6355 posts

Uber Geek
+1 received by user: 403

Moderator
Trusted
Lifetime subscriber

# 139248 2-Feb-2014 10:41

Read these first:

How Apple and Amazon Security Flaws Led to My Epic Hacking
How I Lost My $50,000 Twitter Username

What tips/tricks do you use to protect what you have online?

3284 posts

Uber Geek
+1 received by user: 985

Trusted

  # 978813 2-Feb-2014 11:03

I'd be interested in this too...

I turn on two factor authentication when I can and backup backup backup - but really it seems a couple of the companies named in the stories are to blame - mainly the ones treating the last 4 digits of a credit card (looks like that happened in both cases?) as enough to verify identity - just seems mental!

6615 posts

Uber Geek
+1 received by user: 2293
Inactive user


  # 978814 2-Feb-2014 11:05

I use mobile phone verification. Got my own personal domain for emails, or I use gmail / hotmail. My domain is with outlook.com or windows live domains for email. Seems to be fine.

On the topic of domains:


Query Time/Date 11:07 2/2/2014
Domain Name tim.govt.nz
Status Available

Query Time/Date 11:08 2/2/2014
Domain Name k.iwi.nz
Status Available


BDFL - Memuneh
63871 posts

Uber Geek
+1 received by user: 14333

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 978818 2-Feb-2014 11:13
One person supports this post

Use generic domains for service accounts - outlook.com and gmail.com... This way if someone hijacks your domain NS records they can't receive the password reset emails (as the GoDaddy hack allowed).

Use Two Factor Authentication wherever possible. Preferably with an app instead of SMS - it's not hard for someone to get a copy of your SIM if they apply enough social engineering.

Make sure the device with the 2FA app is password or PIN protected so it can't easily be accessed.

Store the recovery codes for the 2FA app in an encrypted file somewhere - but remember not to store it with a service that needs the 2FA for access (I have both Skydrive and Dropbox with 2FA, so it'd be stupid to store the recovery codes with these services as they would be inaccessible).

Use different passwords for each online service/account.

Use different prepaid credit cards for different accounts and change them when renewing accounts. Or use gift cards instead of credit cards.

Do not log in using public computers.

Do not answer calls with "I'm from your bank/card/shop, could you please answer some security questions to identify you?"... How can you identify the caller? Ask for a name and call the bank number you find online. Do not call a number they give you as they could just answer the phone and say it's your bank.

Do not open emails saying "We have charged your card for your eBay purchase, click here to login and authorise it" if you have not done anything on eBay (or any other company).

Do not answer calls with "We're from Microsoft and your computer has a virus, we're here to help."

Trust no one, Mr Mulder.

BDFL - Memuneh
63871 posts

Uber Geek
+1 received by user: 14333

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 978823 2-Feb-2014 11:25

Whatever you do, don't bank with ANZ.

For some unknown reason (perhaps because my account was a National Bank before) it seems my password resets by itself every month or so. Last time I tried accessing my account (which I only do once a month) I reset my password online and as part of the process called the 0800 number to confirm the change.

Entered the PIN (it's me!) and answered date of birth (easy to find somewhere, for sure) and the overdraft facility in my account (not so easy to find now). Then the next questions were:

- what's the original amount of your home loan (something I signed ten years ago and they wanted it to the cents!)
- when was the last date/time you logged into the internet banking system?

Seriously? Are those two "security questions"? I own the account and I have a vague idea of the first one, and absolutely no idea of the second one.

What if I had to change password because someone hijacked my account and accessed it? Even if I had a log of every time I used the internet banking systems my answer would be wrong because I wouldn't know if someone else used it.

I had to go to a branch to reset my password.

I complained on Twitter about these two questions. ANZ was silent (yes, they only reply when you say good things about them) and I actually got berated by an ANZ employee who follows me with things like "We're protecting your account, I bet you don't even have a PIN" and saying it was my fault I didn't keep a record of every time I log into the internet banking.

So whatever you do, stay away from ANZ.




773 posts

Ultimate Geek
+1 received by user: 196


  # 978848 2-Feb-2014 11:51

RT the ANZ employee tweets (tag in ANZ) and let them deal with it.

6615 posts

Uber Geek
+1 received by user: 2293
Inactive user


  # 978850 2-Feb-2014 11:59

Bank with ASB, it has the best 2 factor authentication.

12972 posts

Uber Geek
+1 received by user: 4342

Trusted
Lifetime subscriber

  # 978887 2-Feb-2014 13:25

nate: Read these first:

How Apple and Amazon Security Flaws Led to My Epic Hacking
How I Lost My $50,000 Twitter Username

What tips/tricks do you use to protect what you have online?


Go old school to keep track of passwords since you need so many these days and none of them should be the same. 

Write your passwords in a notebook and lock it in a fireproof safe.

Number the passwords but do not write what websites they refer to.

In an online document somewhere just store a list of websites with the corresponding numbers. Either document is useless to anyone on its own, and the likelihood of someone other than you possessing both is so low that if they are THAT good and THAT determined, you've got no chance anyway! They can't hack the password list because it does not exist in hackable form - they'd have to break and enter your home and be capable of opening your safe.

Unless you have billions, I suspect they'd just find an easier target.



3284 posts

Uber Geek
+1 received by user: 985

Trusted

  # 978889 2-Feb-2014 13:38
One person supports this post

Geektastic: 
Go old school to keep track of passwords since you need so many these days and none of them should be the same. 

Write your passwords in a notebook and lock it in a fireproof safe.

Number the passwords but do not write what websites they refer to.

In an online document somewhere just store a list of websites with the corresponding numbers. Either document is useless to anyone on its own, and the likelihood of someone other than you possessing both is so low that if they are THAT good and THAT determined, you've got no chance anyway! They can't hack the password list because it does not exist in hackable form - they'd have to break and enter your home and be capable of opening your safe.

Unless you have billions, I suspect they'd just find an easier target.


None of this will help if the attacker is using social engineering to just get the companies involved to give information over the phone\set PINs\reset passwords\etc with minimal verification of identity.

77 posts

Master Geek
+1 received by user: 17


  # 978895 2-Feb-2014 13:50
One person supports this post

freitasm: Whatever you do, don't bank with ANZ.

...I reset my password online and as part of the process called the 0800 number to confirm the change.

Entered the PIN (it's me!) and answered date of birth (easy to find somewhere, for sure) and the overdraft facility in my account (not so easy to find now). Then the next questions were:

- what's the original amount of your home loan (something I signed ten years ago and they wanted it to the cents!)
- when was the last date/time you logged into the internet banking system?

Seriously? Are those two "security questions"? I own the account and I have a vague idea of the first one, and absolutely no idea of the second one.

So whatever you do, stay away from ANZ.


That's interesting because I also use ANZ, and during the recent Vodafone text fiasco, I had to contact them to switch off the 2FA until it was fixed just so I could access my accounts. All of those questions were the same, and I also failed :-) .

I asked the nice lady how they expected me to remember a 20+ year old mortgage value ( which wasn't a nice round number - due to repayment insurance and fees ). She said the questions were randomly selected from a set they had. I got the impression from her tone that failure was common, and she was half-expecting an angry response.  I decided to wait for Vodafone to fix the problem. 

Sounds like their procedure might need updating/expanding, and they definitely need to sort out a superior means of telephone security identification. All of the money that ANZ makes should enable them to provide rational means of checking the person calling.

1267 posts

Uber Geek
+1 received by user: 179

Trusted

  # 978906 2-Feb-2014 14:33

This is something I've been thinking about after reading the @N twitter handle story.
I've been using 1Password app on iOS to store all my usernames and passwords. I have over 50 usernames/passwords saved for various accounts, there's just no way I can remember usernames, let alone passwords for all these accounts.
My password for the 1Password app is pretty strong, 10 digits, alpha+ numbers+ cases etc.
I've been considering using the integrated "random" password generator to make new passwords for my domain name and google apps administrator account etc.
I am also guilty of using the same passwords over multiple accounts, but I periodically invent a new strong one, and demote the old ones down to less important accounts. Thus I know anything involving money always has my newest password.

Cheers,
Joseph

2355 posts

Uber Geek
+1 received by user: 413

Trusted
Subscriber

  # 978910 2-Feb-2014 15:00

I've just enabled the two factor auth on both my gmail accounts, only took around 30 minutes to get all my devices re-authed, but I feel better after reading that @N story... poor guy.

I also do at least yearly password changes on my social networking and banking passwords, using silly riddles no one else could know so that I can remember them easily without needing to write them down anywhere, not even in a password manager.

I suspect I'm most vulnerable to those horrible 'lost my password' questions some sites enforce.

1267 posts

Uber Geek
+1 received by user: 179

Trusted

  # 978938 2-Feb-2014 16:10
One person supports this post

insane:
I suspect I'm most vulnerable to those horrible 'lost my password' questions some sites enforce.


This. Why can't I provide my own questions? My mother's maiden name, my primary school etc. could all be obtained or guessed. Let me provide my own question that no one will be able to guess!

916 posts

Ultimate Geek
+1 received by user: 53

Trusted

  # 979201 3-Feb-2014 09:15

freitasm: Nothing preventing you entering a WRONG answer when setting up the account. This will put anyone off the track.


I HAD to when asked my mother's birth place - four letters (Gore) was too short! Actually, I may have put down "New Zealand" as the answer. I can't remember. So I may be in trouble if I ever need to use it.

I think this was some third party password manager for an academic network that also integrated with Live ID.

12972 posts

Uber Geek
+1 received by user: 4342

Trusted
Lifetime subscriber

  # 979207 3-Feb-2014 09:19

josephhinvest:
insane:
I suspect I'm most vulnerable to those horrible 'lost my password' questions some sites enforce.


This. Why can't I provide my own questions? My mother's maiden name, my primary school etc. could all be obtained or guessed. Let me provide my own question that no one will be able to guess!


True. I suppose that since I did not go to school here in NZ and neither have my parents ever been here, it would at least be a challenge for someone in my case. I can see it might be easier for locals.

I watched a program (from the BBC science/technology magazine series Horizon) about computer security recently. It was interesting. It explained in relatively straightforward terms how most internet security works mainly because the computing power required to calculate the factors in semi-prime numbers is so huge (the largest semi-prime so far generated had over 17 million numbers making it up!) that by the time it succeeded you'd be dead and the accounts deleted!

It then went on to show how quantum computing could crack the calculation in what amounted to seconds by comparison and that the eventual wide propagation of quantum computing would necessitate a different way of securing internet accounts etc. The program went on to explain quantum cryptography, which had really only one flaw - that a human being could be tortured or bribed or coerced into revealing a password, thus defeating it easily.

They were trying methods where they used a memory game to teach your subconscious a password that you could never be forced to reveal because you were not consciously aware of it at all!




