Author Topic: Cybersecurity for proles  (Read 4602 times)

ian

Re: Cybersecurity for proles
« Reply #25 on: 02 January, 2024, 08:18:02 pm »
As ever, measure your risk and the value of what you could lose. If you're overseeing a mountain of personal data or are a secret agent, you may want to ramp it up. If you've got £200 in your bank account and the dodgiest thing on your hard drive is a 3-second animated porn gif featuring an elf, well, that's between you and your god.

Re: Cybersecurity for proles
« Reply #26 on: 02 January, 2024, 08:22:13 pm »
Or fired a laser at your window and picked up the sounds from your writing and decoded it. This of course isn’t new spy technology; it's been around a while, but mostly for listening in to conversations.

Morat

  • I tried to HTFU but something went ping :(
Re: Cybersecurity for proles
« Reply #27 on: 03 January, 2024, 12:00:34 pm »

Interesting. I'd store _access_ to personal data on an Android smartphone (ie banking apps etc) as long as the phone and the app were secured by biometrics. I'm not sure if that's any better tbh.

I would be the opposite. Biometrics as a single factor are an awful idea. I can have two people hold you down while I apply your finger to a sensor. Or hold your face to a camera.

Not to mention that in many jurisdictions a court order is needed to get you to give up a password, the same is not true of a biometric.

Have it as a second factor sure, but do not rely on it as your only means of authentication for any devices

J

Yes, I get that someone could force me to unlock my phone, but I don't keep anything important on my phone. I do have access to banking apps and credit card apps but my thought is that you can't withdraw cash using a phone so you'd need to make an electronic transfer which is more traceable than a normal street mugging. In a face to face confrontation I'd give up the phone and any money as a matter of course. My understanding is that remotely hacking a biometric authentication is non-trivial.

I regard cyber-security as being a way to stop people ripping you off rather than defeating Her Majesty's Plod. If the Hot Fuzz are after you - all your data is going to be compromised eventually. Switching off your phone to force them to bring a court order isn't going to achieve much apart from a long(er) wait in the cell. Of course, if you have annoyed a three letter agency then you'll probably never know that your data has been compromised until you wake up on a plane...
Everyone's favourite windbreak

quixoticgeek

  • Mostly Harmless
Re: Cybersecurity for proles
« Reply #28 on: 03 January, 2024, 01:08:42 pm »

Yes, I get that someone could force me to unlock my phone, but I don't keep anything important on my phone. I do have access to banking apps and credit card apps but my thought is that you can't withdraw cash using a phone so you'd need to make an electronic transfer which is more traceable than a normal street mugging. In a face to face confrontation I'd give up the phone and any money as a matter of course. My understanding is that remotely hacking a biometric authentication is non-trivial.

I regard cyber-security as being a way to stop people ripping you off rather than defeating Her Majesty's Plod. If the Hot Fuzz are after you - all your data is going to be compromised eventually. Switching off your phone to force them to bring a court order isn't going to achieve much apart from a long(er) wait in the cell. Of course, if you have annoyed a three letter agency then you'll probably never know that your data has been compromised until you wake up on a plane...

Quite. This is a classic example of "your threat model is not my threat model"

I wish Android allowed you to set up a duress code...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Cudzoziemiec

  • Ride adventurously and stop for a brew.
Re: Cybersecurity for proles
« Reply #29 on: 03 January, 2024, 04:19:07 pm »
I wish Android allowed you to set up a duress code...

J
Don't Google staff wear chinos and polo shirts like all other techies?



 :)
Riding a concrete path through the nebulous and chaotic future.

ian

Re: Cybersecurity for proles
« Reply #30 on: 03 January, 2024, 07:57:55 pm »
As I'm binging Alias at the moment, I consider my main threat model to be an alluring secret agent in a wig.

Morat

  • I tried to HTFU but something went ping :(
Re: Cybersecurity for proles
« Reply #31 on: 08 January, 2024, 09:01:07 pm »

Yes, I get that someone could force me to unlock my phone, but I don't keep anything important on my phone. I do have access to banking apps and credit card apps but my thought is that you can't withdraw cash using a phone so you'd need to make an electronic transfer which is more traceable than a normal street mugging. In a face to face confrontation I'd give up the phone and any money as a matter of course. My understanding is that remotely hacking a biometric authentication is non-trivial.

I regard cyber-security as being a way to stop people ripping you off rather than defeating Her Majesty's Plod. If the Hot Fuzz are after you - all your data is going to be compromised eventually. Switching off your phone to force them to bring a court order isn't going to achieve much apart from a long(er) wait in the cell. Of course, if you have annoyed a three letter agency then you'll probably never know that your data has been compromised until you wake up on a plane...

Quite. This is a classic example of "your threat model is not my threat model"

I wish Android allowed you to set up a duress code...

J

Ah yes, like https://en.wikipedia.org/wiki/EncroChat
Good idea, possibly unpopular with Gubmints.
Everyone's favourite windbreak

Re: Cybersecurity for proles
« Reply #32 on: 08 January, 2024, 09:28:48 pm »
Just eat some crisps and the fingerprint biometric won’t work. Anti-mugging measures.

tonycollinet

  • No Longer a western province of Númenor
Re: Cybersecurity for proles
« Reply #33 on: 22 January, 2024, 10:16:22 am »
Quote
When it comes to online payments, use PayPal wherever you can. If you can't use PayPal and have to use a credit card, consider getting a separate card with a limit of say 200 quid, so that worst case if your card details are stolen, the most you lose is 200 quid, and hopefully only while your bank fucks about to work out what is going on.

Better to use your Credit Card (in the UK at least) as that at least ensures people are afforded protection from the Consumer Credit Act. If you pay via PayPal, even using a Credit Card, you lose that protection. The CCA protects the transfer of the funds to the intermediary (in this case PayPal) but not the transfer of funds from the intermediary to the seller/scammer.


Alternatively Apple Pay/Google Pay when available. They still protect your card details, but transactions are covered by the CCA (as long as the card in your wallet is a credit card).

tonycollinet

  • No Longer a western province of Númenor
Re: Cybersecurity for proles
« Reply #34 on: 22 January, 2024, 10:22:08 am »

Interesting. I'd store _access_ to personal data on an Android smartphone (ie banking apps etc) as long as the phone and the app were secured by biometrics. I'm not sure if that's any better tbh.

I would be the opposite. Biometrics as a single factor are an awful idea. I can have two people hold you down while I apply your finger to a sensor. Or hold your face to a camera.

Not to mention that in many jurisdictions a court order is needed to get you to give up a password, the same is not true of a biometric.

Have it as a second factor sure, but do not rely on it as your only means of authentication for any devices

J

If I am being held down and forced to give access to devices by people of dodgy repute, the related weakness of biometrics is not my main concern. They are going to get access regardless.

Re: Cybersecurity for proles
« Reply #35 on: 17 February, 2024, 08:39:25 am »
Move Faster and Bake Things

Re: Cybersecurity for proles
« Reply #36 on: 19 February, 2024, 11:47:09 am »

Interesting. I'd store _access_ to personal data on an Android smartphone (ie banking apps etc) as long as the phone and the app were secured by biometrics. I'm not sure if that's any better tbh.

I would be the opposite. Biometrics as a single factor are an awful idea. I can have two people hold you down while I apply your finger to a sensor. Or hold your face to a camera.

Not to mention that in many jurisdictions a court order is needed to get you to give up a password, the same is not true of a biometric.

Have it as a second factor sure, but do not rely on it as your only means of authentication for any devices

J
If you are in the situation where two people can physically control you, give up and give them all your money. Doesn't matter what security you have, they can physically coerce you into circumventing it.

I think PayPal is decently secure, and you can turn on two factor these days.

Monzo can be configured to request confirmation via app before online payments go through.

All of this is more secure than cash, which can be dropped, pick-pocketed, lost when your bag is stolen, or forcibly taken from you.

The big risks are, IMO, phishing or malware, and account hacking. For example, if someone got my Amazon username and password, they could order quite a bit of stuff before I noticed. It is a bit similar to having a card stolen in the past (when my house in York was burgled, the burglars immediately filled several cars with fuel).
Marmite slave

Re: Cybersecurity for proles
« Reply #37 on: 19 February, 2024, 04:39:12 pm »

If you are in the situation where two people can physically control you, give up and give them all your money. Doesn't matter what security you have, they can physically coerce you into circumventing it.

ob.XKCD https://xkcd.com/538/


quixoticgeek

  • Mostly Harmless
Re: Cybersecurity for proles
« Reply #38 on: 19 February, 2024, 04:45:26 pm »

Not to mention that in many jurisdictions a court order is needed to get you to give up a password, the same is not true of a biometric.
If you are in the situation where two people can physically control you, give up and give them all your money. Doesn't matter what security you have, they can physically coerce you into circumventing it.

That assumes the people trying to access your stuff are in it to steal money. The more important line IMHO, of my mail is the one about the court order requirement to give up a passport.

We've all seen that "if you've done nothing wrong, you've nothing to hide" is a very movable goalpost. The rules can change very very fast (see Roe v Wade impact in the US). You might not have done anything wrong today. But that might not be the same in 6 months.

Having any cop who wants to hold up your phone to your face while you sit there cuffed is a terrifying prospect.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Morat

  • I tried to HTFU but something went ping :(
Re: Cybersecurity for proles
« Reply #39 on: 25 February, 2024, 04:12:34 pm »
https://jd-solicitors.co.uk/can-the-police-make-me-unlock-my-phone/

I'm not sure how hard they'd have to try to sidestep them, but there are laws in place.
Everyone's favourite windbreak