Received 20221007:
|
Quote
:
Hello,Thanks for your interest in the "Good for the Internet" pricing promotion for Yubico security keys, offered to Cloudflare customers in collaboration with Yubico. We're reaching out with information about how to qualify for the offer as your account currently does not qualify. Cloudflare users can take advantage of this offer as long as their account is active as follows: The account has an active zone, or The account is actively using Cloudflare Zero Trust and The account has not exceeded the amount of Yubico security keys available as part of this offer. If your account becomes active while the offer is open, you will receive an email from Yubico so that you can partake in the offer. We appreciate your understanding and support in helping improve Internet security. The Cloudflare Team *Cloudflare may modify, limit, or discontinue this offer at any time. Available while supplies last. |
Leave a Comment
Top Comments
When you visit websites that need you to log in, almost always, you use a password and username. That password is 1 identifier.
...
Life used to be simple and you can pick a simple password like "a" and login. Easy to remember.
Then, hackers got smart and tried "a" on all the sites and accounts, got into a few, so sites decided to force you to use complex passwords like IcantRemembr853!#.
So then password managers became popular - standalone or built into browsers. They can create and remember complex passwords so you don't have to write them down.
Naturally, you still must remember the 1 master password to get into the password manager.
..
Naturally, someone can look over your shoulder or install spyware into your computer to steal your complex passwords, and still hack into your accounts.
So some things offered alternative methods that are harder to steal/duplicate. One such is fingerprint login into Windows on PCs with fingerprint readers. Another is face recognition on iPhones.
Naturally, hackers got smart and copied your fingerprint, or simply cut off your finger to log into your accounts. Or simply forced your face in front of the phone or PC to gain access.
...
So then companies started using a second identifying device/method.
The common one is a text (sms) message with a numerical code to your mobile phone.
Once enabled on websites, you then need to enter your username, complex password, and unique text code.
The idea here is even if someone knows your password, they don't know the unique text code.
Naturally, hackers got smart and figured out how to clone/copy/steal your mobile phone number. The SIM card and related mobile technologies aren't as secure as they ought to be, much like most of the internet.
So every text to your phone is automatically copied on another hacker owned phone.
There are other sophisticated devices that can pull the data live from the mobile networks, too, so sim cloning isn't even necessary.
....
So then, 2fa devices like yubikey, titan, and others were created.
Rather than texting you a unique code, you own a device that creates a unique code each time you use it to log in. So still username + complex password + unique code.
Naturally, hackers try.
The poorer, non-state sponsored ones don't seem to have found a good way around them short of stealing it and your password.
It's very likely state sponsored hackers working for the nsa and the like have no issues because they have the tools, equipment, and capability to pull what they need directly from the sites you're logging into.
Ie. Why hack your account when they can hack into the entire company you're accessing?
The fact that they're already planning for obsoleting current encryption standards for emerging quantum means they've got the ability and quantum computers to hack into encrypted accounts today, albeit slowly.
2fa devices do have problems.
To prevent theft of the second unique code, the manufacturing companies can't keep any records of what's embeded - supposedly.
This means if you lose your 2fa device, and have not setup recovery methods for your accounts, you lose all access forever.
This forces uses to keep multiple devices, some off-site, which means hackers can have access to those 2fa devices not in your possession at all times.
Naturally, companies add more layers of complexity by adding fingerprint readers, pin codes, etc to the 2fa devices.
So now you have a password/pin/fingerprint to access the 2fa device, the unique code from that, your username, your master password to the password manager, and your complex password to log into a site protected by 2fa.
...
Cell phones have apps from Microsoft, Google, etc that duplicate the functionality of 2fa devices. Some say it's not as secure because hackers can hack into it and steal it. (But that's just stealing virtually vs stealing in reality taking a 2fa device, so no real difference to hackers that really want your 2fa devices.)
It's the same however as 2fa devices when lost/stolen/broken. No backup? No recovery method? Equals you lose access to all your accounts.
You can read the thousands of mobile 2fa uses screwed because of this fact. The exact same applies to 2fa devices like this one on sale.
...
Keep in mind that MOST Americans have had their personal info stolen, the biggest of which was the recent Equifax breach exposing name, social security and other info.
The hackers have access to this info, so why worry about 2fa protected accounts? There's often some HUMAN server administrator willing to take the hacker on their word that they've properly identified themselves as you with the stolen personal info and unlock your accounts to give hackers access.
And besides that, there's other ways around all that like infecting your pc/phone with a screen copy & remote control software. Why worry about getting your 2fa + passwords when hackers can wait for you to login, then they have full access and control.
Even the smart North Koreans are doing it the easier way to steal bitcoins etc after you login.
......
Many American banks still use text messages because of cost (free), simplicity, and widespread use and carry of a mobile phone.
2fa devices become useless/unused when they're inconvenient.
Naturally, banks, credit card, etc have also started utilizing more advanced AI having detection methods and cell phone tracking to help verify you're you.
Eg cell phone tracking alone.
They have live info on your exact phone location even with cell tower enhanced gps off, so when you're using your credit card, logging in to websites, etc, the banks/credit card companies know and have mapped out your typical, daily routine and locations.
So if a hacker tries to login with a text 2fa suddenly from across the globe, it triggers alerts.
Naturally, mostly computer/ai driven detection given the millions of logins a day, so they don't catch everything. But hey, up until a few years ago, atms were often running windows xp and such, so what do you expect?
Financial companies factor in the thefts, and as long as it's managable, they're not going to push for tons more security. They'll just reimburse you, and still make tons of profits.
.....
Beyond that, the rest of the internet is "leaky" meaning everything from the dns to ip to ssl site encryption were never designed for high security and such. So there's tons of other ways to get to and steal your data on transit.
Black Hat Security Conferences and the Presentations (tons listed on the site to read up on) reveal tons and tons and tons of hacks. Just the tip of what's really out there on the black market to get into anything electronic you own.
You can go hard on security, but keep in mind the likelihood you'll be targeted. Ie. If you're an average Joe without a ton of assets and money, you're not as rewarding to hackers as the multimillionaires or true idiots (like the ones that fall for the easy phone scams pretending to be a daughter in trouble needing money sent asap.).
...
There are possibly better things you can do to reduce hacks and vulnerabilities.
Eg 2 computers.
1 only for banking financials.
1 only for daily, casual use.
E.g. Multiple email accounts with different passwords for banking, financials vs friends vs junk mail/public.
Obviously, only use the financial emails in the financial pc, the other emails in the daily pc.
The point being, the PC that has the financials is kept off unless in use, not used for anything else to keep the exposure to hacks low.
Isolated from the daily PC where if it gets hacks, there only the latest Toks and such to steal.
So, a spare key is needed, and is meant to hold an additional key for each of the accounts, so that you can continue to login to your accounts. This spare key doesn't contain a backup/copy of the exact same keys as that of the primary. Also, not all websites may support a spare. Some sites support multiple spare keys (LastPass Premium supports up to 5). So, each additional key can be used to access your account.
We use these at work and several users have complained that it made the port loose to the point where the Yubikey won't stay in or have broken the port entirely.
I strongly recommend connecting this to a cheap USB hub or USB extension cable instead of using the port on your computer directly. This is especially a must If you have a thinner laptop or one with an aluminum chassis,
1,001 Comments
Sign up for a Slickdeals account to remove this ad.
I love this one: (a woman expert social engineer getting access to someone's cellphone)
https://youtu.be/fHhNWAKw0bY?t=7
You can keep a string in your head, either prepend or postpend it to a crazy random looking string in the key. Press the touch pad and it 'types' it.
It emulates a standard USB keyboard like device, so works across OSes.
The user typically cannot regenerate the authenticator TOTP secret unless they back it up with their own means.
A fraudster could have it if the device was compromised and logged/recorded at the time it was generated. If the user backs up the secret in some way, that opens up a path a fraudster could get to if that backup is not secure in itself.
These hardware keys avoid these pitfalls since at the end of the day, the hardware needs to be physically present.
Sign up for a Slickdeals account to remove this ad.
The user typically cannot regenerate the authenticator TOTP secret unless they back it up with their own means.
A fraudster could have it if the device was compromised and logged/recorded at the time it was generated. If the user backs up the secret in some way, that opens up a path a fraudster could get to if that backup is not secure in itself.
These hardware keys avoid these pitfalls since at the end of the day, the hardware needs to be physically present.
Sign up for a Slickdeals account to remove this ad.
Leave a Comment