't use PayPal and have to use a credit card. Consider getting a separate card with a limit of say 200 quid. So that worse case if your card details are stolen, the most you lose is 200 quid, and hopefully only while your bank fucks about to work out what is going on.
Better to use your Credit Card (in the UK at least) as that at least ensures people are afforded protection from the Consumer Credit Act. If you pay via PayPal, even using a Credit Card, you lose that protection. The CCA protects the transfer of the funds to the intermediary (in this case PayPal) but not the transfer of funds from the intermediary to the seller/scammer.
Alternatively Apple Pay/google pay when available. They still protect your card details, but transactions are covered by the CCA (As long as the card in your wallet is a credit card)
-
Interesting. I'd store _access_ to personal data on an Android smartphone (ie banking apps etc) as long as the phone and the app were secured by biometrics. I'm not sure if that's any better tbh.
I would be the opposite. Biometrics as a single factor are an awful idea. I can have two people hold you down while I apply your finger to a sensor. Or hold your face to a camera.
Not to mention that in many jurisdictions a court order is needed to get you to give up a password, the same is not true if a biometric.
Have it as a second factor sure, but do not rely on it as your only means if authentication for any devices
J
If I am being held down and forced to give access to devices by people of dodgy repute, the related weakness of biometrics is not my main concern. They are going to get access regardless.
-
They can steal your face..
(https://www.theregister.com/AMP/2024/02/15/cybercriminals_stealing_face_id/)
-
Interesting. I'd store _access_ to personal data on an Android smartphone (ie banking apps etc) as long as the phone and the app were secured by biometrics. I'm not sure if that's any better tbh.
I would be the opposite. Biometrics as a single factor are an awful idea. I can have two people hold you down while I apply your finger to a sensor. Or hold your face to a camera.
Not to mention that in many jurisdictions a court order is needed to get you to give up a password, the same is not true if a biometric.
Have it as a second factor sure, but do not rely on it as your only means if authentication for any devices
J
If you are in the situation where two people can physically control you, give up and give them all your money. Doesn't matter what security you have, they can physically coerce you into circumventing it.
I think paypal is decently secure, and you can turn on two factor these days.
Monzo can be configured to request confirmation via app before online payments go through.
All of this is more secure than cash, which can be dropped, pick-pocketed, lost when your bag is stolen, or forcibly taken from you.
The big risks are, IMO, phishing or malware, and account hacking. For example, if someone got my Amazon username and password, they could order quite a bit of stuff before I noticed. It is a bit similar to having a card stolen in the past (when my house in york was burgled, the burglers immediately filled several cars with fuel).
-
If you are in the situation where two people can physically control you, give up and give them all your money. Doesn't matter what security you have, they can physically coerce you into circumventing it.
ob.XKCD https://xkcd.com/538/ (https://xkcd.com/538/)
(https://imgs.xkcd.com/comics/security.png)
-
Not to mention that in many jurisdictions a court order is needed to get you to give up a password, the same is not true if a biometric.
If you are in the situation where two people can physically control you, give up and give them all your money. Doesn't matter what security you have, they can physically coerce you into circumventing it.
That assumes the people trying to access your stuff are in it to steel money. The more important line IMHO, of my mail is the one about the court order requirement to give up a passport.
We've all seen the "if you've done nothing wrong, you've nothing to hide" is a very movable goal post. The rules can change very very fast (see roe v wade impact in the US). You might not have done anything wrong today. But that might not be the same in 6 months.
Having any cop who wants to hold up your phone to your face while you sit there cuffed is a terrifying prospect.
J
-
https://jd-solicitors.co.uk/can-the-police-make-me-unlock-my-phone/
I'm not sure how hard they'd have to try to sidestep them, but there are laws in place.