by Tdarcos » Fri Sep 08, 2023 8:03 am
This is probably some overreaction to account jacking or other identity theft incidents. The security level should be commensurate with either the value of the account or its contents to its owner, or the potential for theft or impersonation.
I mean, what are the chances anyone would bother stealing any of our credentials here? There's no money to be made because about all anyone could do is post spam to get people to go to some dodgy website or to try to get someone here potentially to buy something. The odds of this working, or of it having enough value to be worth the effort, are nearly zero. There's not enough meat on this bone to make it worth trying to steal it.
Putting 2FA on the websites that allow access to your bank account or brokerage, where you can withdraw money, or your credit card, where someone who stole it could re-route your statements elsewhere so you don't get them for a few months while they run up charges, would make sense. But it's being implemented as a "one size fits all" solution to the potential for account jacking or identity theft/fraud.
The simplest answer would be to make 2FA opt-in, with the caveat that if your account is compromised and you chose not to accept 2FA, you are 100% responsible for loss or damages if 2FA could have prevented it. Where an account is of low value, the use of username/passwords and/or access tokens might be sufficient. Higher value accounts would have higher levels of security.
There is another system for secure authentication, S/Key. Basically, you generate a list of key words to use for the next n logins, say, 50. You print it out and carry it with you. You use one of the key words instead of your password for this one login only, specifically the one in the list following the last key used. Before you run out, you generate a new list for the next 50 logins. Even if someone knew your password it would not give them access, and even if they knew the keyword you used on your last login, that won't help either. It's similar to a 2FA token, but arranged in advance. Of course, that requires you to carry a note with you. More places should also have challenge/response questions that (hopefully) only you can answer, so you can do an emergency login to change your password and/or invalidate the current key list.
I mean, if I want to switch phones on Tracfone, I can do it through self-service. Give their website your phone number and the IMEI of the new phone. They send you a text message where you have to send back the code, meaning you have to have both the old and new phone to do this. If you lose your phone you have to do it manually, calling their 800 number and giving them this information; then they send the code to the e-mail address on file for your account. The e-mail warns you that this will move your phone service to a different phone, that if you did not ask to do this you should not give the code number out, that Tracfone will never call you about an account problem, and that you should only give the code to a Tracfone agent if you called them.
You give the agent the number and they will activate the transfer. I think this is quite reasonable to prevent phone jacking. Given how many things get tethered to one's phone, that is important.
The right amount of security relative to the situation is what should be used.
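As an added illustration of the S/Key mechanism described in the post (example code, not part of the original post and not the RFC 1760 implementation): the one-way hash chain behind the printed list, with SHA-256 hex strings standing in for the MD4-and-six-word encoding that real S/Key uses. The seed and user name are constructed values.

```python
import hashlib
import secrets

# Simplified S/Key-style one-time password list (added example).
# Real S/Key (RFC 1760) uses MD4 folded to 64 bits and prints each value as
# six short dictionary words; SHA-256 hex strings stand in for both here.

def step(value: bytes) -> bytes:
    """One one-way step of the hash chain."""
    return hashlib.sha256(value).digest()

def make_list(seed: bytes, n: int) -> tuple[list[str], str]:
    """Build the printed list of n one-time passwords plus the server's anchor.

    The list is ordered as it will be consumed: h^(n-1)(seed) first, h^0 = seed
    last. The server keeps only h^n(seed), so nothing stored server-side (and
    nothing already used) yields a password that is still unused.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(step(chain[-1]))
    anchor = chain[n].hex()
    printed = [v.hex() for v in reversed(chain[:n])]
    return printed, anchor

class SKeyVerifier:
    """Server side: stores only the most recently accepted value per user."""
    def __init__(self) -> None:
        self._last: dict[str, bytes] = {}

    def enroll(self, user: str, anchor_hex: str) -> None:
        self._last[user] = bytes.fromhex(anchor_hex)

    def login(self, user: str, otp_hex: str) -> bool:
        try:
            candidate = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        expected = self._last.get(user)
        # Accept only the value that hashes to the stored one, i.e. the next entry
        # on the printed list. Replaying an old entry or skipping ahead fails.
        if expected is None or not secrets.compare_digest(step(candidate), expected):
            return False
        self._last[user] = candidate  # advance the chain
        return True

if __name__ == "__main__":
    printed, anchor = make_list(secrets.token_bytes(16), 50)  # constructed seed
    server = SKeyVerifier()
    server.enroll("forum_user", anchor)
    print(server.login("forum_user", printed[0]))  # True: first entry on the list
    print(server.login("forum_user", printed[0]))  # False: replay of a used entry
    print(server.login("forum_user", printed[2]))  # False: skipped an entry
    print(server.login("forum_user", printed[1]))  # True: the next entry in order
```

The replay and skip cases show why knowing the last keyword used (or the server's stored value) does not help an attacker: each step is one-way, and the server only ever accepts the immediate predecessor of what it holds.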