How real is cyber risk?

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Sat Sep 15, 2018 7:27 am

tadamsmar wrote:
Sat Sep 15, 2018 7:08 am
damjam wrote:
Fri Sep 14, 2018 6:36 pm
tadamsmar wrote:
Fri Sep 14, 2018 5:19 pm
For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
I found this requirement from Vanguard interesting:
Don't store your password or answers to security questions on the computer or device you use to access your Vanguard accounts.
I suppose they don't intend us to use password managers then?
If you follow the informational links from the fraud pledge page, you get to a page that says that you are not supposed to store your password unencrypted on your computer:

https://investor.vanguard.com/security/credentials

I guess that means encrypted is OK. But, interpreting the fraud pledge has always been a guessing game!

The pledge used to imply that not sharing your password was one of your responsibilities required for the reimbursement guarantee. Now it just states that all shared-password transactions are considered to be authorized by you. A good clarification for the many clients that share passwords with their spouses.
Thank you tadamsmar

From Vanguard:
Your vanguard.com password should be:

Reasonably complex and, preferably, at least 8 characters long.
Different from your passwords on other websites.
Changed on a regular basis.

Your vanguard.com password should not be:

Written down, stored unencrypted on your computer or mobile device, or shared with anyone.
...
I feel better now.

annielouise
Posts: 343
Joined: Wed May 14, 2008 4:11 pm

Re: How real is cyber risk?

Post by annielouise » Sat Sep 15, 2018 8:57 am

I consider one of the biggest risks is via customer service either in person or over the phone. When possible, I do voice verification or code words/ pins for accounts. In theory, no one can get a new SIM card from my carrier without knowing my code word is "waterfall" (obviously, not my actual code word). For credit cards and banks, they can't call and change address/phone number/ etc without knowing the code word for that account.

3-20Characters
Posts: 85
Joined: Tue Jun 19, 2018 2:20 pm

Re: How real is cyber risk?

Post by 3-20Characters » Sat Sep 15, 2018 9:21 am

Is a google voice number safer than sms to your phone? Maybe, maybe not. The thing about hijacking your cell phone number is that it’s hard to do on a mass scale so it’s less attractive to thieves from a purely cost/benefit analysis. If you’re a famous journalist, spy or politician yes, I’d be very concerned but the risk of someone trying to hijack some random person’s phone number seems like a stretch. There is an sms intercept hack on android phones I’ve read about. Not sure how prevalent it is. Haven’t read anything about an iPhone hack but I’m not following the subject closely.

Google voice is a web based account (like email) which is linked to your google account. It is subject to dictionary attack—like any other web based platform. Ah! You say. I have 2FA protection. Well, ok. But you have that for your vanguard account as well.

Security keys, Time-based One-Time Passwords, etc, may be better options but they are not widely adopted or understood by your average internet user so they lag and what’s worse, providers may offer workarounds to them to keep people from locking themselves out of accounts—so they can lose their effectiveness.

For personal cyber security 2FA is a must on all important accounts. Rather than worry which is best, use what you can. Password manager is a huge plus in my book because of behavioral issues. Without it, your passwords will not be as strong and you will likely start to repeat them. It’s the same basic idea of AA. Being 100% stocks may not force you sell in a crash if you still have your job/income but you may sell anyway. Therefore, a sleep well at night AA is recommended for behavioral reasons.

I certainly hope people aren’t storing their passwords in excel spreadsheets or word documents. That’s very 1990s. Paper in a safe? Well, ok but if you have to keep pulling that out and updating it (see behavioral issues above). I suppose you could come up with some creative system. Using an encryption app with a personal code scheme might work ok but it’s more complicated than a password manager and less useful. With a password manager, you can store things like door codes, PIN numbers, and other things.

My black swan fear is system wide cyber risk. It’s entirely plausible IMO, that we wake up one morning to the news that a major bank has been hacked and all accounts read $0.00. Even if accounts can be fully restored, the hit to the trust of our systems (all systems) could be so devastating as to cause a major economic crisis. We’re in a new time with new rules and nobody really knows how it will play out.

tibbitts
Posts: 8047
Joined: Tue Feb 27, 2007 6:50 pm

Re: How real is cyber risk?

Post by tibbitts » Sat Sep 15, 2018 9:24 am

Vulcan wrote:
Fri Sep 14, 2018 1:21 pm
The best way to mitigate the risk associated with phones/SIM cards is not to use cell phone numbers for 2FA.

Use Google Voice instead. Text messages come into your Google Account that is in turn protected by 2FA.

No excuses.
I have had several institutions somehow detect Google Voice numbers and refuse to use them for authentication. I don't know how/why, so I switched to alternate methods for those accounts.

oldcomputerguy
Posts: 3435
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: How real is cyber risk?

Post by oldcomputerguy » Sat Sep 15, 2018 9:28 am

Vulcan wrote:
Fri Sep 14, 2018 4:05 pm
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
Google Mail can also be secured with a Yubikey. I have Yubikey as primary 2FA on my Gmail with Authenticator as secondary.
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

Coato
Posts: 118
Joined: Wed Oct 21, 2015 4:34 pm

Re: How real is cyber risk?

Post by Coato » Sat Sep 15, 2018 9:32 am

3-20Characters wrote:
Sat Sep 15, 2018 9:21 am
My black swan fear is system wide cyber risk. It’s entirely plausible IMO, that we wake up one morning to the news that a major bank has been hacked and all accounts read $0.00. Even if accounts can be fully restored, the hit to the trust of our systems (all systems) could be so devastating as to cause a major economic crisis. We’re in a new time with new rules and nobody really knows how it will play out.
This is what I was wondering about in the earlier post. Not sure how feasible it is, how much diversifying into two institutions would protect against this, practical small steps to prevent it, etc.

Wife and I are OK barring a black swan, but in reading Deep Risk this sort of "Confiscation" (not Governmental but a cyber event) seems to be something to at least think about.

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Sat Sep 15, 2018 9:42 am

3-20Characters wrote:
Sat Sep 15, 2018 9:21 am
Is a google voice number safer than sms to your phone? Maybe, maybe not. The thing about hijacking your cell phone number is that it’s hard to do on a mass scale so it’s less attractive to thieves from a purely cost/benefit analysis. If you’re a famous journalist, spy or politician yes, I’d be very concerned but the risk of someone trying to hijack some random person’s phone number seems like a stretch. There is an sms intercept hack on android phones I’ve read about. Not sure how prevalent it is. Haven’t read anything about an iPhone hack but I’m not following the subject closely.

Google voice is a web based account (like email) which is linked to your google account. It is subject to dictionary attack—like any other web based platform. Ah! You say. I have 2FA protection. Well, ok. But you have that for your vanguard account as well.

Security keys, Time-based One-Time Passwords, etc, may be better options but they are not widely adopted or understood by your average internet user so they lag and what’s worse, providers may offer workarounds to them to keep people from locking themselves out of accounts—so they can lose their effectiveness.

For personal cyber security 2FA is a must on all important accounts. Rather than worry which is best, use what you can. Password manager is a huge plus in my book because of behavioral issues. Without it, your passwords will not be as strong and you will likely start to repeat them. It’s the same basic idea of AA. Being 100% stocks may not force you sell in a crash if you still have your job/income but you may sell anyway. Therefore, a sleep well at night AA is recommended for behavioral reasons.

I certainly hope people aren’t storing their passwords in excel spreadsheets or word documents. That’s very 1990s. Paper in a safe? Well, ok but if you have to keep pulling that out and updating it (see behavioral issues above). I suppose you could come up with some creative system. Using an encryption app with a personal code scheme might work ok but it’s more complicated than a password manager and less useful. With a password manager, you can store things like door codes, PIN numbers, and other things.

My black swan fear is system wide cyber risk. It’s entirely plausible IMO, that we wake up one morning to the news that a major bank has been hacked and all accounts read $0.00. Even if accounts can be fully restored, the hit to the trust of our systems (all systems) could be so devastating as to cause a major economic crisis. We’re in a new time with new rules and nobody really knows how it will play out.
Very nice summary of the situation.

The bold portion is where my frustration lies. It seems to me only those who are most aware of the security risks are adopting security keys and the like. In all likelihood they would also understand the futility of using them when less secure methods are given as recovery methods. So even those interested in adopting tougher 2FA might just skip it. Unfortunately the knock-on effect of slow adoption by users is slow adoption by institutions.

So I have adopted your suggestion of "Rather than worry which is best, use what you can". But the frustration remains.

As for the black swan fear you outlined, most of us can only pray it never happens. Some people will adopt the prepper lifestyle in response to the risk.

Vulcan
Posts: 203
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Sat Sep 15, 2018 10:38 am

jalbert wrote:
Sat Sep 15, 2018 12:06 am
The most common weakness of a less than fully robust 2FA like a text code is when it is used for password reset. In this scenario the password is not needed, just the phone to be compromised.
That is not the case for Google accounts. Receiving a code is only one of the steps in their password recovery process (I just tried out of curiosity).

All other institutions should only use your GV number if you are so concerned about someone transferring out your cell number (a highly unlikely event if you ask me).

Vulcan
Posts: 203
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Sat Sep 15, 2018 10:44 am

oldcomputerguy wrote:
Sat Sep 15, 2018 9:28 am
Vulcan wrote:
Fri Sep 14, 2018 4:05 pm
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
Google Mail can also be secured with a Yubikey. I have Yubikey as primary 2FA on my Gmail with Authenticator as secondary.
I don't like a physical second factor. I know it is more secure in theory, but in practice it is just too much of a hassle.
Locked phone as a second factor is secure enough for everyone but those targeted by government secret services.

Besides, your protection is only as strong as the weakest authentication factor.
If Authenticator app is secondary, what's the point of Yubikey?

But the convenience of Google's new push verifications beats them all.

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Sat Sep 15, 2018 10:56 am

Vulcan wrote:
Sat Sep 15, 2018 10:44 am
oldcomputerguy wrote:
Sat Sep 15, 2018 9:28 am
Vulcan wrote:
Fri Sep 14, 2018 4:05 pm
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
Google Mail can also be secured with a Yubikey. I have Yubikey as primary 2FA on my Gmail with Authenticator as secondary.
I don't like a physical second factor. I know it is more secure in theory, but in practice it is just too much of a hassle.
Locked phone as a second factor is secure enough for everyone but those targeted by government secret services.

Besides, your protection is only as strong as the weakest authentication factor.
If Authenticator app is secondary, what's the point of Yubikey?

But the convenience of Google's new push verifications beats them all.
What happens if you lose your phone?

I know you can often remotely disable or even wipe them. But then what? All those accounts that depended on some type of authenticator that resided on the phone are now locked. Yes you can have an alternate recovery option, which as discussed, is often SMS. So you just get a new phone.

But what if we went to an all security key all the time system? Register multiple keys. Lose or destroy one and you have another as a backup. Seems more straight forward to me.

Vulcan
Posts: 203
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Sat Sep 15, 2018 10:59 am

tibbitts wrote:
Sat Sep 15, 2018 9:24 am
Vulcan wrote:
Fri Sep 14, 2018 1:21 pm
The best way to mitigate the risk associated with phones/SIM cards is not to use cell phone numbers for 2FA.

Use Google Voice instead. Text messages come into your Google Account that is in turn protected by 2FA.

No excuses.
I have had several institutions somehow detect Google Voice numbers and refuse to use them for authentication. I don't know how/why, so I switched to alternate methods for those accounts.
I always prefer email when possible, and that is an option most web sites now offer.
GV is my second preference (the code arrives via email anyway).
I do not believe any web site I use has my actual cell phone number:-)

Needless to say, your email must be strongly protected, but you already knew that.
Your email is indeed the single point of failure and the key to your digital kingdom.
Don't trust it to 2nd best. Get GMail with 2FA. (I know you do, but not everyone does).

Interestingly though, even if someone were to target me or my family members individually, they may not even realize without doing some extra legwork (nslookup on an MX) that our emails are actually a GMail. I was one of the lucky few that were able to jump on the Google Apps bandwagon (it is now called G Suite) before they did away with the free option. So my email is something like vulcan@vulcans.us, yet it is actually a Google account. In any future large phishing attack on GMail mailboxes we are likely not to be included. Pretty nifty if I may say so myself:)

Vulcan
Posts: 203
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Sat Sep 15, 2018 11:01 am

damjam wrote:
Sat Sep 15, 2018 10:56 am
What happens if you lose your phone?

I know you can often remotely disable or even wipe them. But then what? All those accounts that depended on some type of authenticator that resided on the phone are now locked. Yes you can have an alternate recovery option, which as discussed, is often SMS. So you just get a new phone.
I have screenshots of the barcodes used to populate Google Authenticator app.
It takes me a minute to set Authenticator up on a new phone.

There are 3rd party versions of Authenticator apps that back these up to their clouds. Needless to say, I do not use those. I only trust myself and Google.

Stormbringer
Posts: 601
Joined: Sun Jun 14, 2015 7:07 am

Re: How real is cyber risk?

Post by Stormbringer » Sat Sep 15, 2018 11:05 am

Coato wrote:
Fri Sep 14, 2018 9:41 am
How real is cyber risk?
Well, my day job is as a software developer and I used to hack for fun back in high school and college when I was young and foolish, so here's my take on it...

The risk is very real. As I see it, there are three broad categories of threats to be concerned with:
  1. System failures.
  2. Criminal hackers.
  3. Foreign intelligence agencies.
The first would involve a poorly run datacenter, buggy software, failed backups or some technical problem that would result in the financial institution somehow losing track of what you have with them. This can be mitigated by keeping paper statements that can provide evidence of what you should have. Some things, like account statements and ballots should always leave a physical paper trail.

The second would involve someone trying to steal your money. Defending against this requires a paper trail as with #1, but also properly securing your accounts. Your password should be unique to every important website because you don't know if they are protecting it properly. If one gets compromised, you don't want the attacker to gain access to all your accounts, so compartmentalize. Also, long but easy-to-remember passphrases are many orders of magnitude more secure than the short cryptic ones that end up on a sticky note on your monitor. Try it and see for yourself.

You should always use at least two of the three factors of authentication:
  • Something you know (e.g. a password)
  • Something you have (e.g. a token or smart phone)
  • Something you are (e.g. biometrics such as facial recognition, or a fingerprint or retina scanner)
If one factor is compromised, the other will still protect you.

The third threat is far more difficult to defend against, and potentially catastrophic. Hackers are bad enough, but to get a sense of what foreign intelligence agencies are capable of, you should read about the Stuxnet worm that attacked the Iranian nuclear program. The level of sophistication of that attack is truly mind-boggling. Now imagine a war between the United States and a country with a capable cyber-warfare program that is unleashing a frightening series of attacks on our financial nerve centers. Worse, almost every data center in the US is staffed with foreign workers who undergo very little screening and often have administrative access to these computer systems. Any of them could be foreign agents that get activated during a conflict to launch attacks from the inside. All I can say is that a little cash in the safe and enough gold to bribe the border guards never hurt anyone.

Lastly, don't just diversify your holdings, diversify your financial institutions. Having assets spread across two or three will provide you with protection in case one of them is compromised.
"Compound interest is the most powerful force in the universe." - Albert Einstein

3funder
Posts: 758
Joined: Sun Oct 15, 2017 9:35 pm

Re: How real is cyber risk?

Post by 3funder » Sat Sep 15, 2018 12:24 pm

VictoriaF wrote:
Fri Sep 14, 2018 6:06 pm
3funder wrote:
Fri Sep 14, 2018 5:24 pm
I don't lose sleep over it.
Losing sleep is not a recommended mitigation for cyber risk. 2FA and other methods recommended above are.

Victoria
I only use 2FA when required. That said, I agree that 2FA is a reasonable mitigation tool.

killjoy2012
Posts: 1044
Joined: Wed Sep 26, 2012 5:30 pm

Re: How real is cyber risk?

Post by killjoy2012 » Sat Sep 15, 2018 12:33 pm

One of the underlying issues people in this thread are hinting at, but not saying, is that using your cell phone w/ SMS codes really doesn't meet the "something you have" factor in 2FA. For multi-factor authentication, it's a combo of something you know (e.g. password), something you have (e.g. a hardware token), or something you are (e.g. biometrics). WRT the "something you have" factor, it's supposed to be a hardened, physical thing... common instantiation is an RSA/Duo keyfob that generates a new code every minute. However, for a company, purchasing hardware tokens, distributing them, etc. is costly and a PITA... so as smart phones became more prevalent, some companies have leveraged SMS texts to your cell as a cheap and easy replacement to hardware tokens. But the downside is, smart phones, being internet connected, are very hackable and can be remotely monitored... unlike a hardware keyfob, so it's not equivalent (but still better than single factor, password-only). Most people in cyber refer to SMS codes delivered via mobile as 1.5 factor... but it is commonly marketed as 2FA.

chambers136
Posts: 177
Joined: Tue Feb 28, 2017 9:49 am

Re: How real is cyber risk?

Post by chambers136 » Sat Sep 15, 2018 1:49 pm

There’s a lot of discussion about SMS 2FA and Yubikey with Vanguard. What about the Symantec one-time password 2FA that Fidelity and Schwab use? Are the vulnerabilities similar?

SpaethCo
Posts: 118
Joined: Thu Jan 14, 2016 12:58 am

Re: How real is cyber risk?

Post by SpaethCo » Sat Sep 15, 2018 1:56 pm

jalbert wrote:
Sat Sep 15, 2018 12:06 am
The point of 2FA is that if your password is compromised, you have more time to change it before it can be abused.
Not necessarily. The reality of web-based applications is that the return of a successful authentication transaction is a much longer-lived session token.

The thing that we've seen in red team tests is that the perception of security created by "time-based code" or "app push" validation causes people to miscalculate the sign-in risks they take because they think they have extra protection. Our conversion rate on internal phishing campaigns for SMS notifications ("We need to confirm your phone number as part of our migration to {new payroll application}, please click here to validate your contact information so we can ensure your paycheck processing is not delayed") was higher for teams that had forced the implementation of Duo push 2FA. In those tests our teams even tried to make it more obvious by ensuring the Duo authenticator app was showing a completely different system type and location (i.e., "App validation requested by a Windows 10 workstation running Edge in San Francisco, California" when the user was using an iPhone in Minnesota), and people still clicked through because they were so accustomed to the authenticator app popping up a request after they entered their credentials. In post-campaign surveys, users reported that they thought the notification and link looked a little suspicious, but because they knew a new system was being implemented they went along with the URL that looked slightly off, and they assumed because they got the 2FA push notification on the Duo app that everything was completely okay.

Right now, client certificates and U2F security keys are the only semi-mainstream 2FA solutions that offer any kind of phishing protection. This matters because phishing is the most successful attack vector in play today. Google published research last year ( https://ai.google/research/pubs/pub46437 ) where they identified credentials leaked via various disclosure events -- credentials gained through phishing were 463.4x more likely to lead to an account take-over than credentials gained through keyloggers/malware or other site data breaches.

A password is just data you are presenting to an online system to assert your identity. While the concept of a "something you have" factor is valid, the most common implementations we're using are still presenting more data to an online system that in most cases can't identify that we actually have physical possession of something.

If I could distill this down to a single point, it would be this: In most cases, using a password manager (1Password, Chrome autofill, iCloud Keychain) that validates the URL that you're supplying credentials to ends up offering substantially more security than that of most 2FA implementations. The password manager ensures site uniqueness for each credential, and helps the user to identify when they've landed somewhere they didn't intend by not auto-filling in the credentials when the URL is different than where the account details were originally registered.
Last edited by SpaethCo on Sat Sep 15, 2018 2:51 pm, edited 1 time in total.
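
To make SpaethCo's point about origin checking concrete, here is an added Python sketch; it is not code from the thread, nor from 1Password, Chrome, a U2F token or any real implementation. It shows two things: a vault that autofills only for the exact origin a credential was saved under, so a look-alike hostname gets nothing, and a simplified U2F-style exchange in which the origin the browser is actually on is mixed into the signed challenge, so a challenge relayed through another origin fails verification. An HMAC under a secret shared at registration stands in for the real per-site key pair and signature, and `broker.example` and the `.test` look-alike host are constructed names.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def origin_of(url):
    """Normalize a URL to scheme://host[:port]: lower-cased host, default ports dropped."""
    u = urlsplit(url)
    host = (u.hostname or "").lower().rstrip(".")
    port = u.port
    if (u.scheme, port) in (("https", 443), ("http", 80)):
        port = None
    return f"{u.scheme}://{host}" + (f":{port}" if port else "")


class PasswordVault:
    """Credentials are keyed by origin; a different host or scheme is a different key."""

    def __init__(self):
        self._entries = {}

    def save(self, url, username, password):
        self._entries[origin_of(url)] = (username, password)

    def autofill(self, url):
        """Return credentials only for the exact origin they were registered on, else None."""
        return self._entries.get(origin_of(url))


class SecurityKey:
    """Stand-in for a U2F token: holds a secret and signs (origin, challenge) pairs."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # assumption: real keys use a key pair

    def registration_material(self):
        return self._secret  # a real key would hand out a public key here

    def sign(self, origin, challenge):
        # The browser, not the user and not the web page, supplies the origin.
        msg = origin.encode() + b"|" + challenge
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class RelyingParty:
    """The genuine site: verifies assertions against its own origin, never the client's claim."""

    def __init__(self, origin):
        self.origin = origin
        self._keys = {}

    def register(self, username, key):
        self._keys[username] = key.registration_material()

    def challenge(self):
        return secrets.token_bytes(32)

    def verify(self, username, challenge, tag):
        msg = self.origin.encode() + b"|" + challenge
        expected = hmac.new(self._keys[username], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def login_attempt(rp, key, username, browser_url):
    """One login where the browser sits at browser_url (the real site or a look-alike)."""
    challenge = rp.challenge()            # a relay in the middle forwards this unchanged
    tag = key.sign(origin_of(browser_url), challenge)  # but the token signs the real origin
    return rp.verify(username, challenge, tag)


if __name__ == "__main__":
    vault = PasswordVault()
    vault.save("https://broker.example/login", "alice", "correct-horse")
    print("genuine site:", vault.autofill("https://broker.example/account"))
    print("look-alike  :", vault.autofill("https://broker.example.verify-account.test/login"))
    rp, key = RelyingParty("https://broker.example"), SecurityKey()
    rp.register("alice", key)
    print("key on genuine site:", login_attempt(rp, key, "alice", "https://broker.example/"))
    print("key via look-alike :", login_attempt(rp, key, "alice", "https://broker.example.verify-account.test/"))
```

A typed TOTP or SMS code has no origin bound to it, which is why it survives the relay that the assertion above does not; the password manager achieves a similar effect on the first factor simply by refusing to fill anything on an origin it has never seen.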

jalbert
Posts: 3814
Joined: Fri Apr 10, 2015 12:29 am

Re: How real is cyber risk?

Post by jalbert » Sat Sep 15, 2018 2:45 pm

Vulcan wrote:
Sat Sep 15, 2018 10:38 am
jalbert wrote:
Sat Sep 15, 2018 12:06 am
The most common weakness of a less than fully robust 2FA like a text code is when it is used for password reset. In this scenario the password is not needed, just the phone to be compromised.
That is not the case for Google accounts. Receiving a code is only one of the steps in their password recovery process (I just tried out of curiosity).

All other institutions should only use your GV number if you are so concerned about someone transferring out your cell number (a highly unlikely event if you ask me).
I don’t use services that require a google account for other reasons, so GV is not an option unless I relax that constraint.

There have been two documented cases of someone transferring a cell number and then draining a financial account for which they had the password.

2FA is much more robust if you use a different device for making the connection and typing in a password than used for the second factor. This is so that one device being compromised does not compromise the entire authentication protocol. As long as you don’t use your phone to login to an account, using it for a text code 2FA is a reasonable approach. This segregation of devices for each factor is more important than whether GV or SMS is used.

Password reset protocols are a problem because they tend to invalidate the segregation of two authentication factors, often even relying on only one factor.
Risk is not a guarantor of return.

mouses
Posts: 3811
Joined: Sat Oct 24, 2015 12:24 am

Re: How real is cyber risk?

Post by mouses » Sat Sep 15, 2018 2:56 pm

damjam wrote:
Fri Sep 14, 2018 12:54 pm
Also, Vanguard offers Voice Verification for transacting business over the phone. I would encourage everyone to go through the process of establishing the voice print. Why? Because if you don't someone else pretending to be you could. If the impostor has the correct answers to any questions the Vanguard employee may have, the Vanguard employee will pass them through and let them create the voice print.
Does this actually work? I am always having trouble with voice systems not recognizing what I am saying. That is not really the same, but it does make me think there's a chance Vanguard would not recognize my voice. Then what.

likegarden
Posts: 2698
Joined: Mon Feb 26, 2007 5:33 pm

Re: How real is cyber risk?

Post by likegarden » Sat Sep 15, 2018 3:31 pm

Perhaps I could have downloaded something bad today from an Email from Spain; the sender's address ended in '.es'. I deleted it and never opened it. Any Email from a sender I do not recognize I will delete, and I do similarly with phone calls.

Kompass
Posts: 147
Joined: Sat Oct 01, 2016 5:42 pm

Re: How real is cyber risk?

Post by Kompass » Sat Sep 15, 2018 3:42 pm

I think cyber risk is a very real unknown and I practice what I believe to be good internet hygiene because of it. What frustrates me is when these measures fail due to reliance on those we are supposed to trust. By way of example, yesterday I went into a Verizon store to get a new cellular chip for my iPad2 for traveling.

I walked in and told the young fellow my phone number so he could pull up my account. He produced and installed the chip, talked to me about a better deal on a different plan, which I had set up, I turned on the new cell function and it worked fine. He thanked me and we were done. At that point I asked him why he had never asked me to produce any id or confirm my identity in any way. He seemed quite embarrassed and said he was surprised the verification screen had not popped up and there must be a glitch. I asked him to report it to his supervisor. :oops:

*********

For general protection I split my holdings between two brokerages and one hub bank, print the summary page of statements and hold in a physical file until the next one (proof of holdings if records get wiped). I use voice prints and 2FA at both brokerages, I only use one ATM as consistency of behavior and hold an admittedly weird amount of cash at home because I can. For day to day I pay cash for things under $1k (after being data breached 6 times in two years) and over $1k I use either bank generated checks or a token version of one credit card which is paid in full every month. Locking mailbox on house.

Proud member of the tinfoil hat club! :beer
The large print giveth and the fine print taketh away.

bac
Posts: 31
Joined: Sun Apr 01, 2018 6:19 pm

Re: How real is cyber risk?

Post by bac » Sat Sep 15, 2018 3:55 pm

I've pondered setting up a second desktop computer and using it solely for financial matters, but wonder if it would be overkill. I take lots of precautions (2FA and Yubikey among them) as it is and employ a great deal of caution and common sense.

3-20Characters
Posts: 85
Joined: Tue Jun 19, 2018 2:20 pm

Re: How real is cyber risk?

Post by 3-20Characters » Sat Sep 15, 2018 4:30 pm

bac wrote:
Sat Sep 15, 2018 3:55 pm
I've pondered setting up a second desktop computer and using it solely for financial matters, but wonder if it would be overkill. I take lots of precautions (2FA and Yubikey among them) as it is and employ a great deal of caution and common sense.
It’s debatable. Quite a few bogleheads adopt this approach. I don’t. There will be complications. One of the ways you secure your computer and other devices is by keeping software up to date. You will now have one extra computer to keep updated.

Another matter is keeping files synced and available. Say you download a statement to your “safe” computer and need to get it to your “regular” computer. You will have to develop good, safe practices for how to get files to and fro. With that being a given, you will in the end (I believe) need to secure your regular computer every bit as tight as your safe computer because it’s the weak link in the chain. Why not just focus on properly securing just the one normal computer and on good hygiene practices instead? Less to think about, less expense, less work, less likely to slip up.

Others will disagree.

MrNo
Posts: 13
Joined: Thu Dec 21, 2017 10:13 am

Re: How real is cyber risk?

Post by MrNo » Sun Sep 16, 2018 12:44 am

Vulcan wrote:
Fri Sep 14, 2018 4:07 pm
Vulcan wrote:
Fri Sep 14, 2018 4:05 pm
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
On newer Android phones you can also use phone prompts, with one-time codes saved as last-ditch backup.
This works on iPhones as well, very convenient and fast.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Sun Sep 16, 2018 9:32 am

oldcomputerguy wrote:
Sat Sep 15, 2018 9:28 am
Vulcan wrote:
Fri Sep 14, 2018 4:05 pm
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
Google Mail can also be secured with a Yubikey. I have Yubikey as primary 2FA on my Gmail with Authenticator as secondary.
Enable Google's advanced account protection

Rob5TCP
Posts: 3161
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: How real is cyber risk?

Post by Rob5TCP » Sun Sep 16, 2018 9:35 am

Stormbringer wrote:
Sat Sep 15, 2018 11:05 am
Coato wrote:
Fri Sep 14, 2018 9:41 am
How real is cyber risk?
Well, my day job is as a software developer and I used to hack for fun back in high school and college when I was young and foolish, so here's my take on it...

The risk is very real. As I see it, there are three broad categories of threats to be concerned with:
  1. System failures.
  2. Criminal hackers.
  3. Foreign intelligence agencies.


The second would involve someone trying to steal your money. Defending against this requires a paper trail as with #1, but also properly securing your accounts. Your password should be unique to every important website because you don't know if they are protecting it properly. If one gets compromised, you don't want the attacker to gain access to all your accounts, so compartmentalize. Also, long but easy-to-remember passphrases are many orders of magnitude more secure than the short cryptic ones that end up on a sticky note on your monitor. Try it and see for yourself.

Don't rely on Dashlane's password security test. Correcthorsebatterystaples showed as being 7 quadrillion years as being secure. In reality, it would take a fraction of a second. The length saying at one time was sufficient, but today phrases are routinely used in breaking passwords (billions and billions of both common and uncommon phrases and combinations). Most password tests assume a brute force attack and that is no longer the case.

This was solid gold a number of years ago, not so much anymore
https://xkcd.com/936/

https://nakedsecurity.sophos.com/2015/0 ... th-meters/

Complexity and length are your two deterrents to keeping your password more secure.

User avatar
Rob5TCP
Posts: 3161
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: How real is cyber risk?

Post by Rob5TCP » Sun Sep 16, 2018 9:41 am

Stormbringer wrote:
Sat Sep 15, 2018 11:05 am
Coato wrote:
Fri Sep 14, 2018 9:41 am
How real is cyber risk?
Well, my day job is as a software developer and I used to hack for fun back in high school and college when I was young and foolish, so here's my take on it...

The risk is very real. As I see it, there are three broad categories of threats to be concerned with:
  1. System failures.
  2. Criminal hackers.
  3. Foreign intelligence agencies.


The second would involve someone trying to steal your money. Defending against this requires a paper trail as with #1, but also properly securing your accounts. Your password should be unique to every important website because you don't know if they are protecting it properly. If one gets compromised, you don't want the attacker to gain access to all your accounts, so compartmentalize. Also, long but easy-to-remember passphrases are many orders of magnitude more secure than the short cryptic ones that end up on a sticky note on your monitor. Try it and see for yourself.

Don't rely on Dashlane's password security test. Correcthorsebatterystaples showed as being 7 quadrillion years as being secure. In reality, it would take a fraction of a second. The length saying at one time was sufficient, but today phrases are routinely used in breaking passwords (billions and billions of both common and uncommon phrases and combinations). Most password tests assume a brute force attack and that is no longer the case.

This was solid gold a number of years ago, not so much anymore
https://xkcd.com/936/

https://nakedsecurity.sophos.com/2015/0 ... th-meters/

Complexity AND length are your two deterrents to keeping your password more secure.

User avatar
damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Sun Sep 16, 2018 9:42 am

evestor wrote:
Sun Sep 16, 2018 9:32 am
oldcomputerguy wrote:
Sat Sep 15, 2018 9:28 am
Vulcan wrote:
Fri Sep 14, 2018 4:05 pm
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
Google Mail can also be secured with a Yubikey. I have Yubikey as primary 2FA on my Gmail with Authenticator as secondary.
Enable Google's advanced account protection
evestor, thank you. This is exactly what I've been looking for!

I wonder if Yubikey works with this. The blurb on the service says a "wireless" enabled key? I believe the Google Titan key works with bluetooth, but Yubikey NEO works with NFC. Dealing with multiple keys from different vendors would be a bit of a pain, but such is life.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Sun Sep 16, 2018 9:52 am

damjam wrote:
Sun Sep 16, 2018 9:42 am
evestor wrote:
Sun Sep 16, 2018 9:32 am
oldcomputerguy wrote:
Sat Sep 15, 2018 9:28 am
Vulcan wrote:
Fri Sep 14, 2018 4:05 pm
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
Google Mail can also be secured with a Yubikey. I have Yubikey as primary 2FA on my Gmail with Authenticator as secondary.
Enable Google's advanced account protection
evestor, thank you. This is exactly what I've been looking for!

I wonder if Yubikey works with this. The blurb on the service says a "wireless" enabled key? I believe the Google Titan key works with bluetooth, but Yubikey NEO works with NFC. Dealing with multiple keys from different vendors would be a bit of a pain, but such is life.
It does. You must have at least 2 keys associated with your account.
I have 4.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Sun Sep 16, 2018 9:53 am

damjam wrote:
Sun Sep 16, 2018 9:42 am
evestor wrote:
Sun Sep 16, 2018 9:32 am
oldcomputerguy wrote:
Sat Sep 15, 2018 9:28 am
Vulcan wrote:
Fri Sep 14, 2018 4:05 pm
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
Google Mail can also be secured with a Yubikey. I have Yubikey as primary 2FA on my Gmail with Authenticator as secondary.
Enable Google's advanced account protection
evestor, thank you. This is exactly what I've been looking for!

I wonder if Yubikey works with this. The blurb on the service says a "wireless" enabled key? I believe the Google Titan key works with bluetooth, but Yubikey NEO works with NFC. Dealing with multiple keys from different vendors would be a bit of a pain, but such is life.
You also don't have to have a wireless key. Not strictly required. They push you down this path because most users want email on their phone and that is the cleanest path to achieving it.

Stormbringer
Posts: 601
Joined: Sun Jun 14, 2015 7:07 am

Re: How real is cyber risk?

Post by Stormbringer » Sun Sep 16, 2018 1:30 pm

Rob5TCP wrote:
Sun Sep 16, 2018 9:41 am
Complexity AND length are your two deterrents to keeping your password more secure.
From a pure math perspective, you are correct. The problem is a human one:

Password 1: sgKu72)f+13^%$z
Password 2: When I was a boy I liked to eat hot dogs.

The first one is impossible for anyone to remember, and is going to end up being written on a sticky note.
The second one is both easier to remember and type, but also is many orders of magnitude more difficult to brute force crack than the first one.
"Compound interest is the most powerful force in the universe." - Albert Einstein

jsmoove123
Posts: 24
Joined: Sun Oct 22, 2017 12:01 am

Re: How real is cyber risk?

Post by jsmoove123 » Sun Sep 16, 2018 1:47 pm

Stormbringer wrote:
Sun Sep 16, 2018 1:30 pm
Rob5TCP wrote:
Sun Sep 16, 2018 9:41 am
Complexity AND length are your two deterrents to keeping your password more secure.
From a pure math perspective, you are correct. The problem is a human one:

Password 1: sgKu72)f+13^%$z
Password 2: When I was a boy I liked to eat hot dogs.

The first one is impossible for anyone to remember, and is going to end up being written on a sticky note.
The second one is both easier to remember and type, but also is many orders of magnitude more difficult to brute force crack than the first one.
Isn't Rob5TCP saying that the second one has phrases that will be easily tested with modern brute-force attacks?

User avatar
damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Sun Sep 16, 2018 1:56 pm

evestor wrote:
Sun Sep 16, 2018 9:53 am
damjam wrote:
Sun Sep 16, 2018 9:42 am
evestor wrote:
Sun Sep 16, 2018 9:32 am
oldcomputerguy wrote:
Sat Sep 15, 2018 9:28 am
Vulcan wrote:
Fri Sep 14, 2018 4:05 pm
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
Google Mail can also be secured with a Yubikey. I have Yubikey as primary 2FA on my Gmail with Authenticator as secondary.
Enable Google's advanced account protection
evestor, thank you. This is exactly what I've been looking for!

I wonder if Yubikey works with this. The blurb on the service says a "wireless" enabled key? I believe the Google Titan key works with bluetooth, but Yubikey NEO works with NFC. Dealing with multiple keys from different vendors would be a bit of a pain, but such is life.
You also don't have to have a wireless key. Not strictly required. They push you down this path because most users want email on their phone and that is the cleanest path to achieving it.
Yep, guilty party.
I want email on my phone. I have one account set up to receive alerts and I'm not at my desktop all day.
Feel free to let me know if that is a really bad idea.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Sun Sep 16, 2018 2:47 pm

tadamsmar wrote:
Sat Sep 15, 2018 7:08 am
damjam wrote:
Fri Sep 14, 2018 6:36 pm
tadamsmar wrote:
Fri Sep 14, 2018 5:19 pm
For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
I found this requirement from Vanguard interesting:
Don't store your password or answers to security questions on the computer or device you use to access your Vanguard accounts.
I suppose they don't intend us to use password managers then?
If you follow the informational links from the fraud pledge page, get to a page that says that you are not supposed to store your password unencrypted on your computer:

https://investor.vanguard.com/security/credentials

I guess that means encrypted is OK. But, interpreting the fraud pledge has always been a guessing game!

The pledge used to imply that not sharing your password was one of your responsibilities required for the reimbursement guarantee. Now it just states that all shared-password transactions are considered to be authorized by you. A good clarification for the many clients that share passwords with their spouses.
The threat model of the OS is not such that encrypting your credentials locally moves the needle anyway.
iOS is probably the only exception as the sandboxing track record, while imperfect, is awfully good over the last 10 years.

That said, on some level this is all a fool's errand. If a bad guy gets on your computer they own everything on your computer. It is not a matter of if but rather when this happens.

Tabulator
Posts: 265
Joined: Sat Mar 31, 2012 4:03 pm

Re: How real is cyber risk?

Post by Tabulator » Sun Sep 16, 2018 2:51 pm

evestor wrote:
Sun Sep 16, 2018 2:47 pm
iOS is probably the only exception as the sandboxing track record, while imperfect, is awfully good over the last 10 years.
What about Chrome OS?

User avatar
damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Sun Sep 16, 2018 3:07 pm

evestor wrote:
Sun Sep 16, 2018 2:47 pm
tadamsmar wrote:
Sat Sep 15, 2018 7:08 am
damjam wrote:
Fri Sep 14, 2018 6:36 pm
tadamsmar wrote:
Fri Sep 14, 2018 5:19 pm
For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
I found this requirement from Vanguard interesting:
Don't store your password or answers to security questions on the computer or device you use to access your Vanguard accounts.
I suppose they don't intend us to use password managers then?
If you follow the informational links from the fraud pledge page, get to a page that says that you are not supposed to store your password unencrypted on your computer:

https://investor.vanguard.com/security/credentials

I guess that means encrypted is OK. But, interpreting the fraud pledge has always been a guessing game!

The pledge used to imply that not sharing your password was one of your responsibilities required for the reimbursement guarantee. Now it just states that all shared-password transactions are considered to be authorized by you. A good clarification for the many clients that share passwords with their spouses.
The threat model of the OS is not such that encrypting your credentials locally moves the needle anyway.
iOS is probably the only exception as the sandboxing track record, while imperfect, is awfully good over the last 10 years.

That said, on some level this is all a fool's errand. If a bad guy gets on your computer they own everything on your computer. It is not a matter of if but rather when this happens.
I think we're talking about very different levels of risk.

Does the world contain trained assassins that can kill me in the blink of an eye? Yes.
Are any of them even remotely interested in me or my life? I doubt it sincerely.

No security set up is impenetrable. Each of us needs to gauge our risk profile and act accordingly. Not that unlike the choices we make regarding an asset allocation. Perhaps you suffer from knowing too much, if that's possible.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Sun Sep 16, 2018 3:20 pm

damjam wrote:
Sun Sep 16, 2018 3:07 pm
evestor wrote:
Sun Sep 16, 2018 2:47 pm
The threat model of the OS is not such that encrypting your credentials locally moves the needle anyway.
iOS is probably the only exception as the sandboxing track record, while imperfect, is awfully good over the last 10 years.

That said, on some level this is all a fool's errand. If a bad guy gets on your computer they own everything on your computer. It is not a matter of if but rather when this happens.
I think we're talking about very different levels of risk.

Does the world contain trained assassins that can kill me in the blink of an eye? Yes.
Are any of them even remotely interested in me or my life? I doubt it sincerely.

No security set up is impenetrable. Each of us needs to gauge our risk profile and act accordingly. Not that unlike the choices we make regarding an asset allocation. Perhaps you suffer from knowing too much, if that's possible.
This is unfortunately not an apt comparison anymore.
It used to be that we would say that only nation states are capable of this sort of thing. However, in the world in which we live in 2018, 2 things have become true: 1) The ability for individuals to get their hands on the tools used by nation states is better than ever 2) the susceptibility of users to fall for very well designed traps is higher than ever

I wish I were speaking theoretically. I see this stuff *for a living* on a very regular basis.

The overwhelming odds are that you or a friend/family member's computer will get compromised at some point. What then? Bad guys are better than ever at leveraging lateral attack patterns.

Talking about this like it is a nation state problem does not acknowledge what is happening day to day right now. And it removes accountability from those that can make the largest difference...everyday users.

I understand that what I say sounds alarmist. But that's because I see this *all the time* in my line of work. The evolution of attacks from 2005 to today is very material. This is not the AOL dialup world threat anymore. It has evolved.

The message is not "panic!" The message is, there is LOTS people can and should do to protect themselves.
The tech industry (of which I am a part) has done a *terrible* job preparing everyday users for this landscape of threats. We have made it sound complex, like you need an expert to think through the risks for you. It is much simpler than this. It's very normal sorts of thinking.
One of these days I'll ask the forum moderators if I can submit a page about how to protect yourselves. We all should do it. It's relatively straightforward stuff.

User avatar
damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Sun Sep 16, 2018 3:28 pm

evestor wrote:
Sun Sep 16, 2018 3:20 pm
damjam wrote:
Sun Sep 16, 2018 3:07 pm
evestor wrote:
Sun Sep 16, 2018 2:47 pm
The threat model of the OS is not such that encrypting your credentials locally moves the needle anyway.
iOS is probably the only exception as the sandboxing track record, while imperfect, is awfully good over the last 10 years.

That said, on some level this is all a fool's errand. If a bad guy gets on your computer they own everything on your computer. It is not a matter of if but rather when this happens.
I think we're talking about very different levels of risk.

Does the world contain trained assassins that can kill me in the blink of an eye? Yes.
Are any of them even remotely interested in me or my life? I doubt it sincerely.

No security set up is impenetrable. Each of us needs to gauge our risk profile and act accordingly. Not that unlike the choices we make regarding an asset allocation. Perhaps you suffer from knowing too much, if that's possible.
This is unfortunately not an apt comparison anymore.
It used to be that we would say that only nation states are capable of this sort of thing. However, in the world in which we live in 2018, 2 things have become true: 1) The ability for individuals to get their hands on the tools used by nation states is better than ever 2) the susceptibility of users to fall for very well designed traps is higher than ever

I wish I were speaking theoretically. I see this stuff *for a living* on a very regular basis.

The overwhelming odds are that you or a friend/family member's computer will get compromised at some point. What then? Bad guys are better than ever at leveraging lateral attack patterns.

Talking about this like it is a nation state problem does not acknowledge what is happening day to day right now. And it removes accountability from those that can make the largest difference...everyday users.

I understand that what I say sounds alarmist. But that's because I see this *all the time* in my line of work. The evolution of attacks from 2005 to today is very material. This is not the AOL dialup world threat anymore. It has evolved.

The message is not "panic!" The message is, there is LOTS people can and should do to protect themselves.
The tech industry (of which I am a part) has done a *terrible* job preparing everyday users for this landscape of threats. We have made it sound complex, like you need an expert to think through the risks for you. It is much simpler than this. It's very normal sorts of thinking.
One of these days I'll ask the forum moderators if I can submit a page about how to protect yourselves. We all should do it. It's relatively straightforward stuff.
Please do.
I for one would be very interested in reading it.

Kompass
Posts: 147
Joined: Sat Oct 01, 2016 5:42 pm

Re: How real is cyber risk?

Post by Kompass » Sun Sep 16, 2018 3:29 pm

evestor,

"One of these days I'll ask the forum moderators if I can submit a page about how to protect yourselves. We all should do it. It's relatively straightforward stuff."

I think this sounds like a great idea for a Wiki page, I hope you decide to do it. Thanks
The large print giveth and the fine print taketh away.

3-20Characters
Posts: 85
Joined: Tue Jun 19, 2018 2:20 pm

Re: How real is cyber risk?

Post by 3-20Characters » Sun Sep 16, 2018 6:11 pm

Kompass wrote:
Sun Sep 16, 2018 3:29 pm
evestor,

"One of these days I'll ask the forum moderators if I can submit a page about how to protect yourselves. We all should do it. It's relatively straightforward stuff."

I think this sounds like a great idea for a Wiki page, I hope you decide to do it. Thanks
Count me in as an interested party. Always willing to learn from those in the battlefield.

randomguy
Posts: 6479
Joined: Wed Sep 17, 2014 9:00 am

Re: How real is cyber risk?

Post by randomguy » Sun Sep 16, 2018 7:15 pm

damjam wrote:
Sat Sep 15, 2018 6:49 am
golfCaddy wrote:
Fri Sep 14, 2018 9:39 pm
tadamsmar wrote:
Fri Sep 14, 2018 8:51 pm
I think Vanguard would be responsible for that.

I said "if you are hacked" and I meant you not Vanguard.

I don't think that is the most likely scenario. All the cases I know of involved hacks of individual investors or seemed to involve hacks of individual investors. Never heard of a hack of a brokerage firm's password file.
For the types of hacks you're talking about, most of the advice in this thread is useless. If someone pwns your phone, it doesn't matter that you use two-factor authentication or strong passwords. They have access to your password because you type it on your phone and they have access to the SMS text codes which get sent to your phone. 2FA and strong passwords are designed to protect you against dictionary attacks, in other words someone hacks Vanguard's servers.
Vanguard opens people's accounts up to the possibility of this type of attack. Vanguard requires SMS as a recovery method and they offer a phone app to access accounts.

This trend of tying everything to a person's smart phone is just creating an Achilles heel that will be increasingly targeted.

Meanwhile Vanguard's fraud policy seems to say that using a password manager is verboten for storing passwords and notes re the Vanguard account. Any decent password manager highly encrypts all that information for goodness sake. From what I can gather it's when entering the password that you're most vulnerable, not when it's stored in an encrypted format. Password managers enable and encourage long, complicated and unique passwords for every site. PMs make keeping and remembering non-obvious answers to challenge questions simple. Why forbid the use of password managers?
Because password managers store your password. Hacker gets access to that file and they have all your secrets. From last year, here were the KNOWN security flaws in a bunch of password managers: https://thehackernews.com/2017/02/passw ... -apps.html . Who knows how many unknown security flaws there are. Maybe it is possible to hack into Lastpass, download all those cloud backups and then systematically unlock each and every one. Yes it should be impossible. Doesn't mean there isn't a defect somewhere that allows it. Or far more likely they didn't really think it through and just wanted you not to store all your passwords in a file called passwords:)

To some extent the security assumption has to be that at some point you will get hacked and that you will be impersonated. That is pretty much unavoidable given flaws in technology and people. You want to make it as hard as possible but at some level you need to be prepared for failure. The key is to make sure that when it happens it isn't fatal. Being able to log in and see my data is one thing. Being able to log in and transfer out 500k is another. How much convenience we should give up for safety is probably going to take a while to work out.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Mon Sep 17, 2018 12:21 am

randomguy wrote:
Sun Sep 16, 2018 7:15 pm
Because password managers store your password. Hacker gets access to that file and they have all your secrets. From last year, here were the KNOWN security flaws in a bunch of password managers: https://thehackernews.com/2017/02/passw ... -apps.html . Who knows how many unknown security flaws there are. Maybe it is possible to hack into Lastpass, download all those cloud backups and then systematically unlock each and every one. Yes it should be impossible. Doesn't mean there isn't a defect somewhere that allows it. Or far more likely they didn't really think it through and just wanted you not to store all your passwords in a file called passwords:)

To some extent the security assumption has to be that at some point you will get hacked and that you will be impersonated. That is pretty much unavoidable given flaws in technology and people. You want to make it as hard as possible but at some level you need to be prepared for failure. The key is to make sure that when it happens it isn't fatal. Being able to log in and see my data is one thing. Being able to log in and transfer out 500k is another. How much convenience we should give up for safety is probably going to take a while to work out.
Amen.

I am reminded of a time as a kid when we came back from vacation only to find the basement flooded with sewage. After it was cleaned out a plumber came to fix the problem. Tens of minutes later he came upstairs and announced the problem was solved...he put a check valve on the sewer line. My dad asked how this solves the problem...won't it just flood a neighbor next time? The plumber at that point asked whose problem we wanted solved...ours or the neighbors'?

The goal is to make it as inconvenient as possible to steal your stuff. So much so that they go somewhere else. Everything is breakable eventually. But you want to be sufficiently difficult that 1) you're a tougher target so they move on and 2) it isn't your fault if it is broken (ie the bank will take the liability on).

slalom
Posts: 47
Joined: Mon Dec 25, 2017 4:59 am

Re: How real is cyber risk?

Post by slalom » Mon Sep 17, 2018 12:35 am

The chances of your phone’s SMS messages being hacked or someone getting a SIM card that steals your phone number are so incredibly small you may as well not consider it just like you don’t plan your life around getting struck by lightning.

Your identity being stolen on the other hand is increasingly likely.

So is a company’s database of users and passwords being hacked.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Mon Sep 17, 2018 12:52 am

slalom wrote:
Mon Sep 17, 2018 12:35 am
The chances of your phone’s SMS messages being hacked or someone getting a SIM card that steals your phone number are so incredibly small you may as well not consider it just like you don’t plan your life around getting struck by lightning.
It happens way more than you think

jalbert
Posts: 3814
Joined: Fri Apr 10, 2015 12:29 am

Re: How real is cyber risk?

Post by jalbert » Mon Sep 17, 2018 1:47 am

You should always use at least two of the three factors of authentication:
Something you know (e.g. a password)
Something you have (e.g. a token or smart phone)
Something you are (e.g. biometrics such as facial recognition, or a fingerprint or retina scanner)
I hate to be so nitpicky about this, but the correct way to state it is:

Something only you know (e.g. a password)
Something only you have (e.g. a token or smart phone)
A live copy of something you are (e.g. biometrics such as facial recognition, or a fingerprint or retina scanner known by the authenticator to have been captured live during the authentication session).

Something you and many other people know or have is not an adequate implementation of the first two. And a live fingerprint is good. A digital copy of it is not.
Risk is not a guarantor of return.

User avatar
damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Mon Sep 17, 2018 4:05 am

Although I greatly appreciate what all of you have contributed to this thread and other threads, I think you guys have given me a headache.

I really wish someone could explain to me what is a reasonable course of action.

I have a tech person who is willing to help me (a former UNIX administrator), but personal cyber security is not his area of expertise.

Honestly I'm beginning to see why most people don't even bother to try to get this right.

3-20Characters
Posts: 85
Joined: Tue Jun 19, 2018 2:20 pm

Re: How real is cyber risk?

Post by 3-20Characters » Mon Sep 17, 2018 6:15 am

damjam wrote:
Mon Sep 17, 2018 4:05 am
Although I greatly appreciate what all of you have contributed to this thread and other threads, I think you guys have given me a headache.

I really wish someone could explain to me what is a reasonable course of action.

I have a tech person who is willing to help me (a former UNIX administrator), but personal cyber security is not his area of expertise.

Honestly I'm beginning to see why most people don't even bother to try to get this right.
— Use a strong, unique password for each site and store passwords in a password manager.
— Use 2FA.
— For security questions, instead of giving the correct answer (first car is a mustang), give an answer that doesn’t make sense and only you would know, like lollipop.
— Use a strong passcode on your computer and other devices.
— Keep all your devices updated (latest OS).
— Do not click on email links and if you do, never enter password into site you clicked from email.
— Be mighty suspicious of any file you download.
— If you're worried about viruses, use virus software.

If you do all these, you’ll be way ahead of most people.
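The "never enter a password into a site you clicked from email" bullet above is the one people slip on, because the tricks that make a phishing link look right are mechanical and easy to automate a check for. What follows is an added example written for this thread, not a tool from the posts or from any vendor: a small link checker that reports why a URL should not be trusted before anything is typed into it. The trusted-domain list and the sample links are constructed for the demonstration; `evil.example` is a reserved documentation name, not a real site.

```python
from urllib.parse import urlsplit


def link_risk(href: str, trusted_domains: tuple[str, ...]) -> list[str]:
    """Return the reasons a link is suspicious; an empty list means it lands on a trusted domain over https.

    Checks, in order, the things phishing links most often get "almost right":
    - plain http (credentials in the clear, and no certificate tied to the name)
    - userinfo before '@': browsers treat 'trusted.com@evil' as host 'evil'
    - a raw IP address instead of a name
    - internationalized labels, where look-alike letters can imitate a brand
    - a host that merely *contains* the brand ('vanguard.com.evil.example') rather than
      being the brand's domain or one of its subdomains
    """
    reasons = []
    parts = urlsplit(href.strip())

    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is '{parts.scheme or '(none)'}', not https")

    host = (parts.hostname or "").rstrip(".")
    if not host:
        reasons.append("no hostname in link")
        return reasons

    if parts.username is not None:
        reasons.append("text before '@' is userinfo, not the site; real host is " + host)

    if host.replace(".", "").isdigit():
        reasons.append("host is a raw IP address")

    labels = host.split(".")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        reasons.append("internationalized hostname (possible look-alike characters)")

    # Suffix match on label boundaries: 'investor.vanguard.com' is under 'vanguard.com',
    # but 'vanguard.com.evil.example' is under 'evil.example'.
    if not any(host == t or host.endswith("." + t) for t in trusted_domains):
        reasons.append(f"host '{host}' is not a trusted domain")
    return reasons


def triage(links: list[str], trusted_domains: tuple[str, ...]) -> dict[str, list[str]]:
    """Run link_risk over a batch, keeping only links that raised at least one reason."""
    findings = {href: link_risk(href, trusted_domains) for href in links}
    return {href: why for href, why in findings.items() if why}


if __name__ == "__main__":
    TRUSTED = ("vanguard.com",)
    # Constructed sample links: the first is the real page quoted earlier in this thread;
    # the rest are shapes that phishing emails commonly use, on reserved example names.
    SAMPLE = [
        "https://investor.vanguard.com/security/credentials",
        "http://investor.vanguard.com/security/credentials",
        "https://vanguard.com@evil.example/login",
        "https://vanguard.com.evil.example/login",
        "https://vanguard-secure.example/login",
        "https://xn--vnguard-m1a.example/login",
    ]
    for href, why in triage(SAMPLE, TRUSTED).items():
        print(href)
        for r in why:
            print("   -", r)
```

Two things this check cannot do are worth saying plainly. It cannot tell you that `vanguard-secure.example` is malicious, only that it is not the domain you bookmarked, which is why the list of trusted domains has to come from your own bookmarks rather than from the email. And it says nothing about the page behind a trusted link, so the habit in the bullet still applies: open the site from your own bookmark or by typing it, and treat the email only as a prompt to go look.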

hdas
Posts: 314
Joined: Thu Jun 11, 2015 8:24 am

Re: How real is cyber risk?

Post by hdas » Mon Sep 17, 2018 7:35 am


User avatar
damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Mon Sep 17, 2018 8:48 am

3-20Characters wrote:
Mon Sep 17, 2018 6:15 am
damjam wrote:
Mon Sep 17, 2018 4:05 am
Although I greatly appreciate what all of you have contributed to this thread and other threads, I think you guys have given me a headache.

I really wish someone could explain to me what is a reasonable course of action.

I have a tech person who is willing to help me (a former UNIX administrator), but personal cyber security is not his area of expertise.

Honestly I'm beginning to see why most people don't even bother to try to get this right.
— Use a strong, unique password for each site and store passwords in a password manager.
— Use 2FA.
— For security questions, instead of giving the correct answer (first car is a mustang), give an answer that doesn’t make sense and only you would know, like lollipop.
— Use a strong passcode on your computer and other devices.
— Keep all your devices updated (latest OS).
— Do not click on email links and if you do, never enter password into site you clicked from email.
— Be mighty suspicious of any file you download.
— If you're worried about viruses, use virus software.

If you do all these, you’ll be way ahead of most people.
Thank you for responding to my early morning plaintive cry.

I see you fail to mention a password manager. Is that because you think they're a bad idea?

Here's my difficulty around not using a password manager: I really am terrible at coming up with passwords. Also I simply have too many accounts to manage with paper and pencil efficiently. I suppose if I imagine a gun to my head, I could do it. But it's more annoyance/inconvenience than I'd like to endure, especially if it's not really necessary.

To those of you who strongly believe that a password manager is not worth the risk, what do you suggest?

3-20Characters
Posts: 85
Joined: Tue Jun 19, 2018 2:20 pm

Re: How real is cyber risk?

Post by 3-20Characters » Mon Sep 17, 2018 8:53 am

damjam wrote:
Mon Sep 17, 2018 8:48 am
3-20Characters wrote:
Mon Sep 17, 2018 6:15 am
damjam wrote:
Mon Sep 17, 2018 4:05 am
Although I greatly appreciate what all of you have contributed to this thread and other threads, I think you guys have given me a headache.

I really wish someone could explain to me what is a reasonable course of action.

I have a tech person who is willing to help me (a former UNIX administrator), but personal cyber security is not his area of expertise.

Honestly I'm beginning to see why most people don't even bother to try to get this right.
— Use a strong, unique password for each site and store passwords in a password manager.
— Use 2FA.
— For security questions, instead of giving the correct answer (first car is a mustang), give an answer that doesn’t make sense and only you would know, like lollipop.
— Use a strong passcode on your computer and other devices.
— Keep all your devices updated (latest OS).
— Do not click on email links and if you do, never enter password into site you clicked from email.
— Be mighty suspicious of any file you download.
— If you're worried about viruses, use virus software.

If you do all these, you’ll be way ahead of most people.
Thank you for responding to my early morning plaintive cry.

I see you fail to mention a password manager. Is that because you think they're a bad idea?

Here's my difficulty around not using a password manager: I really am terrible at coming up with passwords. Also I simply have too many accounts to manage with paper and pencil efficiently. I suppose if I imagine a gun to my head, I could do it. But it's more annoyance/inconvenience than I'd like to endure, especially if it's not really necessary.

To those of you who strongly believe that a password manager is not worth the risk, what do you suggest?
I DO, STRONGLY recommend a password manager. See bullet point #1.
:beer
