Geekzone: technology news, blogs, forums
6357 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

# 139248 2-Feb-2014 10:41

Read these first:

How Apple and Amazon Security Flaws Led to My Epic Hacking
How I Lost My $50,000 Twitter Username

What tips/tricks do you use to protect what you have online?

3292 posts

Uber Geek

Trusted

  # 978813 2-Feb-2014 11:03

I'd be interested in this too...

I turn on two factor authentication when I can and backup backup backup - but really it seems a couple of the companies named in the stories are to blame - mainly the ones treating the last 4 digits of a credit card (looks like that happened in both cases?) as enough to verify identity - just seems mental!

6615 posts

Uber Geek
Inactive user


  # 978814 2-Feb-2014 11:05

I use mobile phone verification. Got my own personal domain for emails or I use gmail / hotmail. My domain is with outlook.com or windows live domains for email. Seems to be fine.

On the topic of domains:


Query Time/Date 11:07 2/2/2014
Domain Name tim.govt.nz
Status Available

Query Time/Date 11:08 2/2/2014
Domain Name k.iwi.nz
Status Available

BDFL - Memuneh
64219 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 978818 2-Feb-2014 11:13
One person supports this post

Use generic domains for service accounts - outlook.com and gmail.com... This way if someone hijacks your domain NS records they can't receive the password reset emails (as the GoDaddy hack allowed).

Use Two Factor Authentication wherever possible. Preferably with an app instead of SMS - it's not hard for someone to get a copy of your SIM if they apply enough social engineering.

Make sure the device with the 2FA app is password or PIN protected so it can't easily be accessed.

Store the recovery codes for the 2FA app in an encrypted file somewhere - but remember not to store it with a service that needs the 2FA for access (I have both Skydrive and Dropbox with 2FA, so it'd be stupid to store the recovery codes with these services as they would be inaccessible).

Use different passwords for each online service/account.

Use different prepaid credit cards for different accounts and change them when renewing accounts. Or use gift cards instead of credit cards.

Do not log in using public computers.

Do not answer calls with "I'm from your bank/card/shop, could you please answer some security questions to identify you?"... How can you identify the caller? Ask for a name and call the bank number you find online. Do not call a number they give you as they could just answer the phone and say it's your bank.

Do not open emails saying "We have charged your card for your eBay purchase, click here to login and authorise it" if you have not done anything on eBay (or any other company).

Do not answer calls with "We're from Microsoft and your computer has a virus, we're here to help."

Trust no one, Mr Mulder.







BDFL - Memuneh
64219 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 978823 2-Feb-2014 11:25

Whatever you do, don't bank with ANZ.

For some unknown reason (perhaps because my account was a National Bank before) it seems my password resets by itself every month or so. Last time I tried accessing my account (which I only do once a month) I reset my password online and as part of the process called the 0800 number to confirm the change.

Entered the PIN (it's me!) and answered date of birth (easy to find somewhere, for sure) and the overdraft facility in my account (not so easy to find now). Then the next questions were:

- what's the original amount of your home loan (something I signed ten years ago and they wanted it to the cents!)
- when was the last date/time you logged into the internet banking system?

Seriously? Are those two "security questions"? I own the account and I have a vague idea of the first one, and absolutely no idea of the second one.

What if I had to change password because someone hijacked my account and accessed it? Even if I had a log of every time I used the internet banking systems my answer would be wrong because I wouldn't know if someone else used it.

I had to go to a branch to reset my password.

I complained on Twitter about these two questions. ANZ was silent (yes, they only reply when you say good things about them) and I actually got berated by an ANZ employee who follows me with things like "We're protecting your account, I bet you don't even have a PIN" and saying it was my fault I didn't keep a record of every time I log into the internet banking.

So whatever you do, stay away from ANZ.




782 posts

Ultimate Geek


  # 978848 2-Feb-2014 11:51

RT the ANZ employee tweets (tag in ANZ) and let them deal with it.

6615 posts

Uber Geek
Inactive user


  # 978850 2-Feb-2014 11:59

Bank with ASB, has the best 2 factor authentication.

13064 posts

Uber Geek

Trusted
Lifetime subscriber

  # 978887 2-Feb-2014 13:25

nate: Read these first:

How Apple and Amazon Security Flaws Led to My Epic Hacking
How I Lost My $50,000 Twitter Username

What tips/tricks do you use to protect what you have online?


Go old school to keep track of passwords since you need so many these days and none of them should be the same. 

Write your passwords in a notebook and lock it in a fireproof safe.

Number the passwords but do not write what websites they refer to.

In an online document somewhere just store a list of websites with the corresponding numbers. Either document is useless to anyone on its own, and the likelihood of someone other than you possessing both is so low that if they are THAT good and THAT determined, you've got no chance anyway! They can't hack the password list because it does not exist in hackable form - they'd have to break and enter your home and be capable of opening your safe.

Unless you have billions, I suspect they'd just find an easier target.

3292 posts

Uber Geek

Trusted

  # 978889 2-Feb-2014 13:38
One person supports this post

Geektastic: 
Go old school to keep track of passwords since you need so many these days and none of them should be the same. 

Write your passwords in a notebook and lock it in a fireproof safe.

Number the passwords but do not write what websites they refer to.

In an online document somewhere just store a list of websites with the corresponding numbers. Either document is useless to anyone on its own, and the likelihood of someone other than you possessing both is so low that if they are THAT good and THAT determined, you've got no chance anyway! They can't hack the password list because it does not exist in hackable form - they'd have to break and enter your home and be capable of opening your safe.

Unless you have billions, I suspect they'd just find an easier target.


None of this will help if the attacker is using social engineering to just get the companies involved to give information over the phone\set PINs\reset passwords\etc with minimal verification of identity.

77 posts

Master Geek


  # 978895 2-Feb-2014 13:50
One person supports this post

freitasm: Whatever you do, don't bank with ANZ.

...I reset my password online and as part of the process called the 0800 number to confirm the change.

Entered the PIN (it's me!) and answered date of birth (easy to find somewhere, for sure) and the overdraft facility in my account (not so easy to find now). Then the next questions were:

- what's the original amount of your home loan (something I signed ten years ago and they wanted it to the cents!)
- when was the last date/time you logged into the internet banking system?

Seriously? Are those two "security questions"? I own the account and I have a vague idea of the first one, and absolutely no idea of the second one.

So whatever you do, stay away from ANZ.


That's interesting because I also use ANZ, and during the recent Vodafone text fiasco, I had to contact them to switch off the 2FA until it was fixed just so I could access my accounts. All of those questions were the same, and I also failed :-) .

I asked the nice lady how they expected me to remember a 20+ year old mortgage value ( which wasn't a nice round number - due to repayment insurance and fees ). She said the questions were randomly selected from a set they had. I got the impression from her tone that failure was common, and she was half-expecting an angry response.  I decided to wait for Vodafone to fix the problem. 

Sounds like their procedure might need updating/expanding, and they definitely need to sort out a superior means of telephone security identification. All of the money that ANZ makes should enable them to provide rational means of checking the person calling.

1272 posts

Uber Geek

Trusted

  # 978906 2-Feb-2014 14:33

This is something I've been thinking about after reading the @N twitter handle story.
I've been using 1Password app on iOS to store all my usernames and passwords. I have over 50 usernames/passwords saved for various accounts, there's just no way I can remember usernames, let alone passwords for all these accounts.
My password for the 1Password app is pretty strong, 10 digits, alpha + numbers + cases, etc.
I've been considering using the integrated "random" password generator to make new passwords for my domain name and google apps administrator account etc
I am also guilty of using the same passwords over multiple accounts, but I periodically invent a new strong one, and demote the old ones down to less important accounts. Thus I know anything involving money always has my newest password.

Cheers,
Joseph

2364 posts

Uber Geek

Trusted
Subscriber

  # 978910 2-Feb-2014 15:00

I've just enabled the two factor auth on both my gmail accounts, only took around 30 minutes to get all my devices re-authed, but I feel better after reading that @N story... poor guy.

I also do at least yearly password changes on my social networking and banking passwords, using silly riddles no one else could know so that I can remember them easily without needing to write them down anywhere, not even in a password manager.

I suspect I'm most vulnerable to those horrible 'lost my password' questions some sites enforce.

1272 posts

Uber Geek

Trusted

  # 978938 2-Feb-2014 16:10
One person supports this post

insane:
I suspect I'm most vulnerable to those horrible 'lost my password' questions some sites enforce.


This. Why can't I provide my own questions? My mother's maiden name, my primary school etc could all be obtained or guessed. Let me provide my own question that no one will be able to guess!

917 posts

Ultimate Geek

Trusted

  # 979201 3-Feb-2014 09:15

freitasm: Nothing preventing you entering a WRONG answer when setting up the account. This will put anyone out of the tracks.


I HAD to when asked my mother's birth place - four letters (Gore) was too short! Actually, I may have put down "New Zealand" as the answer. I can't remember. So I may be in trouble if I ever need to use it.

I think this was some third party password manager for an academic network that also integrated with Live ID.
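Two ideas from the thread fit together: let the password manager generate random passwords (josephhinvest's post above), and answer "security questions" with something made up (freitasm's quoted tip), which then has to be recorded somewhere such as that same manager. Treating every recovery answer as one more random secret removes the guessable-answer problem entirely. The block below is an added example, not code from the thread or from 1Password; the character classes, default lengths and the entropy estimate are this example's own choices.

```python
"""Random passwords and random security-question answers for a password manager.

Example code, not from the Geekzone thread and not 1Password's generator.
Character classes, lengths and the entropy estimate are this example's choices.
"""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # 24 symbols; trim if a site rejects some
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_password(length: int = 20, classes=ALL_CLASSES) -> str:
    """Random password from the OS CSPRNG (`secrets`), guaranteed to contain at
    least one character from every class in `classes`, which is what most site
    complexity rules demand."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]                 # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)                             # hide where the forced ones sit
    return "".join(chars)


def generate_answer(length: int = 16) -> str:
    """A security-question answer that is really just another random secret.
    Letters and digits only, because many answer fields reject symbols."""
    return generate_password(length, classes=(LOWER, UPPER, DIGITS))


def has_all_classes(password: str, classes=ALL_CLASSES) -> bool:
    """True if every class in `classes` contributes at least one character."""
    return all(any(ch in cls for ch in password) for cls in classes)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Forcing one character per class makes the real figure slightly lower,
    so treat this as an upper bound."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print("password:", pw, "classes ok:", has_all_classes(pw))
    print("answer for 'mother's maiden name':", generate_answer())
    # A 10-character mixed-case alphanumeric password (62 symbols) is about 59.5 bits;
    # 20 characters over all four classes here (86 symbols) is about 128.5 bits.
    print("10 alnum chars:", round(entropy_bits(10, 62), 1), "bits")
    print("20 chars, 4 classes:", round(entropy_bits(20, 86), 1), "bits")
```

Storing the generated answer next to the site's password in the manager means the recovery path is no weaker than the login path, and nothing about your school or your mother can be looked up to bypass it. The entropy figures are only as good as the randomness source, which is why the generator uses `secrets` rather than `random`.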




 

13064 posts

Uber Geek

Trusted
Lifetime subscriber

  # 979207 3-Feb-2014 09:19

josephhinvest:
insane:
I suspect I'm most vulnerable to those horrible 'lost my password' questions some sites enforce.


This. Why can't I provide my own questions? My mother's maiden name, my primary school etc could all be obtained or guessed. Let me provide my own question that no one will be able to guess!


True. I suppose that since I did not go to school here in NZ and neither have my parents ever been here, it would at least be a challenge for someone in my case. I can see it might be easier for locals.

I watched a program (from the BBC science/technology magazine series Horizon) about computer security recently. It was interesting. It explained in relatively straightforward terms how most internet security works mainly because the computing power required to calculate the factors in semi-prime numbers is so huge (the largest semi-prime so far generated had over 17 million numbers making it up!) that by the time it succeeded you'd be dead and the accounts deleted!

It then went on to show how quantum computing could crack the calculation in what amounted to seconds by comparison and that the eventual wide propagation of quantum computing would necessitate a different way of securing internet accounts etc. The program went on to explain quantum cryptographics which had really only one flaw - that a human being could be tortured or bribed or coerced into revealing a password thus defeating it easily.

They were trying methods where they used a memory game to teach your subconscious a password that you could never be forced to reveal because you were not consciously aware of it at all!




