ICEINSPACE

07-11-2022, 06:09 PM
|
 |
Always gonna be a NOOB...
|
|
Join Date: Oct 2008
Location: Cairns, Qld
Posts: 1,289
|
|
Cyber Security
Just thought I'd push this out there for people to be aware & cautious...
On another forum I'm on (not astronomy related) there has been an instance of a member's details (from the Optus attack) used to take over a member's account & conduct some shonky classified dealings.
Of interest, this other forum has the option of using two factor authentication when logging in but, it's not mandatory & the member involved did not have it activated. His account has subsequently been secured but, not without some damage in the form of a classified ad being posted in his name & it's believed the perpetrator may have successfully scammed some money out of someone.
Noting this forum does not have a two factor authentication option (not that I'm aware of anyways) nor, for that matter do many forums & it wasn't mandatory on the forum of which I speak, people need to be aware that the fallout from the Optus & likely the Medibank Private hacks can & do impact people who were not compromised...
So, folk... be cautious, be aware... this could easily happen on this or any other forum...
Cheers
|

08-11-2022, 08:15 AM
|
 |
Registered User
|
|
Join Date: Mar 2022
Location: Melbourne
Posts: 1,242
|
|
Yep, agree with you there.
I strongly suggest people use a password manager such as LastPass or Bitwarden, and keep a unique password for every site they use. You only need to remember one (hopefully long and secure) master password and the manager looks after the rest for you.
Just be aware that 2FA is not the silver bullet it's being made out to be. It's only one more tool in your security arsenal.
Cheers,
V
|

08-11-2022, 12:08 PM
|
 |
Registered User
|
|
Join Date: Apr 2006
Location: Warrnambool
Posts: 12,800
|
|
Funny you say this Carlton, well it's not funny really, but on this forum a few weeks ago someone somehow copied my IIS Profile and posted responses to threads in my name.
This also has been fixed, but why would someone want to do this?
Alice and I were talking just last night and said "maybe we should just take our money out of the bank and stick it in the safe" at least we know where it is then.
Leon
|

08-11-2022, 02:02 PM
|
 |
Dazed and confused
|
|
Join Date: May 2012
Location: Melbourne
Posts: 3,505
|
|
Problem with 2 factor is if one is required to leave their phone number then that's more personal information that is out there.
I get enough crank calls by scammers which I ignore without furthering this
|

08-11-2022, 02:33 PM
|
 |
Registered User
|
|
Join Date: Mar 2012
Location: Mornington Peninsula, Australia
Posts: 3,996
|
|
|

08-11-2022, 04:15 PM
|
 |
Always gonna be a NOOB...
|
|
Join Date: Oct 2008
Location: Cairns, Qld
Posts: 1,289
|
|
Quote:
Originally Posted by leon
Funny you say this Carlton, well it's not funny really, but on this forum a few weeks ago someone somehow copied my IIS Profile and posted responses to threads in my name.
This also has been fixed, but why would someone want to do this?
Alice and I were talking just last night and said "maybe we should just take our money out of the bank and stick it in the safe" at least we know where it is then.
Leon 
|
I don't know either Leon, I truly don't understand what motivates some people or what exactly they believe they might gain. Human nature is truly baffling to me.
Quote:
Originally Posted by Nikolas
Problem with 2 factor is if one is required to leave their phone number then that's more personal information that is out there.
I get enough crank calls by scammers which I ignore without furthering this
|
The forum I was referring to uses Google Authenticator, the 2FA is done via that app, I cannot recall if establishing my Google account required giving them my phone number or not...
What other method do you suggest then in the face of ever increasing threats?
Quote:
Originally Posted by rustigsmed
|
Whilst I acknowledge that 2FA is not a silver bullet, as mentioned in another post but, it is an additional layer of security... pretty much like you don't just rely on a finger lock door lock on your door, one has a few layers of home security, none on its own perfect.
What else would you suggest in an environment where there are no perfect answers yet the threats increase?
|

08-11-2022, 09:51 PM
|
 |
Dazed and confused
|
|
Join Date: May 2012
Location: Melbourne
Posts: 3,505
|
|
On netrider the 2fa we use is an email with a code which although I hate I will use, no phone number required.
|

09-11-2022, 06:20 PM
|
 |
Registered User
|
|
Join Date: Mar 2022
Location: Melbourne
Posts: 1,242
|
|
Hey all,
There are different types of 2FA.
One type is the "send an SMS to your phone", which is being phased out as it's too easy to circumvent. The bad guys will bribe / convince a phone provider support person that your number needs to be ported to a different SIM (that they control) and there goes your phone. This has been used in America in a number of high-profile cryptocurrency heists.
Another is an app on your phone that is tied to the 2FA provider (eg: Symantec VIP, Duo MFA, Google Authenticator) and when prompted you can either enter a 6-digit number into the website or respond to a notification on your device. Trouble is, if your username and password are compromised then the bad guys can simply ask for an MFA prompt and then rely on you to press "ok" without thinking. This happens a lot more often than you would think.
As for Nik's comment about getting scam calls - most of them will be robo-diallers. Automated software that will dial hundreds of numbers in parallel and if/when someone answers, the call is routed to a scammer (or you get an automated message). Sadly, the only real option is to ignore any calls from numbers you don't recognise. Not the best option if you're expecting calls from customers!
As for the "Do not call" register, that's a total waste of time. Most of the robo-diallers and scammers are based outside Oz.
If a store asks me for a phone number I usually give a made-up one (if they won't accept "no" as an answer and there's no need for them to ever contact me) and a fake email address to go with it.
There are too many businesses with too much PII on their systems and we need to stand up and say "No" to gregarious requests for PII where they aren't required.
Now, let's get back to talking about astro! That's what we're here for!
Cheers,
V
Quote:
Originally Posted by Nikolas
Problem with 2 factor is if one is required to leave their phone number then that's more personal information that is out there.
I get enough crank calls by scammers which I ignore without furthering this
|
|

10-11-2022, 07:10 AM
|
Registered User
|
|
Join Date: Mar 2007
Location: sydney
Posts: 1,836
|
|
Quote:
Originally Posted by leon
Alice and I were talking just last night and said "maybe we should just take our money out of the bank and stick it in the safe" at least we know where it is then.
Leon 
|
So does everyone else ...
|

28-10-2024, 05:58 PM
|
Registered User
|
|
Join Date: Dec 2018
Location: ACT, Australia
Posts: 168
|
|
This is a good start to read and follow: https://www.cyber.gov.au/protect-yourself
If in future an upgraded/new version of the forum is set up, hopefully cyber security will be one of the main priorities given lately there have been few people, myself included, stung by fraudsters who have likely taken over dormant accounts.
|

28-10-2024, 06:01 PM
|
Registered User
|
|
Join Date: Dec 2014
Posts: 673
|
|
Quote:
Originally Posted by rustigsmed
|
I've seen a lot of Rob Braxman's videos along with many other cybersecurity and online privacy 'expert' presentations. I've been on a continuing security and privacy drive myself. FWIW, if you like Brax's presentations, try Naomi Brockwell TV on YouTube as well. There are a bunch of others, too numerous to name, of varying degrees of accuracy/reliability or niche subject matter.
Some 2FA is better than no 2FA. In this regard, Brax's viewpoint is a little overstated, IMHO. It's true that some institutions seem to treat 2FA as a box-ticking exercise and prioritise the ID aspects over true security, such as using SMS to a phone, with banks being the worst culprits. I think Brax's assessment of the impact of "know your customer" legislation is correct in this regard. But, again, some 2FA is better than no 2FA.
I'd love to see the FIDO standard more universally adopted but the humble code-generator (of which there are many examples, and they pretty much all work the same way) is a step up from SMS, even if it is still "phishable".
As we find ourselves in the middle of an undeclared cyberwar, it's incumbent upon all of us to be more cybersecurity aware and to use the best/most secure mechanism that each site/service allows. Beyond that, the more of us who write to our MPs to demand better 2FA/MFA options (especially banks!), the better.
And, yeah, sorry it's an old thread.
|

28-10-2024, 07:31 PM
|
 |
Now I see !!!
|
|
Join Date: Feb 2009
Location: Where chemtrails are presented as...
Posts: 532
|
|
Quote:
Originally Posted by leon
Funny you say this Carlton, well it's not funny really, but on this forum a few weeks ago someone somehow copied my IIS Profile and posted responses to threads in my name.
This also has been fixed, but why would someone want to do this?
Alice and I were talking just last night and said "maybe we should just take our money out of the bank and stick it in the safe" at least we know where it is then.
Leon 
|
Good thinking
|