Thread Author: No FM2R Replies: 20

 Risk... - No FM2R
....is a combination of assessing how likely something is to happen and how bad it will be if it does happen.

It's not likely, verging on the impossible, that any of your accounts, be it your bank account or your Facebook account will be hacked.

What happens is one of a few things:

1) Some account you don't care about much and share no personal data with, like a newsletter subscription or similar, is hacked.

Immediately if you have used that username/password combination elsewhere, then that account may be accessed, not hacked, through your lax awareness of security.

2) Your password is something ridiculous like 1234 or 'password' and will be easily guessed by an automated program.

You have lost that account through your lax awareness of security.

3) You are phished. Basically someone with some dumb a*** reason or excuse manages to get you to share your personal or account or login details. It'll be either fear (HMRC are after you) or greed (I am a Nigerian prince with a billion pounds I want to share).

And you, through your lax awareness of security, hand them over.

Fundamentally the core security risk is you.

Never use the same password twice
Never use a guessable password
Never share your password (or any other details).
Use all the security going (in particular two-factor).

I am reasonably sure that everybody here is aware and capable (If not, ask, I or someone else will help, and I'll get on the phone and talk you through it if you want) however those around you may not be so aware.

Everybody around me is aware, from my stubborn I-know-best wife through to my everything-will-be-fine-and-I-can't-be-a***d nieces.

You should make sure that both you and everybody around you is equally aware.

Of course, if you don't put the information out there then it can't be stolen. I remember in the early years of my work at Digital Equipment, the mantra was, "if you're not prepared to print it out and put it on the village noticeboard, then don't write it in the first place"

It may not be likely, but it can be a most terrible thing if it does happen.
 Risk... - Crankcase
I have to say a number of services (Amazon, Nest, Gmail) nag me to turn on 2 factor.

I think that means that every single time I use them it will send a code to my phone and I have to enter that as well as my password?

That being so, it doesn't really work for me as the phone signal here varies from nothing to one bar on tiptoe by the upstairs chimney sometimes.

It's bad enough when my banking app insists on sending me a code sometimes to proceed. A simple transaction can sometimes take all morning.

This signal issue is true so far with Three, Tesco, EE, Orange and Vodafone.

So I admit I've not done it. Have I misunderstood how it works?
 Risk... - No FM2R
>>I think that means that every single time I use them it will send a code to my phone and I have to enter that as well as my password?

No. Typically what it means is that every time you use a computer you have not used before, or a browser on your computer that you have not used before, then it will request a code.

If it is a browser/computer combination that you have used before then it does nothing.

>>So I admit I've not done it. Have I misunderstood how it works?

I think so, yes. I think you've also possibly misjudged just how much sticky stuff will hit the very large whirly thing in the event that it happens to you.
 Risk... - Crankcase
Ah, I really had got it wrong.

Ok, at the next nag I'll try it. Thanks. If it goes wrong I'll call you on my mobile. Oh, wait...
 Risk... - No FM2R
By the way, usually it does not send you a code, though some do. More often it relies on a code generated by an authentication app on your phone.

I have one authentication app which automatically maintains current codes for Facebook, GMail, Outlook, etc. etc. etc. Should a website ask me, then I open the app and choose the code next to that site.

I've been running two-factor for the longest time. And on my home computer/browser there is one app which asks me every 30 days. Everything else is by exception and if I had to guess I'd say every three months or so one site or other asks me.

Of course, if I change computers or reinstall my browser, then every damn app asks me at least for the first time. Seems a small price.
 Risk... - zippy
>> >>I think that means that every single time I use them it will send a
>> code to my phone and I have to enter that as well as my password?
>>
>> No. Typically what it means is that every time you use a computer you have
>> not used before, or a browser on your computer that you have not used before,
>> then it will request a code.
>>
>> If it is a browser/computer combination that you have used before then it does nothing.
>>

Every time I use a certain login for a particular financial service, even on the same PC and browser it sends a code to my phone to be entered.

Some services will send the code by email or by robotic voice to a landline so a mobile phone is not always required.
 Risk... - Manatee
>>Every time I use a certain login for a particular financial service, even on the same PC and browser it sends a code to my phone to be entered

Different when money is involved directly. Does it do that if you use the phone app, assuming there is one? I'm making a lot of largish payments online at the moment and I usually use my phone. The bank clearly knows the phone is the one registered and doesn't send me codes.

Not quite the same thing but I was using my PC yesterday to make a £2,000 payment to Germany using my Halifax credit card. It tripped the security and I had 3 SMSs. The first told me they would send me an SMS (which is a bit weird when you think about it), the second asked if it was really me who had tried to make the payment, to which I replied YES. The third told me to wait 10 minutes and do it again. I find this sort of thing quite reassuring.
 Risk... - tyrednemotional
Rejecting (suspicious) transactions is fine, as long as the service provider can cope with such a rejection.

Whilst organising a trip to Finland with the motorcaravan, my card was ostensibly rejected for a ferry booking via the English language section of a Finnish site for an Estonian ferry company. The booking was left "hanging" in an unknown state, and was not easily (actually, not at all) recoverable via the (buggy) English language section of the website. It can get quite tense trying to sort something like that out.

The situation was eventually recovered by reverting to the (bug-free) German language version, and subsequently a long technical discussion commenced by email with their customer services, when they eventually confirmed they had found a problem.
 Risk... - Manatee
>>I think that means that every single time I use them it will send a code to my phone and I have to enter that as well as my password?

In general no. Only if you log in from an unrecognised (new) device or otherwise trigger the security measures which might be unusual activity/location/changing password.
 Risk... - tyrednemotional

>>
>> So I admit I've not done it. Have I misunderstood how it works?
>>

It all depends on how it is implemented.

Two-factor authentication can work in a number of ways, but generally relies on checking "something you know", and "something you've got". (though there are little-used alternatives to the latter).

The "something you know" is generally password/pin, etc. The "something you have" might be quite varied.

Sending you a code to a known 'phone number is one way (subsequently entering the code proves you have the 'phone). As above, if the "signature" of your device can be captured (or possibly even IP address, though this is rather more risky) then a password entered from a known device might be considered enough (though, frankly, I don't consider it as safe as a one-time code, since the password might be auto-inserted by a browser).

I suspect a number of ex- and current IT people on here might well have been au fait with "tokens" that generated one-time codes for secure log-ins (proving you had the token).
 Risk... - No FM2R
>>(though, frankly, I don't consider it as safe as a one-time code, since the password might be auto-inserted by a browser

Quite right. But if someone either has access to my home computer / browser, or is able to emulate them, then I have bigger problems.

Also, that's just such an unlikely occurrence that I simply cannot be a***d to guard against it.

My bank accounts, possibly the one exception, require me to be holding a dongle which generates unique codes every 30 seconds and a different code must be entered for each transaction I try to process.
 Risk... - Crankcase
Well, as an experiment I just tried enabling it with the Nest app on my phone. It asked me for my Google password (fine), then sent a code to any phone number of my choice (though Google knows my phone number, but anyway).

Obviously no code arrived. I then did the upstairs chimney thing, and after a few worrying minutes a code did arrive. That was accepted. Closed Nest, relaunched it, all seemed well.

It's a start, thanks chaps.

As to the IT comment, believe it or not I was indeed an IT professional for decades, though not in security. Since retiring, use it or lose it has come into effect big time. These days, I tend to close my eyes, bang the keyboard with a banana and hope for the best. As is evident from my posts.
 Risk... - Duncan
Cranky said:-

>> Obviously no code arrived. I then did the upstairs chimney thing, and after a few
>> worrying minutes a code did arrive. That was accepted. Closed Nest, relaunched it, all seemed
>> well.

Sorry, but what is "the upstairs chimney thing"?
 Risk... - tyrednemotional
...you really don't want to know.....
 Risk... - Bromptonaut
>> Sorry, but what is "the upstairs chimney thing"?

What you have to do if you're in the sticks and the mobile signal is worse than spotty.

Nowadays the holiday cottage we prefer on Harris has broadband. Before that I found I could just get an OK signal tethered to my mobile provided I stuck it by the Velux window in the upstairs room.
Last edited by: Bromptonaut on Wed 24 Feb 21 at 22:25
 Risk... - Bromptonaut
>> I suspect a number of ex- and current IT people on here might well have
>> been au fait with "tokens" that generated one-time codes for secure log-ins (proving you had
>> the token).

I'm definitely a 'user' not an IT person.

We still have RSA keys for some uses though for the most part we use mobiles either to generate a key code or where you just confirm it's you logging in.

We were obliged to use them in the Civil Service. While working in the Quango I was sent one for our Chairman, a retired Cabinet Minister from the Thatcher/Major years. He and I tried all sorts of means to overcome its stubborn unwillingness to work. Eventually one of the brighter sparks on the helpdesk got me to check the token's serial number.

It was allocated to Mr X and not The Rt Hon Lord Y of Z.

Tokens in wrong envelopes.......



 Risk... - Crankcase

>> It was allocated to Mr X and not The Rt Hon Lord Y of Z.


Having a Cambridge University email address, locally whenever I give it out, everyone knows it to be such. They then almost never say "is that Mr", they say "is that Dr or is it Professor"? Sometimes I pause to prolong the moment, and they say "or Lord? Sir?"

I am very much plain Mr. Must be the glasses.
 Risk... - Bromptonaut
>> I am very much plain Mr. Must be the glasses.

In the Quango Conferences and Events were on my watch. Dealing with Judiciary and the odd senior Civil Servant was relatively straightforward.

Fell into conversation with another organiser while looking at venues.

His problem was separating Mr Smith the senior manager from Mr Smith the consultant surgeon so that the eminence of the latter was apparent on the delegate list.
 Risk... - Lygonos

In November I received a letter from DWP advising they would be contacting my employer to recover my Universal Credit Advance.

Letter was genuine - looks like easily found details on Company House for a minor PLC I am a director of was sufficient to get an advance payment without even having a NI number.

This was in August so not even at the height of the first lockdown.

Spoke to a person who said he had been told by a colleague they expected there had been several tens of thousands of fraudulent claims in the East Midlands alone (similar population to Scotland).

The UC advance was nearly £1300 - that's a lot of taxpayers' loot disappeared into bitcoin...
 Risk... - sooty123
>> >>
>> His problem was separating Mr Smith the senior manager from Mr Smith the consultant surgeon
>> so that the eminence of the latter was apparent on the delegate list.
>>
The knots that some people get themselves tied up in never cease to surprise.
 Risk... - hawkeye
>> That being so, it doesn't really work for me as the phone signal here varies
>> from nothing to one bar on tiptoe by the upstairs chimney sometimes.
>>
>> It's bad enough when my banking app insists on sending me a code sometimes to
>> proceed. A simple transaction can sometimes take all morning.
>>
>> This signal issue is true so far with Three, Tesco, Ee, Orange and Vodafone.
>>

When we dug out the hillside to build this house, we unwittingly created a mobile signal-free zone. Collecting a text for 2-factor meant a trot up the street to find some reception. All my mobile reception problems have now vanished since getting a phone and provider that uses magic dust to pass texts and voice calls to me. It's called Voice over LTE if you didn't know. I use a Samsung S9 on Sky Mobile.
Last edited by: hawkeye on Thu 25 Feb 21 at 02:07