Website Hack Tracker 2014


#41

I like KeePass as well, and it’s always been odd to me that 1Password and LastPass gets tons of mentions while KeePass gets overlooked. As for PayPal, while cut/paste may not work, the ctrl+v option (put cursor in username field on web page, select entry in KeePass, hit ctrl+v to automatically have it all typed in) works just fine.


#42

Yea, as I said earlier in the thread I prefer it, because I don’t need to trust someone else’s servers. (LP was breached with no promised security audit released…said it before…)


#43

+1 on Keepass. I’ve been using it for years, and it’s been very handy. Many of the mobile clients support cloud storage providers, so it’s easy to keep everything in sync.


#44

Reddit hacked. The attackers defeated SMS-based 2FA. It’s been said before: SMS/phone number 2FA is horrible for that reason. Any 2FA solution needs to rely upon encryption.


#45

Ugh, my bank relies on two forms of 2FA: email or SMS. Both are terribly insecure. I guess if I could turn off email it would be somewhat better, but it drives me crazy. And it’s one of the biggest banks in the country.


#46

It’s the same reason why people who say we should be able to vote by Internet because we can do our banking on the Internet that bugs me.

If you’re one of hundreds of millions of bank customers, the odds some cyber-thief is going to overcome your defenses (incredibly complex and unique password, 2FA, etc) are slim, especially when there’s millions of other easier targets out (people who have shit passwords and don’t use 2FA).

But if you’re a nation-state with virtually unlimited resources, then your bank account is toast. Now replace bank account with “social network with hundreds of millions of active users” or “voting machines in critical swing states” and, voila.


#47

That was unfortunately pretty light on details.

SMS authentication is as secure as the phone that receives the code, and the phone number is as secure as the customer rep that gets socially engineered to change it without confirming first.

Or have we already come to the point where fake 2G-4G base-stations/downgrade to 2G is “common” and not just something the (in)security services and foreign nation states rely on to increase the size of their haystack? (Good app for that, SnoopSnitch).


#48

If you’re a T-Mobile customer, change your password now.


#49

I’ve been using LastPass, but I still haven’t gone through all my old passwords and upgraded them to something more secure. Mainly because it’s a PITA to log into the LastPass app on my phone. (On Android there is no LastPass browser integration, so you have to log in each time you need to use it.)


#50

If you purchased anything from Newegg over the past month, I’ve got some bad news


#51

Pretty sure my card is hosed. I’d been trying to buy a Vega 64 but the card kept getting declined. So I called the financial institution to increase daily limit and such and tried again but it kept on not working saying that the card was declined or information entered didn’t match the info for my card.

Now I wonder if this breach was somehow preventing the card from working.

I’ve already got a new card on the way.


#52

Came THIS close, but went with Amazon no-hurry to get a bonus. Never thought I’d be so relieved.


#53

Germany has had some kind of celebrity/politician data leak, which seems to have occurred over the course of December but only got picked up on in January and is now becoming a big scandal. The reporting I’ve seen has been frustratingly vague about what exactly was compromised — basically various personal info was posted on Twitter, some of which seems likely to be from hacks. It’s entirely unclear if this is the result of many targeted “hacks” (ie social engingeering) or a compromised centralised system. This (German language) is the most informative piece I’ve come across, but it’s still not very specific.


#54