
20 Hours, $18, and 11M Passwords Cracked - smooke
https://hackernoon.com/20-hours-18-and-11-million-passwords-cracked-c4513f61fdb1
======
dredmorbius
The article notes that many organisations don't offer 2FA. Even dismissing the
issues of most 2FA mechanisms -- reliance on mobile or landline account
integrity is exceptionally poor thinking these days, similarly email
providers[0] -- the option often simply _is not available_.

A particularly pathological case is banking and financial institutions. After
helping an elderly, cognitively-impaired, and frankly combative and
denial-tending relative[1] with OS and browser upgrades, including restoring a
whole host of privacy and security tools and extensions,[2] we then had to walk
through numerous bill-pay and financial sites.

One large brokerage firm actually did offer Google-esque voice-based numeric
one-time-code callbacks, to a voice line, and I give them kudos for this. It's
not perfect, but it exceeds industry norms by a huge factor. The bank, a large
national institution, does not, and it took a half-dozen or more rephrasings
of the question "do you offer two-factor authentication" to even get a clear
"no". I was told, a week ago, that someone would call to follow up.

No one has.

Brian Krebs has an excellent, if depressing, 2018 exploration of banking
security, "What Is Your Bank’s Security Banking On?".[3] Sadly, the industry
is dominated by a small handful of banking platform providers. Four -- Fiserv,
Jack Henry, FIS, and CSI -- serve over 80% of the market. Bank regulators,
responding to Krebs, said that "small to mid-sized banks are massively
beholden to their platform providers, and many banks simply accept the
defaults instead of pushing for stronger alternatives."

This is not a good situation.

Digging further into the matter, I turned up a set of publications by Experian
-- the credit rating agency which hasn't been breached ... yet -- on risk and
fraud, including credential compromise.[4] One of these mentions in passing
that the _typical_ person has "about 100" service-based accounts.[5] That's
not all that far off the count of 700 accounts HN users have reported
having.[6]

 _The very notion of account-based services is rapidly becoming untenable,
even absent password security._

I mean, yes, let's make passwords obsolete (I'm a fan of very-near-field token
devices, such as NFCRing[7]). But centralising services, especially data
services, only makes things worse from an all-the-eggs-in-one-basket
perspective. So more importantly, let's kill accounts in favour of both
stateless interactions, and reasonably self-hosted-and-managed -- and yes,
that means self-hostable and self-manageable, including by elderly and
impaired people -- systems.

That's a high bar, and flies in the face of the past 15 years'
surveillance-capitalism business models. But accounting and risk rule changes
recognising that data are in fact a liability might help get us there.

________________________________

Notes:

0. See Matthew Miller's SIM swap horror story,
https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/
https://news.ycombinator.com/item?id=20203482

1. Seeing up close not only the general bewilderment and lack of faculty of
ordinary citizens in dealing with technology, but the declines imposed by age
and illness, as well as the personal and psychological difficulties of fraught
interpersonal and family relationships (also affected by age and illness, both
physical and mental), is sobering. This is a large submarine risk brewing.

2. OpenWRT's AdBlock on the router
(https://openwrt.org/packages/pkgdata/adblock),
as well as OpenWRT's basic firewalling, OSX 10.14, Firefox, latest updates.
Extensions are uBlock Origin, uMatrix (which I must specifically tune for
specific sites -- it's powerful but fiddly), Self-Destructing Cookies (also
requiring per-site configuration), Privacy Badger, and Ghostery.

3. https://krebsonsecurity.com/2018/03/what-is-your-banks-security-banking-on/
(https://news.ycombinator.com/item?id=16534820)

4. Stealthily hidden around Experian's website, though this search presently
lists several of the better ones:
https://www.experian.com/innovation/thought-leadership/fraud-prevention-cybersecurity-and-identity-proofing
(https://web.archive.org/web/*/https://www.experian.com/innovation/thought-leadership/fraud-prevention-cybersecurity-and-identity-proofing)

5. "Upcoming fraud trends and how to combat them: Ebook"
https://www.experian.com/innovation/thought-leadership/upcoming-fraud-trends-ebook.jsp

6. packet_nerd reports that here, though I recall an earlier mention as well:
https://news.ycombinator.com/item?id=19488899

7. See https://nfcring.com. For numerous reasons, a
non-insertion-based, replaceable, repudiable, physical token strikes me as
among the best possible options. YubiKey is a close approximation, but not
quite there yet.

