50m Facebook accounts attacked/breached

So what did you do before facebook?

It was awful.

e.g. Yesterday with one of my bands there were 6 conversations going on with 6 members. How do we do that without Facebook (or WhatsApp etc.)? And don't say ring each other up or text each other, because it would take infinitely longer to get everybody's views/ideas and then all the minor alterations.

I run a very useful page with nearly 5000 members and rising.
It depends on Landlords and artists adding to that page so that punters know what's on. In the old days we had The Sentinel but nobody buys it any more.
There is a web page that artists/punters/landlords can add to but nobody uses it because nearly 5000 people would rather get the info off Facebook.

Go on, I asked this question before, if you know of a better way tell me.

Facebook is a Godsend
 
It would not address the social problems created by Facebook, but on the advertising front, why does google#, or someone, not produce a licensed FB-type product with no harvesting potential, and escape the 'free, you're the product' paradigm?
With Windows 10 too, we see the impact on product quality of producing a free product.

People pay enough for a monthly phone contract that a 50p/% addition to pay for this product would not be untoward, licensed to that SIM card.

Otherwise, for harvested data, its use in a recently publicised Chinese-type social ranking 'status' will soon rear its head.

Not sure how you ensure you are immune to harvesting, in the example above, if you are associated with bands/music/pubs that would raise alarm bells for health insurance/loan companies?


(# albeit Google's "no evil" strategy was further eroded by the automatic login of the latest Chrome - if you still use it)
 
I knew it was just another charade to collect data, the fact that it CAN provide a layer of security is just a consequence of the data collection.

Also, 2FA via SMS is actually a security hole; it simply opens up an attack vector.

Yeah, SMS for 2FA is a joke. It's maybe OK if it "cannot" be used for account recovery, but if it can be used for account recovery, stay away from it. So basically an extra step to log in but nothing else.
 
Aye, many people still have no idea what other social networking products Facebook owns.

'Oh, you hate Facebook, but you can't live without WhatsApp or Instagram.'

Muppets.
Each serves a purpose; you either use it or not, but if you give your life and soul to the networks, then don't be surprised when it bites you back.
 
WhatsApp, sadly, I have to use due to family and friends using it, but where possible I use Telegram instead. I've no doubt data is being harvested from it; Facebook cannot be trusted at all.

My phone also has issues with SMS for an undetermined reason, adding more burden to WhatsApp as a result.
 
In terms of breached accounts, the fine today and the Tesco Bank weakness seemed more concerning -

Has anyone looked for more details?
....
Tesco Bank's method of access for customers is "weak for this type of system", according to Mann. "Username is your email by default, and you only need digits from a numeric PIN. By requiring limited digits from the PIN on login, they make it virtually impossible to hash (encrypt) the PINs they have stored. This means a compromise of their customer database will reveal all logins and passwords to the attacker."

The losses are insured, but should I only be engaging with a bank if it has a 2FA app?

(Santander I use + those silly Barclays ads ... they still use PINs)
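The point in the quoted Mann passage above is worth seeing in code: a login that asks for only some digits of a PIN cannot be checked against a one-way hash of the whole PIN, so the server has to keep something equivalent to the PIN itself. The following is an added example, not code from the thread and not anything Tesco Bank or any other bank runs. It assumes a constructed 6-digit PIN, a 3-position challenge, PBKDF2 as the slow hash, and constructed account data; it contrasts full-secret verification (one salted hash), partial-digit verification (PIN kept recoverable), and the "hash every subset" compromise, and shows the keyspace sizes behind the PIN-versus-password comparison made later in the thread.

```python
"""
Added example (not from the forum thread): why a partial-digit PIN login
cannot be backed by a one-way hash of the whole PIN, and how little a
per-subset hash protects. All account data below is constructed.
"""
import hashlib
import hmac
import itertools
import os

PIN_LENGTH = 6        # constructed: length of the customer PIN
CHALLENGE_SIZE = 3    # constructed: number of digit positions asked for at login
ITERATIONS = 100_000  # constructed PBKDF2 work factor


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length over the alphabet."""
    return alphabet_size ** length


# --- design A: ask for the whole PIN, store one salted slow hash ----------
def make_full_record(pin: str) -> dict:
    """Server stores salt + PBKDF2 hash only; the PIN itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_full(record: dict, pin: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


# --- design B: ask for a few positions, keep the PIN recoverable ----------
def make_partial_record(pin: str) -> dict:
    """To answer 'digits 2, 4 and 5?' for any positions, the server needs the
    digits themselves. Whatever wrapping is used, a database compromise that
    includes the wrapping key hands over every PIN in the clear."""
    return {"pin": pin}


def verify_partial(record: dict, positions: tuple, digits: str) -> bool:
    expected = "".join(record["pin"][p] for p in positions)
    return hmac.compare_digest(expected, digits)


# --- design C: hash every possible subset of positions separately ---------
def make_subset_record(pin: str) -> dict:
    """One salted hash per C(PIN_LENGTH, CHALLENGE_SIZE) position subset.
    Each hash guards only 10**CHALLENGE_SIZE candidate answers, so a dump is
    barely better protected than design B."""
    salt = os.urandom(16)
    hashes = {}
    for positions in itertools.combinations(range(PIN_LENGTH), CHALLENGE_SIZE):
        answer = "".join(pin[p] for p in positions)
        hashes[positions] = hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, ITERATIONS)
    return {"salt": salt, "hashes": hashes}


def verify_subset(record: dict, positions: tuple, digits: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", digits.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hashes"][positions])


def guesses_per_stored_hash(design: str) -> int:
    """Worst-case number of candidates an offline attacker with a database
    dump must hash to reverse ONE stored value under each design."""
    if design == "full":
        return keyspace(10, PIN_LENGTH)       # 1,000,000 slow hashes per customer
    if design == "subset":
        return keyspace(10, CHALLENGE_SIZE)   # 1,000 per subset hash
    if design == "partial":
        return 0                              # nothing to guess: stored in clear
    raise ValueError(design)


if __name__ == "__main__":
    pin = "493027"  # constructed
    print("4-digit PIN keyspace:        ", keyspace(10, 4))
    print("8-char mixed alnum keyspace: ", keyspace(62, 8))
    full = make_full_record(pin)
    print("full PIN verifies:", verify_full(full, pin), "| PIN in record:", "pin" in full)
    partial = make_partial_record(pin)
    print("partial verifies:", verify_partial(partial, (1, 3, 4), "902"),
          "| PIN in record:", "pin" in partial)
    subset = make_subset_record(pin)
    print("subset hashes stored:", len(subset["hashes"]),
          "| guesses per hash:", guesses_per_stored_hash("subset"))
```

Design A is the only one where a stolen table still costs an attacker a full 10^6-candidate search per customer through a slow hash; design B stores the secret outright, and design C only appears to hash it, since each of its 20 stored values answers to at most 1,000 candidates. That is the gap behind "virtually impossible to hash" in the quote.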
 
WhatsApp, sadly, I have to use due to family and friends using it, but where possible I use Telegram instead. I've no doubt data is being harvested from it; Facebook cannot be trusted at all.

My phone also has issues with SMS for an undetermined reason, adding more burden to WhatsApp as a result.

I can tell you now, you cannot trust Telegram either. It is allowed to operate by the Russian government. That speaks for itself. Just the same as WeChat is allowed to operate by the Chinese govt...

If I could, I would have all my friends and family use Signal. Oh well.
 
Personally I have more trust in Telegram; to assume anything trusted or developed by Russians is automatically untrustworthy feels like accepting British propaganda. Most of the best security software is written by Germans or Eastern Europeans.

On to the subject of passwords.

Some experts are finally speaking out that password policies need to be user friendly to be effective.

By user friendly, the following:

Do not block autocomplete.
Do not block password managers.
Do not enforce changing of passwords unless actually compromised.
Do not block copy and paste.

The reason being, if you force your users to manually type in a password, it's much more likely they will use an easy-to-remember short password, and also more likely they will use the same password on multiple services.

Password managers should require some form of authentication to unlock.
2FA systems ideally need a form of authentication as well. Authy FTW over Google Authenticator.

PINs in place of passwords, I agree, is a big downgrade: compare, say, an 8-character alphanumeric mixed-case password to a 4-digit PIN; the number of possible combinations is drastically reduced. PINs, I believe, got introduced because service providers are obsessed with the idea of the end user having to enter their password on every access (no persistence), and to compensate for the inconvenience they came up with PIN systems, which are much quicker to type in, especially on phones.

I think persistent logins are fine on non-shared home PCs and laptops. Phones, which are considerably easier to steal and lose, perhaps not so much, but I do feel phones should at least have some semi-persistence that is utilised when on a Wi-Fi network but disabled when on mobile data; the persistence would also get reset if the WAP changes.

An issue with 2FA that has no authentication in front of it is what happens if, e.g., Tesco Bank implements Google Authenticator and Google Authenticator is on the stolen phone. The only protection is if the thief has no clue what it is, so cannot work out how to use it; otherwise they need merely open the app to get the key. What I do here is I only use internet banking on my PC, never from my phone. That means the 2FA device and the device used to access the banking are not the same device.

Authy can remotely disable devices' access to keys, and can also be protected locally by a PIN to use; a PIN is short, but it's better than Google Authenticator, which has no protection on opening the app. SMS for 2FA is better than no 2FA, providing the 2FA cannot be used for account recovery.