Whenever you use your cell phone, or a landline, your call is routed through a switch that uses something called SS7 routing. It's an industry standard used literally around the world. And it is insecure by design. It became this way because SS7's predecessors began in those halcyon days of the internet when everybody was nice to each other and there were no bad people online, so trust, verification, and security weren't baked in from the beginning. Sadly, we now know that those days never really existed and we're really paying the price now.
You can now buy a cyber malware toolkit for about $1000 that will let you gain control of SS7 switches. Bank accounts are being looted in Germany: malware and keyboard loggers are used to suck credentials from personal and business accounts, then SS7 malware is used to intercept the SMS verification code sent by the bank to the "account holder", allowing accounts to be drained and making it very difficult to track the criminals.
I use PayPal in such a mode, tied directly to my checking account. Perhaps I should see if I can point it at my savings account, and when I go to buy something from Humble Bundle or whatever, transfer funds to that account, make the transaction, and ignore it.
THERE. IS. NO. EASY. SOLUTION. TO. THIS. The best solution is the keyfob authenticator that has the random number LCD display that changes every minute or so, but those are expensive to deploy and, if you lose the fob, a PITB to replace and re-integrate into your account. And they aren't 100% impervious to hacking, but they're damn difficult.
I use my bank via web browsing. I access it via my phone through a fingerprint scan, likewise my main credit card, which also pops up an alert on my phone whenever a charge hits. I have no idea how secure that fingerprint technology is for that purpose. It is somewhat secure in that a fingerprint won't unlock my phone: for that, you'll need a code that isn't just a four-digit number.
https://www.schneier.com/blog/archives/2017/05/criminals_are_n.html
no subject
Date: 2017-05-10 06:27 pm (UTC)
I remember having a discussion with a friend once about ApplePay/Android Pay in which I mentioned having security concerns. He said, "It's more secure than making a bank deposit thru the ATM." I said, "I don't do that either." The expression on his face was priceless! (I actually do have Android Pay installed on my smartphone, but I've never activated it.)
no subject
Date: 2017-05-10 07:24 pm (UTC)
I haven't done ATM deposits in quite a while: my bank added photo deposit to their app, so that's been my methodology for quite a while. It's very cool: enter the amount, take a photo of both sides of the endorsed check, and you're done. I have Apple Pay for my iPhone, and I've been noticing an increasing number of merchants accepting it, but I haven't enabled it yet. Considering the number of restaurants that get hacked, perhaps I should. I ought to look in to see if it will support multiple cards/accounts.
I'll post something tomorrow about tugging on ATMs.... :-)
no subject
Date: 2017-05-10 08:07 pm (UTC)
The bank I had that got eaten by the POS that made me jump to the credit union had 2-step authentication -- you enter your ID, that takes you to a page with a security image and text selected by you, and only after you can see that it's the right image/text do you enter your password. And they put that in before they had any kind of breach. I liked that bank, but the one that bought them out... well, like I said, that's why I'm now with a credit union.