It would be great if online services showed a clear matrix of authentication methods so you can see which combinations are sufficient and necessary to access your account. Simply adding a 2nd factor is a bad idea because it means if you lose either one, you're locked out of your account, so you also need a 3rd factor to protect you from yourself. I personally have 4 factors for my gmail account - regular SMS 2FA, a friend's phone number for password recovery and paper backup codes. This way, I can lose almost any two factors and still have access. If I forget my password and also lose access to my friend's phone for password recovery, then perhaps I'll be in trouble but Google doesn't make it clear if they'll let you in using only your backup codes and 2nd factor phone number.
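An added example, not part of the thread, that models the "matrix of authentication methods" the comment above asks for and checks both sides of it: which factor losses lock the owner out, and which single factor sits on the most access paths. The policy, factor names and recovery paths are constructed assumptions, not any provider's actual rules.

```python
from itertools import combinations

# Constructed, hypothetical policy modelled on the comment above: each inner set
# is one combination of factors that is sufficient to get into the account.
FACTORS = ["password", "sms_phone", "backup_codes", "friend_phone"]
POLICY = [
    {"password", "sms_phone"},        # normal login: password + SMS code
    {"password", "backup_codes"},     # normal login: password + printed code
    {"sms_phone", "backup_codes"},    # assumed: recovery flow without the password
    {"friend_phone", "sms_phone"},    # assumed: reset via friend's phone, then 2FA
]


def can_access(held, policy=POLICY):
    """True if the factors in `held` satisfy at least one sufficient combination."""
    return any(combo <= set(held) for combo in policy)


def lockouts(factors=FACTORS, policy=POLICY, max_lost=2):
    """Owner's view: which sets of up to `max_lost` lost factors lock them out?"""
    out = []
    for k in range(1, max_lost + 1):
        for lost in combinations(factors, k):
            if not can_access(set(factors) - set(lost), policy):
                out.append(frozenset(lost))
    return out


def exposure(factors=FACTORS, policy=POLICY):
    """Defender's view: for each factor, how many sufficient combinations contain it.
    A high count marks a factor whose compromise opens many paths into the account."""
    return {f: sum(1 for combo in policy if f in combo) for f in factors}


def min_factors_for_access(policy=POLICY):
    """Smallest number of factors that suffice to enter; the floor on what must stay safe."""
    return min(len(combo) for combo in policy)


if __name__ == "__main__":
    print("locked out after losing:", [sorted(s) for s in lockouts()])
    print("combinations per factor:", exposure())
    print("minimum factors needed:", min_factors_for_access())
```

With this constructed policy, losing any one factor is survivable and only two of the six two-factor losses lock the owner out, but the SMS phone appears in three of the four sufficient combinations, which is exactly why adding recovery paths for availability also concentrates risk on one factor.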
That story got him quite significant press at the time, I found thousands of deviations of the original Bloomberg story - people LOVE the "darwin award" story category.
I was going to crack a joke about this being a Paul Graham submarine strategy (2) but it's just too sad and I believe him, 2FA is a mess.
(1) https://www.bloomberg.com/news/articles/2013-04-10/meet-the-...
(2) http://paulgraham.com/submarine.html
The apps are actually more secure.
> But 2FA via SMS is ubiquitous because of its ease of use. “Not everyone is running around with a smartphone. Some people still have dumb phones,” says Android security researcher Jon Sawyer. “If Google cut off 2FA via SMS, then everybody with a dumb phone would have no two-factor at all. So what’s worse — no two-factor or two-factor that is getting hacked?”
The thing is, SMS is worse than a reasonably good password. So it's a bit annoying that Google strongly encourages me to register my phone number with my gmail account for recovery.
And many services, including Google, make it difficult or impossible to enable TOTP without first registering a phone number. They really really push the SMS route. Brings up the average security level for the average person, I'm sure. Very annoying for me.
So (for me) it's a real PITA when places require a mobile phone number and there's no way to skip it. Obviously, can't use those services.
Does anyone know if Google Authenticator would run on a wifi iPad? As a potential workaround for the "no mobile network" situation.
http://www.coindesk.com/facebooks-ben-davenport-leaves-bitco...
Lloyds isn't getting involved unless they have an incredibly high degree of satisfaction in security processes; in fact they stripped Elliptic of their first ever "vault" insurance shortly after awarding it, claiming they didn't like the "publicity".
http://www.coindesk.com/lloyds-back-bitcoin-insurance-deal-e...
Get a mobile wallet like Mycelium. It's very simple, and you back up your wallet forever with a short string of words. You also retain control of your private keys.
I really do not condone ripping people off or hacking but I have to admire the tenacity of these hackers, nothing is out of bounds, every opportunity to steal or rip people off is a naked call option where only their time is the currency that can be lost with a failed heist.
It's the new bank robbers of our age, but without films or Hollywood glamourizing it (yet); the same bank robbers.
Crime does pay, but it's a shame smart talent is being used to destroy, not build. We can't point fingers at specific regions or countries with a depressed economy and expect them to find honest work - it may not exist there when government corruption has already robbed their citizens of the livelihood they were owed. This is not a justification for criminal action but a mere observation of the structural environment giving rise to such behaviours.
I don't see how to stop it though. For areas of the world with few economic opportunities, and little resources to chase you...the risk/reward profile is just too tempting.
But this is just fucked up and repulsive. It's sad how poverty can dehumanize people into doing inhuman things for money.
https://www.wired.com/2008/11/valve-tricked-h/
https://arstechnica.com/gaming/2016/06/what-drove-one-half-l... (better story)
I definitely won't be buying Half Life 3.
TIL Gabe Newell is actually very narrow-minded and not a nice guy. Hacking and leaking is also bad, but it's not clear that the action led to losses when Half Life 2 was a phenomenal success. It's the deceptive tactic of pretending to offer an olive branch and going back on your word. He should be fucking ashamed of himself.
If the amount is above say, $500 or so, it should be stored in something like a Trezor, where only you have the keys to access it.
This post [1] from Kraken covers how to protect yourself from this kind of attack. It's quite thorough. Interesting even if this isn't a concern for you directly.
1 - http://blog.kraken.com/post/153209105847/security-advisory-m...
A 40-step instruction "how to make your Google account secure" as proof of the sad state of internet security. No way my parents can do it.
I regularly get aggravated about the sensitivity of my bank's fraud screening. I have to call them constantly just to spend my money. But, I am at least reassured about how difficult it is to siphon money from the account.
The Windows 10 experience
But Macs work similarly IIRC; if someone has access to your iCloud account, they own your machine as well.
I think this is more of a comment on the cloud-centric-everything-must-live-in-the-cloud-now mentality than anything else.
But there's good reason these OSes tie local logins to online accounts. The average user is more likely to get frustrated forgetting or not understanding why their email password is not their login password, than the (comparatively) rare scenario that someone will compromise the one-account-to-rule-them-all and wreck all their data. My grandmother confuses her Gmail login with every other online account because they all use the email address as a username.
Also, I'm continually amazed how little normal people care about the data on their computers. I still have all my files from when I was 5 years old on my main machine, but most people only care about bringing over whatever they're currently working on when they get a new machine.
If you want to store Bitcoin, use (in order of preference) a reasonably secure computer (not an obviously poorly secured Windows machine), a secure cell phone (not a $50 backdoored Chinese Android phone), or a hardware wallet. Don't use cloud services, web wallets, or anything else that very obviously sucks from a security perspective.
I would be more than willing to trust, say, $50,000 in Bitcoin to an iPhone with a good passcode, running an SPV wallet. Above that and you probably ought to put in the modest investment for a hardware solution.
Is this being reported correctly? This sounds completely nuts.
http://blog.ikura.co/posts/dear-mainstream-media.html
Shame he didn't keep them in an exchange. Oh wait...
I always thought had I got in early in bitcoin I'd plan to sell off in tranches at $1, $10, $100 value etc. Then at least when the coins get stolen or worthless I'd have something to show for it.
My prediction: Bitcoin will become worthless in the long term once the crypto is cracked by mathematics, a backdoor or quantum computing
It places users in the position of either having to provide their own bank-level security, or to leave their bitcoin with a BTC bank (the exchanges). The latter has had a few issues.
It refers to the fact that people get rich from bitcoin if they don't fall off their bull by:
Losing their coins e.g. forgetting a password, throwing away a laptop.
Having their coins hacked from their computer by a Trojan or the mentioned attack.
An exchange loses them or shuts down.
Due to greed, you wait it out and bitcoin plummets to zero.
Due to greed, you day trade your stash into the ground.
Due to fear, you sold your 1000 BTC at $10 each back in the day.
Etc.
Great system.