Also, don't have your life savings in crypto, but if you must, then please for the love of everything holy don't put it someplace where a SIM swap attack is enough to get it out. Irreversible transactions are kind of the whole point of it, so you need to be much more careful with crypto credentials than, say, your bank password or credit card.
Hey Chase, when will offline TOTP be added for a more secure login?
Thank you for reaching out! What we have is the multi-factor authentication on all online accounts. You can visit https://tinyurl.com/y7r2fztd for more info on how we protect and secure your information. ^AA
No matter how precisely I describe the problem, I get copy paste or poorly thought out response. That's why I like smaller businesses, where there's still a connection between doers and support people, or where the doers are the support people.
I'm waiting for the days our banks will accept multiple 2FA solutions.
The only solution is not using the phone. The phone reached its limit. It's not a trustworthy communication method.
Just as a sidenote, the problem isn't that the transactions are irreversible, they're also irreversible for banks. You never reverse the actual transaction, you just create another transaction in the opposite direction. Sometimes banks accidentally sent money to the wrong (foreign) bank and kissed them goodbye. The other bank had no obligation to send it back and if the 2 don't have a relationship and don't plan on having one it's free money for the recipient.
The difference with crypto is that you're basically dealing with "untrustworthy" parties since there's no central trustworthy authority over the whole network. The advantage is that nobody can control the network. The disadvantage is that you have no leverage over the receiving party.
It's like a private individual ad-hoc lending money to a friend vs. lending money to a total stranger. There's probably no legal obligation to return it but friends most likely will.
Exactly. Cryptocurrencies, in my view, are meant to be an intermediary currency. Keeping a lot of it is just too risky.
Tech nerds seem to like cryptocurrencies because it's a cool and fancy gadget, but the reality is that normal banks are more secure. If your money gets stolen, banks can trace it, cancel transactions, and there are insurances in place to recover your money. Governments are involved in bank security.
Currencies are not trivial things. Only libertarians and anti-government, anti-federal-reserve people will actually prefer cryptocurrencies to their own risk.
I get that the AT&T employee is guilty, but the victim was asking for it.
Of course the victim could probably have protected his "life savings" better, but that's not the point.
Also insurance doesn't always hold up in cases like this, especially if the company was aware of the weakness and chose to do nothing about it.
This breaks down for internet giants which provide free services which can still be very valuable, like gmail, and that’s why they are moving away from it.
Ideally it wouldn't be possible for a single employee to do this.
I mean this is a bank, are these guys for real?
Currently working on finishing moving passwords from a Google account to my password manager and resetting them all, as well as replacing anything that uses an SMS 2FA with a time based authenticator or other alternative where possible. Planning on getting a FIDO key to use where I can. Also setting up a Voice number on an account that's used for nothing else besides 2FA in the instances where there is no better form of authentication.
Edit: for whatever it's worth, AT&T does keep a record of what employees accessed an account and when, and notes when managers bypass the PIN, so doing this as an employee seems really stupid to me.
Google at least seems to have this right, in that when they attempted to do the same with those, the notification was still there. I also received a separate "request to reset account password" which stated it would take like 15 days to occur, and I was given the option to cancel it.
Regardless, I think I'm going to try to go hardware key with a TOTP app backup for 2FA going forward, wherever possible.
We’ve collectively given up our rights to sue in many instances (including when signing up for HN-backed services run by people who should know better).
>Roughly two-thirds of consumers contesting credit card fraud, fees or costly loans received no monetary awards in arbitration, according to The Times’s data.
1. This excludes non-monetary awards
2. The categories are cherry picked and they give us no data on arbitrations overall
And even under those conditions they show a third of consumers win something, which is hardly a unilateral loss. And of course it's impossible to know how many of those cases were frivolous, and they didn't bother to compare to small claims court and see how consumers fare there.
Anyway it's not relevant to this case, because he's not suing for one of those categories, plus he presumably has a lawyer (lots of arbitrations are done without lawyers and I'd bet that they have lower success rates).
For 2015, it shows the majority of cases settle, about 3k out of 5k. Out of the remaining, more than half get some kind of award. But reporting this data goes against the NYTimes narrative so they cherry picked.
I can dig through the data in a bit: they have the info under "source of authority", which will say whether it was in the contract or agreed upon later.
Suppose you lose all your physical keys: I don't think you can social engineer hack Coinbase (pretty sure most companies won't allow people to just give away your password/send a reset email to some other email).
Or suppose you get them to send me an email to reset my password. But my email also has FIDO u2f! And I know as a fact you can't social hack my email provider.
The Google Authenticator app on iOS doesn't back up its keys, so it's pretty common for people to lose access to those keys.
Which keys is it supposed to backup?
Everything else you said is sadly true.
Under the hood Google Authenticator uses keys to generate the codes you see on screen and these keys are not backed up.
It’s a difficult decision of course. If you back them up in iCloud Apple and people who hack your Apple account have access. If you don’t the keys are lost if the device breaks or is lost and you need a workaround.
Edit: oh you wanted to restore on the same device. Well that might work but it doesn’t help when migrating or if your phone is not available.
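As an added illustration of the point above (example code written for this thread, not from any commenter, Google, or Apple): the codes an authenticator app shows are just HMAC-SHA1 over the current 30-second time step, keyed by a seed the app received once from the enrollment QR code. The seed is the whole credential, so a device restore only helps if the seed itself was saved; the hardcoded seed below is the RFC 4226/6238 test-vector secret used as constructed sample input, and the function and constant names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the 20-byte RFC 4226/6238 test-vector secret, shown
# raw and as the base32 string an otpauth:// enrollment QR code would carry.
DEMO_SEED = b"12345678901234567890"
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time step."""
    return hotp(seed, at_time // step, digits)


def seed_from_base32(text: str) -> bytes:
    """Decode the base32 seed that an enrollment QR code / otpauth URI carries."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def verify(seed: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock skew.
    Uses a constant-time comparison so timing does not leak digit matches."""
    counter = at_time // 30
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return True
    return False


def codes_on_two_devices(seed_b32: str, at_time: int) -> tuple:
    """A phone enrolled from the original QR code and a second phone set up
    later from a saved copy of the same base32 seed produce identical codes.
    Without that saved seed, a replacement phone can generate nothing."""
    original_phone = seed_from_base32(seed_b32)
    replacement_phone = seed_from_base32(seed_b32)  # restored from the backup copy
    return totp(original_phone, at_time), totp(replacement_phone, at_time)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SEED, now))
    print("RFC 6238 vector T=59:", totp(DEMO_SEED, 59, digits=8))  # 94287082
    print("two devices agree:", codes_on_two_devices(DEMO_SEED_B32, now))
```

The trade-off in the comment above shows up directly here: whatever holds `DEMO_SEED_B32` (a cloud backup, a printed copy, a second authenticator app) can mint valid codes, so the backup is exactly as sensitive as the phone it protects against losing.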
It’s not so much a problem as it is a balance of security, redundancy, and effort. You decide where you want to be on that balance of considerations.
Yeah, good luck.
I don't know of any system that lets me enroll 3 security keys for an account.
Then also setup TOTP, so if you lose both keys and have a working cell phone with the app installed you can still login.
Some websites allow TOTP which is still safer than SMS, but if I lose one, I'll get another one while I use the 2nd.
This seems really easy to steal.
> one at home
Most people I know have been burgled too.
Not your keys, not your coins.
And AT&T is the industry leader.
I’m still wondering why I can’t use Touch ID to do U2F...
Translation: "All telcos are equally bad at this, so who are you going to switch to? So why should we bother fixing it? What's in it for us?"
Especially if you’re going around with that much crypto always always remember:
Always store in cold storage and set aside some for trading if you want. And if you're trading, always use FIDO U2F physical keys.
> It essentially destroyed our financial future, our entire life savings was stolen
Who keeps their entire life savings in crypto?
At the end of the day you have to look at it from a bigger picture. Since the next halving is happening in a year, prices will most likely go up (speculation).
To step out of the regulated financial system is to open oneself up to these liabilities with little recourse.
That is not to say that telecom companies should not fix this. They absolutely should.
PINs obviously have other issues that make no sense, like the incredibly low complexity allowed that would never be acceptable for a password. But even aside from that I guess AT&T also want everyone to turn their PIN off? I hope they do lose a lawsuit and actually have to start giving a shit about PIN swapping and make things more secure by default.
One time there was something wrong on their end and no one could do anything until the system to verify my PIN was back up.
i.e. can a supervisor override lack of a PIN?