Topic: Scammers
Rahvin
Member
Posts: 4101
Joined: 07-01-2005
Member Rating: 8.5


Message 8 of 14 (920906)
12-06-2024 3:06 PM
Reply to: Message 7 by PaulK
12-06-2024 1:39 PM


Re: Security and Scamming
Hackers may well try your username and old passwords elsewhere. (In fact I once got a blackmail email that pretended to have hacked my computer - and the “evidence” was that they knew an old password that had been replaced years before.)
They absolutely do this, and that's why it's so important for services and sites that store credentials to use strong hash algorithms and salt. Never ever ever store passwords, even in encrypted form. Encryption can be reversed into plaintext; hashing is explicitly designed to be one-way. A given string of characters will always generate the same hash value when the same hash algorithm is used, but it's not possible to reverse the process and use the hash to reveal the original string - you have to brute force every possible string, which is computationally unfeasible for sufficiently strong algorithms.
The "salt" part is used so that neither the client (your browser) nor the server (whatever you're logging onto) has the complete picture. You have the password, but don't know the right salt. The server knows the salt and the salted hash of your password, but never stores the actual password. A malicious attacker cannot take information from any single entity and get a complete logon credential.
There is still risk at the moment of authentication where a man in the middle could capture your password, but this is where HTTPS/TLS come in, and that's why you should never log on to or trust services that don't use secure connections. These protocols encrypt web traffic and use a hierarchy of trusted "certificates" to ensure that you're communicating with the authentic service. Without that, an attacker could intercept your logon attempt.
And this is why government policies that seek to add a "law enforcement back door" to web encryption are a terrible awful stupid very bad idea - attackers would only have to crack the backdoor key to gain access to all web communication, instead of needing to individually get the keys for every site/service you connect to.
I remember T-Mobile had a major breach after being warned about their plaintext password storage. Every customer's username and password and email address and phone number was stolen in plaintext - no encryption, no hashing, just totally open and available. And hackers absolutely started automating attempts to log on to every bank, Facebook, every email service, everything with that information. Using the same password across services means that some people were easily the subject of identity theft... all because T-Mobile couldn't be bothered to implement a very simple and standard practice for storing password information.

“The human understanding when it has once adopted an opinion (either as being the received opinion or as being agreeable to itself) draws all things else to support and agree with it.” - Francis Bacon

"There are two novels that can change a bookish fourteen-year-old's life: The Lord of the Rings and Atlas Shrugged. One is a childish fantasy that often engenders a lifelong obsession with its unbelievable heroes, leading to an emotionally stunted, socially crippled adulthood, unable to deal with the real world. The other, of course, involves orcs." - John Rogers

“A world that can be explained even with bad reasons is a familiar world. But, on the other hand, in a universe suddenly divested of illusions and lights, man feels an alien, a stranger. His exile is without remedy since he is deprived of the memory of a lost home or the hope of a promised land. This divorce between man and his life, the actor and his setting, is properly the feeling of absurdity.” – Albert Camus

"...the pious hope that by combining numerous little turds of variously tainted data, one can obtain a valuable result; but in fact, the outcome is merely a larger than average pile of shit." - Barash, David 1995...

"Many that live deserve death. And some die that deserve life. Can you give it to them? Then be not too eager to deal out death in the name of justice, fearing for your own safety. Even the wise cannot see all ends." - Gandalf, J. R. R. Tolkien: The Lord Of the Rings

"The last enemy that shall be destroyed is death." - 1 Corinthians 15:26, King James Version (KJV)

Nihil supernum


This message is a reply to:
 Message 7 by PaulK, posted 12-06-2024 1:39 PM PaulK has replied

Replies to this message:
 Message 9 by PaulK, posted 12-06-2024 3:21 PM Rahvin has replied

  
Rahvin
Member
Posts: 4101
Joined: 07-01-2005
Member Rating: 8.5


Message 10 of 14 (920909)
12-06-2024 3:28 PM
Reply to: Message 9 by PaulK
12-06-2024 3:21 PM


Re: Security and Scamming
You're right, I'm misspeaking. The plaintext password is all they need, and otherwise you wouldn't be able to log on yourself.
But the attacker can't capture data from anywhere else and reassemble the password. They can't just submit the hash, since that would be itself re-hashed. The salt is actually used to make the actual stored hashes look different, so you can't tell when people have identical passwords, among a few other benefits. When implemented correctly. (I've seen instances where developers implement hashing/salting... weirdly. Which is still maybe better than plaintext.)



This message is a reply to:
 Message 9 by PaulK, posted 12-06-2024 3:21 PM PaulK has not replied
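The salted password storage discussed in messages 8 and 10, written out as an added example (not code from the posts or the forum) in Python's standard library, with the salt doing what message 10 describes: two users with the same password get different stored records, a submitted value is always re-hashed so replaying a stolen digest fails, and the unsalted scheme is shown alongside for contrast. The record format, the iteration count and the sample passwords are constructed for this demo.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value for this demo


def hash_password(password: str, salt: bytes = None) -> str:
    """Build the stored record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    # Only the random per-user salt and the one-way digest are kept; the
    # plaintext password itself is never written anywhere.
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh 128-bit salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-hash whatever the client submitted with the stored salt and compare."""
    # The submission is always hashed again, so replaying a stolen digest in
    # place of the password cannot match the record.
    algo, iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)  # constant-time compare


def unsalted_sha256(password: str) -> str:
    """The weak scheme for contrast: equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def demo() -> dict:
    # Constructed sample: two users who picked the same password.
    pw = "correct horse battery staple"
    alice, bob = hash_password(pw), hash_password(pw)
    return {
        "salted_records_differ": alice != bob,
        "unsalted_records_match": unsalted_sha256(pw) == unsalted_sha256(pw),
        "right_password_verifies": verify_password(alice, pw),
        "wrong_password_rejected": not verify_password(alice, "Tr0ub4dor&3"),
        "replayed_hash_rejected": not verify_password(alice, alice.split("$")[3]),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```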

  
Rahvin
Member
Posts: 4101
Joined: 07-01-2005
Member Rating: 8.5


Message 13 of 14 (920934)
12-07-2024 5:51 PM
Reply to: Message 11 by Percy
12-07-2024 10:59 AM


Re: Security and Scamming
2-factor has issues too.
Cell phones have been the "easy" way to get people to use 2-factor, but SIM-jacking is a known attack vector. You log on, the site sends a code to your cell phone... but if someone has duplicated or swapped your SIM (the easiest way is to call your cell provider and use social engineering to register a different SIM card), they can intercept the code. Similar for 2FA via email - your 2FA is only as secure as your email account. Much easier to get access to an email account in most cases, but I've seen some scary/facepalm-inducing social engineering.
The Google Authenticator app is also tied to your Google account (if the cloud sync is turned on, which I believe is the default). So if anyone manages to steal your Google logon... they can get access to your auth codes. The same thing that makes swapping phones easy also creates a vulnerability.
Personally I prefer a hardware security key like a YubiKey, but not all providers support that. You can use authenticator apps that root to a hardware key; secure Gmail and many other accounts with a hardware key; etc. My password manager requires a hardware key too. Hypothetically it should be nearly impossible to break into my critical accounts (recovery email addresses, authenticator, password manager) without my physical hardware key.
But getting the average user to do anything beyond the bare minimum is near impossible, which is why the cell phone and Google authenticator will likely remain most common. My setup could go farther, but even as much as I do is too much of a pain for most people to bother with.



This message is a reply to:
 Message 11 by Percy, posted 12-07-2024 10:59 AM Percy has not replied

Copyright 2001-2023 by EvC Forum, All Rights Reserved
