cfabar1

sdadept

This brings up an interesting note about delta. I have two factor authentication on almost everything these days (even three factor on a couple like brokerage) and would love to put it on my delta account. But its not yet offered. I really wish they would include that option.

UnderEst

richarddd

Security questions are usually terrible security if you answer them correctly, because of the chance the answers can be researched or just guessed. However, you are free to make up whatever answers you want, including strings of random characters.

SuperG1955

How do you figure that? 2FA doesn't use email.

ecaarch

I like what USAA does. My father was in the military. The confirmation questions from USAA will be about HIS service, information that is ingrained in my head yet doesn't appear in any of MY social media accounts or any of MY records (I assume it is available in his DOD records).

But the "what is your mother's maiden name" or "what high school did you graduate from" questions are useless.

rucksack

jebr

Certainly. However, there's an argument to be made that considering the general attack methods used today, especially for a non-high profile person, on-site storage seems safer than cloud storage. A lot of attacks these days are either social engineering or leaked/compromised passwords, not the traditional virus or malware where they get the data off of your computer directly.

That said, I still don't think it's overall safer to do so. Even with that every-minute pull, there's still a lag where someone who's trying to get in can still get those emails if they're watching the account and trying to get in. It also removes convenience, and it makes someone much more vulnerable to a virus/malware attack on their PC. While not security-related, there's also the real concern of non-existent or failed backups, which can cause the loss of data if the only storage of those emails (or other data) is on your computer.

Considering the vast majority of the attacks on cloud accounts can be thwarted with decent 2FA, it seems much better to simply use 2FA with a secure password than FlyBitcoin's scheme of offloading emails onto a personal computer that almost certainly won't have as robust of physical/software security as Microsoft's or Google's server farms.

HDQDD

Sorry OP, but DL didn't do anything wrong here, although they could have handled the aftermath better. Your gripe is with what ever site/service leaked your login/password info and the criminals who used that info.

This. Anyone who uses the same password on more than one website is just asking to be hacked. Download Lastpass (free) and use randomly generated passwords.

In light of the Equifax breech, my recommendation to anyone is to put a freeze on all 4 credit bureaus unless you specifically need someone to pull your credit. Depending on where you live, the costs vary for this. Thankfully in NC the credit agencies are required to lock/unlock for free.

Zorak

Do they actually require all 3 factors to login? Or is it 2-factor but you can use one of a few alternatives as the second factor, which is still just 2-factor

^ That's my strategy anywhere the answers are freeform; I just save them in the info/notes field in my password manager.

What they might have had in mind is that a lot of accounts can be reset if you have access to someone's email though, or that it can sometimes be used as a 2nd factor as rucksack mentioned.

It's also worth noting that, depending how tin-foil-y you want to be, using your phone number/SMS as a 2nd factor is a bad idea because it is apparently surprisingly easy to social engineer or otherwise hack your way into getting a cell phone company to swap service for someone else's phone number onto a device controlled by an attacker. Thus, wherever possible I use a physical hardware token such as a YubiKey as my 2nd factor, else a code generator app, and only SMS as a last resort if nothing else is supported by the site.

sdadept

[QUOTE=Zorak;31220455]Do they actually require all 3 factors to login? Or is it 2-factor but you can use one of a few alternatives as the second factor, which is still just 2-factor

Actual 3 factor. Password, physical card with PIN and 6 digit code from dongle that changes every minute. Good times...

I would personally prefer if they added like google authenticator or something as a 2nd factor option. Not a fan of email as email servers can lag and its not nearly as safe.

wlau

Unique password or randomly generated password has its own headaches. I've noticed Delta App is token based. However, certain phone usage habits cause the token to reset or deem invalid. One example of that is international travel to a different country or when the region/carrier change is detected. If that token is invalidated and you need to relogin, then chances are you won't remember the randomly generated password. And if you are traveling internationally, it's probably the exact times you need your Delta App the most.

By the way, have you try to type a 30 character randomly generated password using your phone touch keyboard?

They need to enable multi-factor authentication, period...

Zorak

Uh, no, that's what a password manager is for

eneq

This. Password managers are an easy and free solution to this problem. All of the major ones have phone apps as well as browser plugins. Sorry, but there is no excuse for not using a unique password for each site you login to.

bludevil

This happened to me a few months ago with Delta, Hilton, and Amazon simultaneously. Check your email accounts for rules/filters. The bad guys had gotten into my email and had set up rules so anything with certain keywords (like the word password, change, etc.) would go directly to my trash so I would never see them unless I looked but they knew where they were.