Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > Delta Air Lines | SkyMiles
Delta FF acct hacked, miles stolen & more

Old Jul 9, 2019, 10:36 am
  #61  
FlyerTalk Evangelist
 
Join Date: Jun 2005
Posts: 38,410
Originally Posted by Zorak
Some (all?) cellphone providers have a security mechanism such as a PIN that will be required, among other things, if someone tries to port your number into another carrier (which could legitimately happen if you were switching from one to another, for example).

It makes it harder for someone to e.g. use social engineering on a cell phone customer service rep to convince them to switch your cell service away from your phone onto a phone they control.

Using SMS for security codes is better than nothing at all, but other more secure methods exist.
It defends against social engineering; it does nothing when it's an inside job.
Loren Pechtel is offline  
Old Jul 9, 2019, 10:52 am
  #62  
 
Join Date: May 2011
Location: CMH
Programs: w/+1: AS MVPG; IHG/Marriott Plat; Hilton/BW Diamond; Hertz Prez; SG Silver
Posts: 1,188
Originally Posted by exwannabe
"Security questions" are often a huge security flaw. They often allow an attacker to recover your password based on very poor security. They are designed to handle the idiots who screw up their passwords.

Allow arbitrary strong passwords and three-factor auth for those of us who wish to protect their accounts. Don't ask dumb ... questions like your mother's maiden name.
No one says you have to give easily found answers to security questions.
rxgeek is offline  
Old Jul 9, 2019, 10:56 am
  #63  
FlyerTalk Evangelist
 
Join Date: Nov 2014
Location: MSP
Programs: DL PM, UA Gold, WN, Global Entry; +others wherever miles/points are found
Posts: 14,395
Originally Posted by crunchie
password in general is a really poor security mechanism but better options like U2F devices aren't going mainstream anytime soon so working with what we have, long passwords are way harder to brute force than highly complex short passwords
It depends on how you look at it. Fundamentally, passwords are extremely secure -- a 20-character random token or even a 4-word password has enough entropy to be basically immune from brute force attacks. The so-called "insecurity of passwords" is introduced by fatal flaws in implementation: password reuse and the choice of outrageously insecure passwords, primarily (although inane password "strength requirements" that seem to be pretty much ubiquitous these days also significantly harm password security by essentially enforcing that passwords are difficult to remember).
findark is offline  
Old Jul 9, 2019, 11:33 am
  #64  
 
Join Date: Aug 2008
Location: Somewhere in Florida
Posts: 2,616
Originally Posted by DCAproducer
MFA or 2-Factor would be a big step forward for DL and something they should seriously consider. My guess is that they're afraid too many people would lock themselves out.
2-Factor authentication is very overrated. E-mail is a second factor, yet taking over someone's e-mail account (as what appears to be the case here) is common. Redirecting SMS messages is possible. Even getting voicemails or forwarding someone's phone number to another number doesn't take much technical ability once you're into someone's e-mail.

The real take-home message here is 1) Have long, unique passwords for each site. There's no need for the C0mPl3x! stuff, as that's been long proven to be bad advice. 'thisisthepassword' is actually quite secure, more than 'pAssW0RD!', due to its length. 2) Secure your e-mail. Your e-mail password should definitely be unique and long. E-mail pretty much is a master key to everything. 3) Don't be an idiot. Use your computer wisely. One of the millennials in my office had their BoA account hacked... twice... due to them being stupid and opening e-mail attachments from unknown people... then intentionally bypassing all of the warnings from the computer that they probably shouldn't open the file and that they shouldn't enable macros. She lost $10k ($5k each time) for this. After many months BoA refunded her the money. BUT it would have never happened if she wasn't so dense.
KRSW is offline  
Old Jul 9, 2019, 12:22 pm
  #65  
Moderator: Hyatt; FlyerTalk Evangelist
 
Join Date: Jun 2015
Location: WAS
Programs: :rolleyes:, DL DM, Mlife Plat, Caesars Diam, Marriott Tit, UA Gold, Hyatt Glob, invol FT beta tester
Posts: 18,895
Originally Posted by KRSW
2-Factor authentication is very overrated.
Uh, no. 2FA as a concept is extremely valuable and useful. Some methods or choices of second factors, are better than others.

Originally Posted by KRSW
E-mail is a second factor, yet taking over someone's e-mail account (as what appears to be the case here) is common. Redirecting SMS messages is possible.
Both true. But usually because that email account itself was not protected with 2FA or with a vulnerable factor like SMS.

Security is a "weakest link" thing. If many accounts are secured by an email account (i.e. can reset the password simply via email link) then it stands to reason that those accounts are only as secure as the email account itself.

The takeaway here, as already mentioned upthread, should be to avoid wherever possible using SMS (or email) as your 2nd factor and use a hardware token or code generator app on any sites that permit it (gmail for example offers non-SMS choices).

(and pretty much agree with the rest of what you said)
IndyHoosier likes this.
Zorak is offline  
Old Jul 9, 2019, 3:06 pm
  #66  
 
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,363
Two factor is certainly effective, but the second channel must be different from the primary channel.

The worst thing one can do is set up two-factor with email, and the email is the same email the account has as the contact. Somebody gets the email and they have a wide open pathway.

The advantage of two-factor is that the attacker must get through two totally different accounts. And that is not how they work in the real world. There is not some super hacker working on you, just thieves grabbing the easy target.

The email account though is still the huge key to self protection. If somebody gets access, to that, you are toast as way too many sites are sloppy about password recovery.
KRSW, DCAproducer and Zorak like this.
exwannabe is offline  
Old Jul 9, 2019, 10:12 pm
  #67  
 
Join Date: Nov 2005
Location: LGA
Programs: DL,US
Posts: 155
So a quick datapoint.

My SkyMiles account was somehow compromised yesterday. Ironically, while in the TSA line. Fortunately, I had my BPs saved to iPhone wallet.

So I get the compromise email (saying my account had been updated, which I had not done), and after getting thru security and on the plane I rang up Delta. This was about 35 minutes from when they sent the email stating that my account had been updated.

Apparently as I was on the phone with the Diamond line, the attacker started updating other stuff, as I got a bunch of mails. They stated someone was in the account, so they locked it, reset everything to what it was before, and I should wait 24 hours (to unlock) and reset my password. Which we all know is not the best security practice, but whatever.

So I go on tonight 30 hours later to do this password reset and I cannot, as the email address is not mine, and the KBA routine seemed like it was compromised also. I call in again, get asked lots of questions about why I ticketed someone else out of my account last week (answer is, I got SM awards for my family and a revenue ticket for myself on the same flight) and am told this is now referred to RPU and they really cannot say when it will be resolved. In meantime, I'm locked out.

I'm concerned about a few things here..

1) Why are they just resetting things and saying wait 24 hours and try again?
2) Am I at risk of losing miles because I did an innocent activity? RPU has this onerous rep....
3) What am I supposed to do in meantime? In NYC...simple answer...fly United.

In credit card land, once your number is hosed, they VERY SIMPLY make a new account for you and move everything to the new number. So I would have to update some profiles etc, but not the end of the world. Why is this so hard for airlines? I don't WANT to fly UA but I would rather do that than deal with trying to travel with no mobile, uncertain mileage accrual and risk of further disruption and mischief.

As an aside, I'm pretty sure this was compromised thru my corporate travel provider (at least the association of my name and SM#). So this seems like a scam getting smart criminals behind it these days.
PupManS is offline  
Old Jul 9, 2019, 10:23 pm
  #68  
FlyerTalk Evangelist
Hilton Contributor Badge
 
Join Date: Sep 2003
Location: San Antonio
Programs: DL DM, Former AA EXP now AY Plat, AC 75K, NW Plat, Former CO Gold, Hilton Diamond, Marriott Titanium
Posts: 27,040
You'll still earn while the account is locked, just can't spend. The referral to RPU shouldn't be an issue. Every case we get where they kill an account there's reasons that come out as to why. Simply ticketing a ticket for family isn't one. They simply want to make sure you didn't give access to a miles broker and are now calling in to protect yourself. Also that you did indeed authorize the award since the account was compromised.
flyerCO is offline  
Old Jul 10, 2019, 10:11 am
  #69  
 
Join Date: May 2007
Location: Seattle area
Programs: Peasant at large
Posts: 595
Originally Posted by findark
It depends on how you look at it. Fundamentally, passwords are extremely secure -- a 20-character random token or even a 4-word password has enough entropy to be basically immune from brute force attacks. The so-called "insecurity of passwords" is introduced by fatal flaws in implementation: password reuse and the choice of outrageously insecure passwords, primarily (although inane password "strength requirements" that seem to be pretty much ubiquitous these days also significantly harm password security by essentially enforcing that passwords are difficult to remember).
Yes in theory but not in practice and, in my experience, rarely because of implementation. Many of the systems that I've worked on that implement "strength requirements" were done to appease the "cnn/fox/nbc security expert". The company gets flak if they don't have this perceived high security puppet show. Password mechanisms have come a long way so outside of some random (usually bad) decision to roll their own, poor implementation is less often an issue than users just struggling with long passwords. Post-it notes around the desk to "handle" password length and reuse policies are real (sadly). The proliferation of "use first letter of your favorite song/phrase/etc..." advice is also making passwords a weak defense. The quality and ease of use of the free tools and dictionaries to guess these strings are quite impressive. I've seen better help documentation on those than on much commercial software.

It's a tough gig for the average user and it really should not be that tough (shame on us in this field). Conversations I have with my parents who are in their 80s/90s about passwords, phishing mails, etc... are like a Klingon trying to teach a couple of cats how to replace a '74 Camaro transmission.
crunchie is offline  
Old Jul 10, 2019, 10:33 am
  #70  
 
Join Date: May 2007
Location: Seattle area
Programs: Peasant at large
Posts: 595
Originally Posted by PupManS
So a quick datapoint.

...

Apparently as I was on the phone with the Diamond line, the attacker started updating other stuff, as I got a bunch of mails. They stated someone was in the account, so they locked it, reset everything to what it was before, and I should wait 24 hours (to unlock) and reset my password. Which we all know is not the best security practice, but whatever.

.
This alone tells you the CS reps are either clueless, didn't pay attention to their security training or DL has poor/non-existent security training. By doing that, they made it significantly harder to track the source of the attack and probably damaged/destroyed valuable data for security forensics.


Originally Posted by PupManS
So a quick datapoint.

...
1) Why are they just resetting things and saying wait 24 hours and try again?
2) Am I at risk of losing miles because I did an innocent activity? RPU has this onerous rep....
3) What am I supposed to do in meantime? In NYC...simple answer...fly United.

In credit card land, once your number is hosed, they VERY SIMPLY make a new account for you and move everything to the new number. So I would have to update some profiles etc, but not the end of the world. Why is this so hard for airlines? I don't WANT to fly UA but I would rather do that than deal with trying to travel with no mobile, uncertain mileage accrual and risk of further disruption and mischief.

As an aside, I'm pretty sure this was compromised thru my corporate travel provider (at least the association of my name and SM#). So this seems like a scam getting smart criminals behind it these days.
1. They don't know any better just like reboot solves the symptom this time but does nothing for the root cause. Right now, you still don't know how the bad guys got to your account. Did they compromise your email, put a keylogger on your computer, shoulder surfed you at some point, lucky guessed your password on dl.com, etc... Might want to start checking other accounts of any kind and changing passwords from a known secure machine.
2. Unlikely but getting it back might be slow and tedious
3. Why? Locking the account typically prevents changes and outbound transactions. Even if inbound are frozen, earned miles can be added later when the account is thawed.

Credit cards are a little different. You can spend money with just the face info on the credit card and a bit of easily obtained information about the owner. It's "supposed to be" slightly harder for FF accounts where earning only requires name/number but spending (should) require more (at least 1 secret). Not saying other companies shouldn't just follow what CC companies do, just that there is a difference in their threat model.

If you reasonably suspect the corporate travel provider might be the source of compromise, notify both corporate security and travel teams. No need to yell fire but report it with the facts and why you believe the provider might/is the source of your attack. Any team/company that really cares about security or cares to not be on the next security breach article will be thankful and perform their own investigation.
crunchie is offline  
Old Jul 10, 2019, 12:25 pm
  #71  
FlyerTalk Evangelist
 
Join Date: Nov 2014
Location: MSP
Programs: DL PM, UA Gold, WN, Global Entry; +others wherever miles/points are found
Posts: 14,395
Originally Posted by crunchie
Yes in theory but not in practice and, in my experience, rarely because of implementation. Many of the systems that I've worked on that implement "strength requirements" were done to appease the "cnn/fox/nbc security expert". The company gets flak if they don't have this perceived high security puppet show. Password mechanisms have come a long way so outside of some random (usually bad) decision to roll their own, poor implementation is less often an issue than users just struggling with long passwords. Post-it notes around the desk to "handle" password length and reuse policies are real (sadly). The proliferation of "use first letter of your favorite song/phrase/etc..." advice is also making passwords a weak defense. The quality and ease of use of the free tools and dictionaries to guess these strings are quite impressive. I've seen better help documentation on those than on much commercial software.

It's a tough gig for the average user and it really should not be that tough (shame on us in this field). Conversations I have with my parents who are in their 80s/90s about passwords, phishing mails, etc... are like a Klingon trying to teach a couple of cats how to replace a '74 Camaro transmission.
I agree completely, but I'm also frustrated with the amount of misinformation about passwords that leads to security-weakening requirements like "must contain letters, numbers, and a special character" and the popular conception that if a high-level hacker simply "types hard enough" they can "break through" a password screen. A password-only authentication portal with a simple requirement like 8+ characters for the password and a maximum submission rate of once per second (lockout or alert after something high like 100 failed attempts) is virtually impossible to compromise unless the password is guessable because it is (a) in the top 100 passwords used worldwide - and it's depressing what percentage are, or (b) can be compromised by other vectors like using the same password on a compromised system elsewhere, phishing, compromising the client machine, etc.

Even with most computer systems, social engineering is usually the easiest way in (password resets, etc). Honestly, I think the increasingly widespread use of keyringed password managers has done more for security than TFA, especially insecure SMS/email-based TFA. However, in another sense, a lot of this discussion is like designing a vault door to secure your house - the expense and effort is overboard compared to the real risk. Metaphorically speaking, just don't go on vacation with the house unlocked and Instagram your outbound flight experience.
findark is offline  
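Putting numbers on two of the claims above, KRSW's length-over-complexity point (#64) and findark's throttled password-only portal (#71): the following is an added Python example, not code posted by either of them. The word-list size, the offline guessing rate, the constructed "top 100" list and the exact lockout behaviour are assumptions. The character-entropy figures assume every symbol is chosen uniformly at random; a phrase built from common dictionary words is modelled by `passphrase_bits` instead, because a cracker's word list makes it far smaller than its character count suggests.

```python
import hmac
import math
import string

# Alphabet sizes a brute-forcer must cover (assumes each symbol is chosen uniformly).
LOWERCASE = len(string.ascii_lowercase)                                          # 26
FULL_KEYBOARD = len(string.ascii_letters + string.digits + string.punctuation)   # 94
DICEWARE_WORDS = 7776        # size of the EFF long word list; stands in for "a 4-word password"

ONLINE_RATE = 1.0            # guesses/second the throttled portal described upthread allows
OFFLINE_RATE = 1e10          # assumed GPU rate against a leaked fast hash, shown for contrast


def charset_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet of `charset_size`."""
    return length * math.log2(charset_size)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits of `words` words drawn uniformly from a list the attacker also has."""
    return words * math.log2(dictionary_size)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the keyspace is searched."""
    seconds = (2.0 ** bits / 2.0) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


class ThrottledLogin:
    """Password-only portal with the two controls from the post: at most one evaluated
    attempt per second per account, and a lock after `max_failures` consecutive failures.
    The clock is passed in so an attack can be simulated deterministically."""

    def __init__(self, correct_password: str, max_failures: int = 100, min_interval: float = 1.0):
        self._correct = correct_password.encode()
        self.max_failures = max_failures
        self.min_interval = min_interval
        self.failures = 0
        self.locked = False
        self._last_attempt = None

    def attempt(self, guess: str, now: float) -> str:
        if self.locked:
            return "locked"
        if self._last_attempt is not None and now - self._last_attempt < self.min_interval:
            return "rate_limited"          # dropped: neither evaluated nor counted
        self._last_attempt = now
        if hmac.compare_digest(guess.encode(), self._correct):   # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "fail"


def simulate_online_attack(gate: ThrottledLogin, candidates):
    """Attacker submits candidates in order, one per second, until success or lockout.
    Returns (outcome, number_of_attempts_submitted)."""
    clock = 0.0
    for n, guess in enumerate(candidates, start=1):
        outcome = gate.attempt(guess, now=clock)
        clock += 1.0
        if outcome == "ok":
            return ("found", n)
        if outcome == "locked":
            return ("locked", n)
    return ("exhausted", len(candidates))


# Constructed stand-in for a "top 100 passwords" list: four well-known entries plus filler.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"] + [f"filler{i:02d}" for i in range(96)]


if __name__ == "__main__":
    for label, bits in [("8 chars, full keyboard", charset_bits(FULL_KEYBOARD, 8)),
                        ("9 chars, full keyboard", charset_bits(FULL_KEYBOARD, 9)),
                        ("17 lowercase chars", charset_bits(LOWERCASE, 17)),
                        ("20 random chars", charset_bits(FULL_KEYBOARD, 20)),
                        ("4 diceware words", passphrase_bits(DICEWARE_WORDS, 4))]:
        print(f"{label:24s} {bits:5.1f} bits  online: {expected_years(bits, ONLINE_RATE):.3g} y"
              f"  offline: {expected_years(bits, OFFLINE_RATE):.3g} y")
    print(simulate_online_attack(ThrottledLogin("password"), COMMON_PASSWORDS))
    print(simulate_online_attack(ThrottledLogin("correct horse battery staple"), COMMON_PASSWORDS))
```

The two simulations are the whole argument in miniature: against the throttled portal the attacker gets at most 100 evaluated guesses, so a password in the top-100 list falls on its second try and anything not on that list survives to lockout. The offline column is why the email password still has to be unique: once a site leaks a fast hash, the 1/second throttle is gone and only entropy is left.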
Old Jul 10, 2019, 2:07 pm
  #72  
 
Join Date: Apr 2010
Location: PNS
Programs: DL FO, UA, AA
Posts: 700
This whole thread reminds me of why I use a random password for every site I have an account on. I use LastPass, 2FA, and an authenticator. I don't even know my own passwords. Never use an open wifi connection to send any sort of authentication information. If you have to use open wifi make sure you are using a VPN. Always best to use cellular data when you can on your phone instead of wifi (especially in airports, hotels and restaurants).
AeRoSpaceman is offline  
Old Jul 30, 2019, 2:22 pm
  #73  
 
Join Date: Jan 2000
Location: South Coast, UK
Programs: Lifetime Platinum
Posts: 2,069
So, as an ordinary, man in the street, with no particular computer knowledge what is the recommendation for me re passwords? I have tried to follow the threads but some of it is over my head.
I guess a pin lock on my phone SIM is first and then my email and app accounts ?
And should I change them weekly.....which would be a pain...or monthly or what ?
I currently keep them all in the cloud as there is no way I could remember them all.
And I only have two devices, an Android tablet and Android phone....no home PC.
Would appreciate any helpful advice..thanks.
mike turnbull is offline  
Old Jul 30, 2019, 2:36 pm
  #74  
 
Join Date: Aug 2003
Location: Mesilla, NM
Programs: DL DM 4.7 MM MQM Marriott Ambassador Lifetime Titanium AA CK
Posts: 2,714
Originally Posted by mike turnbull
So, as an ordinary, man in the street, with no particular computer knowledge what is the recommendation for me re passwords? I have tried to follow the threads but some of it is over my head.
I guess a pin lock on my phone SIM is first and then my email and app accounts ?
And should I change them weekly.....which would be a pain...or monthly or what ?
I currently keep them all in the cloud as there is no way I could remember them all.
And I only have two devices, an Android tablet and Android phone....no home PC.
Would appreciate any helpful advice..thanks.
My suggestion is to use a password management system that runs on multiple devices such as Dashlane or Keeper Security. Use the paid version of either so you can use multiple devices. Set the passwords for at least 12 characters. BTW I work for neither company but use both.
hnewman is offline  
Old Jul 30, 2019, 2:54 pm
  #75  
 
Join Date: Jan 2000
Location: South Coast, UK
Programs: Lifetime Platinum
Posts: 2,069
Thanks.....appreciated.
mike turnbull is offline  