Ebay SCAMS?
AVGresponding:

--- Quote from: bd139 on August 15, 2022, 06:35:50 pm ---
--- Quote from: AVGresponding on August 15, 2022, 06:25:48 pm ---
Your SIM might be safe from some NK rando, but how about the person in the shop you bought the phone from? Or when you have it repaired? It might be rare but it's not unknown. Being a pauper and buying the cheapest phone in the range probably protects me from such, but I certainly never take it for granted.
Also ISTR you have a low opinion of the security on Android phones in general (not related to SIM cloning I know, but still a possible route to overconfidence re 2FA?)...

--- End quote ---

You're not wrong. This is why I use a physical hardware key. Also because my risk profile is huge and may result in court if I fuck up :)

The main thing we have here is not to have perfect security but a defence against common problems. If it's 99.9% effective, which basic SMS 2FA is, that reduces the risk for the majority of users and the risk to the business and the costs of handling claims etc.

As for Android, the problem is that you can root an Android intentionally or otherwise without too much of an issue. At that point the hardware assurance is gone which means anything on the device could read or generate 2FA tokens.

--- End quote ---

Yes! I certainly don't lose any sleep over it though. And I believe my particular flavour of Android phone has the ability to shred its contents either remotely or by failure to input the correct PIN x number of times.
I do miss the simplicity of the UI on the older Samsung phones though.
bd139:

--- Quote from: AVGresponding on August 15, 2022, 06:43:10 pm ---
Yes! I certainly don't lose any sleep over it though. And I believe my particular flavour of Android phone has the ability to shred its contents either remotely or by failure to input the correct PIN x number of times.
I do miss the simplicity of the UI on the older Samsung phones though.

--- End quote ---

Yeah that's a reasonable configuration to set up.

To note my ex-father-in-law was ripped off for £10k because Halifax didn't have 2FA on their online banking and he accidentally got a keylogger malware downloading porn. They gave it back but realistically all customers pay for that outcome. 2FA would have saved him.
jpanhalt:
@bd139
Re: Second factor

This is the EU regulation I found here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L2366&from=EN
Paragraph 96 includes the following:

--- Quote ---
Those measures typically include encryption systems based on personal devices of the payer, including card readers or mobile phones, or provided to the payer by its account servicing payment service provider via a different channel, such as by SMS or email.
--- End quote ---

So, it appears email is accepted. My gripe is the requirement of a mobile phone per se, not the need for a different channel. A landline should also suffice and satisfy the need for a second channel.
bd139:
Email is a weak and stupid idea. I'm not sure why they included that. Don't use it.

Think of these vectors:

1. Your email credentials are compromised. You reused the same credentials for your online banking. Owned.
2. Your email credentials are compromised. You did not reuse the same credentials, but the hijacker resets your online banking password and confirms via email. Owned.
3. Your computer has a keylogger installed on it. They now have access to all of your factors.

You need a separate physical device. The mobile phone is the best one we have out there.

I'm not sure what your objection is with respect to a mobile phone.

A landline is possible. eBay and Amazon AWS both can use landlines for validation. But it's less secure than a physical device.

Edit: point though on usability... some security is better than none or too much:

jpanhalt:

--- Quote from: bd139 on August 15, 2022, 08:46:46 pm ---
I'm not sure what your objection is with respect to a mobile phone.

--- End quote ---

I don't have one and don't intend to get one. It would be a waste of money. I refuse to use one while driving or in any public place. I don't want to be tracked like an animal.

As for the landline, yes, that is my preferred method. Maybe I was unclear on that. Every other financial with which I deal (including at least 7 very large ones) uses landline authentication. PayPal is the sole exception I know of to date.