Date: 2018-02-13
Many ID-Protection Services Fail Basic Security (tomsguide.com)
Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.
Ironic that the companies that are in business to watch people's IDs seem to not care about protecting security themselves with basic account security measures. However, I think this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.
Do these services even work? Once someone applies and gets a credit card, the damage is done... the ID theft service may not be able to do much, because the debt is already signed for and it is up to the victim to press the fra
Will a brand new card let you max it the day your application is processed? I'd have thought it's a couple days to get the card in your hands and a "while" before the credit company AI will let you buy 11 4K TVs.
IFF these places are as hooked in to the system as they claim, they should have plenty of time to kill the application before it's granted. I think that's a big IFF though.
... this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.
Precisely this.
Then the shareholders/c-levels dump the stock, avoid the majority of the loss for themselves, then move on to the next company to continue skimping as much as they can there. The cycle continues...
I applied for a credit card once, it got held up in the mail.
The bank refused to give me the card number to use and said it required activation by bringing the physical card in to a branch before it would work.
Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor. This policy, adopted by Twitter [mashable.com] among others, hurts users who choose TOTP because the user A. carries a tablet but not a cell phone, B. lives in North America and carries a cell phone on a pay-as-you-go plan (which costs less per month than an unlimited plan) and therefore pays for each incoming text message, or C. wants to reduce exposure to the vulnerabilities of SMS [techcrunch.com]: exploiting kno
Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.
You're completely incorrect.
Google already had it and was even allowing you to port their code to your own TOTP 2-factor authentication client (in addition to HOTP) to use with their service since 2010!
That's right, 2010. That is not a typo. At the time, the official RFC was still being drafted.
Here is the PROOF:
https://web.archive.org/web/20100915000000*/http://code.google.com/p/google-authenticator/ [archive.org]
Downloading Google Authenticator did not and does not require SMS. But associating Google Authenticator with a particular Google Account requires the account's owner to have set up 2FA through SMS on that Google Account. From the instructions [google.com]:
Only the other 2FA method that uses Google Play Services instead of the Google Authenticator app [google.com] can be added without first adding a phone number.
Is that an admission that you were wrong? Or are you just moving the goalposts? [logicallyfallacious.com]
Because Google requiring a cell phone number with a working SMS for an initial set up, which can be changed afterward to TOTP, HOTP, or a recovery email address (all of which Google allowed you to do in 2010 from pretty much any platform by providing the source code, even before the RFC for TOTP was officially out of draft) seems to be a very far cry from what you initially wrote:
Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor.
[...]
Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.
In fact, I would argue that Google was a pioneer i
But some companies that offer 2FA appear to just not care
I'm not going to defend Twitter. If that's what they're doing, then they're idiots.
But I drive for Lyft (I used to drive for Uber). Lyft forces SMS 2FA for almost everything (but Uber doesn't, honestly, I'm not sure what Uber does from the consumer's perspective). And I believe that frequent SMS 2FA verification is a huge plus for Lyft.
As a driver, I need to have a valid cell phone number to SMS or call when I pick up someone. Data works, but not always. For instance, if someone's phone inadvertently connec
Equifax already ... (Score:2)
... provided that feature. [fortune.com]
The Equifax Hack Exposed More Data Than Previously Reported
Post-Experian: Endless whack-a-mole (Score:3, Insightful)
You have to admit that "LifeLock" is well-named. They have you locked up, all right.
